All Ledger hardware wallets vulnerable to man-in-the-middle attack

Haythem Elmir

Ledger hardware wallets currently on the cryptocurrency market are vulnerable to cyber attacks. The vulnerability, identified by unknown security researchers, affects every single hardware wallet and allows cybercriminals to show fraudulent addresses to Ledger users. When funds are sent to these addresses, the cryptocurrency is transferred to the attacker’s wallet instead of the user’s, and the user ends up losing their funds.

Hardware wallets are usually considered the safest option for storing cryptocurrency, but the one million users affected by the newly identified threat to Ledger’s hardware wallets make it evident that even these cannot offer foolproof protection.

The flaw was acknowledged by Ledger on February 3rd via a tweet on its official Twitter account, where the company also shared a report [PDF] that described the vulnerability in detail. The report stated that a Ledger wallet creates a brand new address every time a payment is to be received. If the computer is infected with malware, a man-in-the-middle attack carried out while the user is generating this address causes the amount to be transferred to a fraudulent address instead of the user’s wallet.

After compromising the computer, the attacker can secretly replace the code that generates the unique address, so that the funds are deposited to the attacker’s wallet. “An attacker could be in control of your computer screen and show you a wrong address which would make him the beneficiary [sic] of any transaction sent to it,” the report highlighted.

This is possible because the wallet uses JavaScript code running on the computer. If the computer is infected with malware, all the malware needs to do is replace the code that generates the receiving address with code that leads to the attacker’s wallet.

The report says that, to prevent the attack, users must verify that the wallet address is correct before transferring funds. This can be done by clicking the button under the QR code. This button displays the address of the hardware wallet so that users can verify it.

The report also explained that this check is not available on the Ether wallet interface from Ledger: the Ethereum app does not have the mitigation, and hence the user cannot verify whether the address is correct.
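
The check described above can be modelled in a few lines. This is an added example, not code from Ledger or from the report: `deriveAddress` is a toy stand-in for the wallet's real address derivation, all names and sample values are constructed, and it assumes the verify button makes the device show an address it derived itself.

```javascript
// Added illustration: all names are hypothetical, this is not Ledger's code.
const crypto = require("crypto");

// Toy stand-in for the wallet's real address derivation (deterministic per index).
function deriveAddress(accountKey, index) {
  const mac = crypto.createHmac("sha256", accountKey).update(String(index));
  return "addr_" + mac.digest("hex").slice(0, 32);
}

// The hardware wallet derives the address itself and shows it on its own screen.
// An app without that feature (the Ether app in the report) returns null.
function makeDevice(accountKey, canDisplay) {
  return {
    showAddress: (index) => (canDisplay ? deriveAddress(accountKey, index) : null),
  };
}

// Host side: the screen shows whatever the address-generating code returns,
// so that code is the part malware on the computer can replace.
function hostScreen(addressCode, index) {
  return addressCode(index).trim();
}

// The check the report asks the user to do: compare the complete strings.
function checkReceiveAddress(shownOnHost, device, index) {
  const shownOnDevice = device.showAddress(index);
  if (shownOnDevice === null) return "unverifiable";
  return shownOnDevice === shownOnHost ? "match" : "mismatch";
}

// Constructed sample data.
const ACCOUNT_KEY = "constructed-account-key";
const intactCode = (index) => deriveAddress(ACCOUNT_KEY, index);
const replacedCode = (_index) => "addr_" + "f".repeat(32); // fixed foreign address

function runScenarios() {
  const deviceWithDisplay = makeDevice(ACCOUNT_KEY, true);
  const deviceWithoutDisplay = makeDevice(ACCOUNT_KEY, false);
  return {
    intact: checkReceiveAddress(hostScreen(intactCode, 7), deviceWithDisplay, 7),
    replaced: checkReceiveAddress(hostScreen(replacedCode, 7), deviceWithDisplay, 7),
    noDeviceDisplay: checkReceiveAddress(hostScreen(replacedCode, 7), deviceWithoutDisplay, 7),
  };
}

console.log(runScenarios());
```

The third scenario is the case the report flags for the Ether wallet: with no address shown by the device, a replaced address on the computer screen cannot be told apart from a genuine one.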
