Spencer Kellogg | United States
Saleem Rashid, allegedly a 15-year-old living in the south of England, posted proof of vulnerabilities in the Ledger cryptocurrency hardware wallet system this week. The wallet has long been seen as one of the strongest protection methods for holding cryptocurrency, so this startling new revelation (and Ledger’s slow response) is a worrying reality for millions of cryptocurrency owners who hold the majority of their portfolios on the Ledger system. While no accounts have been reported as compromised, this new information provides consumers with a clear example of the questionable security throughout the cryptocurrency community.
The entry on Rashid’s blog details how he devised backdoor code that gave him access to the $100 hardware device. The flaw would allow malicious hackers access to consumers’ private keys. With a private key in hand, a criminal can drain the wallet of its funds without the owner’s permission.
In early March, the French company suggested that it was in the process of overcoming security flaws in its system. Ledger officials went on to dismiss the vulnerabilities as routine, while Ledger Chief Security Officer Charles Guillemet was quoted as saying the “attack cannot extract the private keys or the seed”. Rashid was quick to fire back, challenging the assertion on Reddit.
The underlying issue revolves around the communication between two microcontrollers that verify the authenticity of a cryptographic certificate. Rashid replaced the company’s firmware with unauthorized code that appeared legitimate to the communicating controllers. Once inside, Rashid was able to gain access to private keys and sign third-party transactions by himself. The backdoor also affects Ledger’s ‘high security’ model, the Ledger Blue, and officials have said it could take weeks to secure that engine.
According to Rashid’s timeline, he reached out to Ledger officials in early November during the massive bull run. This would suggest that during the entirety of Bitcoin’s dominance in the mainstream media, the most popular cryptographic storage device was busy resolving an issue that could potentially affect millions of crypto wallets.
When a user creates a cryptocurrency wallet, the first thing they learn is how important it is to manage their private key and keep it secret. A user can only spend the funds in the wallet if they have access to that key. One of the reasons that Ledger broke through to the wider market was its promising ease of use, which created a secure, seamless environment for storing and transacting assets.
Ledger’s quick and transparent response should provide consumers with relief. In the world of developing technology, there will be mistakes, and how a team reacts is telling of its care for the user. Ledger appears to have done everything in its power to rectify the situation and has been vocal in suggesting that its system is secure.