Teen’s devastating bug-report on a “tamper-proof” cryptocurrency wallet shows why companies can’t be left in charge of bad news about their products

On March 21, 2018 by Maybell
Saleem Rashid is a 15 year old self-taught British programmer who discovered a fatal defect in the Ledger Nano S, an offline cryptocurrency wallet that is marketed as being “tamper-proof.”
After giving the company a suitable window to create a patch for the defect he’d identified, Rashid published his research.
Rashid showed that the tamperproofing mechanisms that Ledger used could be trivially bypassed, invalidating the company’s claims that it was safe to buy used Ledger hardware without worrying about backdoors being inserted by the seller, and claims that Ledger devices were secure against attacks by parties with physical access to the hardware (“evil maid” attacks).
When the company released its patch, though, it downplayed the severity of the defect that Rashid had identified, calling it “NOT critical,” and made false claims to the effect that the “attack cannot extract the private keys or the seed.”
Rashid still hasn’t investigated and validated the patch, so it’s not clear if it even works (given that the company either doesn’t understand the bug he submitted or is lying about it, there’s a good chance it doesn’t). Matthew Green (previously), an eminent security researcher from Johns Hopkins, evaluated Rashid’s work and told Ars Technica that he’s not convinced that any patch from Ledger will actually work in the long-run.
This is an important little morality play about why companies shouldn’t get a say in who gets to disclose defects in their products, or under which circumstances those disclosures can be made. At a time when industry associations are pushing for a ban on security defect reporting without manufacturer permission, Ledger stands as an example of why this is a terrible idea.
Ledger has sold thousands of units to people who are entrusting them to store millions of dollars’ worth of cryptocurrency. These units were defective. Ledger claims to have fixed the devices, but in the same breath, they lied to customers about the severity of the defect, reducing the likelihood that customers will hear of, or apply, the patch. And it’s not clear if that patch works.
Every company, without exception, would have an easier time if it got a veto over the disclosure of true facts about defects in its products. It’s not surprising that industry associations seize upon opportunities to push for this privilege, but stories like this one are timely reminders about why we need to fight them tooth and nail.
A video accompanying Rashid’s blog post shows a device displaying the word “abandon” for the first 23 recovery passwords and “art” for the remaining one. A malicious backdoor could provide a recovery seed that appeared random to the end user but was entirely known to the developer.
“He’s carving up the firmware in a really efficient way to fit it into a tiny amount of space to pull off the attack here,” said Kenn White, an independent researcher who reviewed Rashid’s research before it was published. “It’s well done, it’s clever, it’s creative, and it’s devastating.”
Rashid told Ars that it might have been possible for his backdoor to do a variety of other nefarious things. He also said the weaknesses could be exploited in evil-maid scenarios in which someone has brief access to the device and possibly by malware that infects the computer the device is plugged into. Researchers are usually quick to point out that physical access and malware-infected computers are, by definition, compromises on their own and hence shouldn’t be considered a valid means for compromising the hardware wallets. The chief selling point of hardware wallets, however, is that they protect users against these fatal events.
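The “abandon” ×23 + “art” recovery phrase in the video is what a BIP39 mnemonic looks like when the 256 bits of entropy behind it are all zero: the first 23 words encode the zero bits, and the last word carries the final three entropy bits plus an 8-bit SHA-256 checksum, which for zero entropy lands on index 102 (“art”). The following Python is an added example, not code from Rashid, Ledger or Ars Technica; it derives the word indices from raw entropy per the BIP39 spec and adds a simple sanity check a wallet user or auditor could run on a freshly generated phrase to catch a degenerate seed. The two wordlist entries in WORD_HINT are real positions in the standard English BIP39 list; the full 2048-word list is assumed to be fetched separately and is not embedded.

```python
import hashlib
import os

# Two entries from the standard BIP39 English wordlist (assumed; the full
# list is not embedded here). Index 0 is "abandon", index 102 is "art".
WORD_HINT = {0: "abandon", 102: "art"}


def bip39_word_indices(entropy: bytes) -> list[int]:
    """Return the 11-bit word indices for a BIP39 mnemonic.

    Layout per BIP39: ENT bits of entropy, followed by ENT/32 checksum bits
    taken from the start of SHA-256(entropy); the whole thing is split into
    11-bit groups, each selecting one word of the 2048-word list.
    """
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("entropy must be 128..256 bits in 32-bit steps")
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total_bits = ent_bits + cs_bits
    return [
        (combined >> (total_bits - 11 * (i + 1))) & 0x7FF
        for i in range(total_bits // 11)
    ]


def looks_degenerate(indices: list[int], min_distinct: int = 8) -> bool:
    """Flag a phrase whose words are far too repetitive to be random.

    A genuinely random 24-word phrase has ~24 distinct words almost always;
    a phrase drawn from all-zero or constant entropy repeats one word.
    The threshold is a constructed heuristic, not part of BIP39.
    """
    return len(set(indices)) < min_distinct


def describe(indices: list[int]) -> list[str]:
    """Map indices to words where WORD_HINT knows them, else '#<index>'."""
    return [WORD_HINT.get(i, f"#{i}") for i in indices]


if __name__ == "__main__":
    # Constructed input: the all-zero entropy shown in Rashid's video.
    zero_phrase = bip39_word_indices(bytes(32))
    print(" ".join(describe(zero_phrase)))          # abandon x23, then art
    print("degenerate:", looks_degenerate(zero_phrase))

    # A properly generated seed from the OS CSPRNG passes the check.
    good_phrase = bip39_word_indices(os.urandom(32))
    print("degenerate:", looks_degenerate(good_phrase))
```

The check only catches the crude case Rashid demonstrated; a backdoor that derives the seed from a value the attacker knows (a serial number, a fixed key) would still produce a phrase that passes, which is why the device’s own entropy source, not the appearance of the words, is what has to be trusted.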
Breaking the Ledger Security Model [Saleem Rashid]
A “tamper-proof” currency wallet just got trivially backdoored by a 15-year-old [Dan Goodin/Ars Technica]