Saleem Rashid is a 15-year-old self-taught British programmer who discovered a fatal defect in the Ledger Nano S, an offline cryptocurrency wallet that is marketed as being "tamper-proof."
After giving the company a suitable window to create a patch for the defect he'd identified, Rashid published his research.
Rashid showed that the tamperproofing mechanisms that Ledger used could be trivially bypassed, invalidating the company's claims that it was safe to buy used Ledger hardware without worrying about backdoors being inserted by the seller, and claims that Ledger devices were secure against attacks by parties with physical access to the hardware ("evil maid" attacks).
When the company released its patch, though, it downplayed the severity of the defect that Rashid had identified, calling it "NOT critical," and made false claims to the effect that the "attack cannot extract the private keys or the seed."
Rashid still hasn't investigated and validated the patch, so it's not clear if it even works (given that the company either doesn't understand the bug he submitted or is lying about it, there's a good chance it doesn't). Matthew Green, an eminent security researcher from Johns Hopkins, evaluated Rashid's work and told Ars Technica that he's not convinced that any patch from Ledger will actually work in the long run.
This is an important little morality play about why companies shouldn't get a say in who gets to disclose defects in their products, or under which circumstances those disclosures can be made. At a time when industry associations are pushing for a ban on security defect reporting without manufacturer permission, Ledger stands as an example of why this is a terrible idea.
Ledger has sold thousands of units to people who are entrusting them to store millions of dollars' worth of cryptocurrency. These units were defective. Ledger claims to have fixed the devices, but in the same breath, they lied to customers about the severity of the defect, reducing the likelihood that customers will hear of, or apply, the patch. And it's not clear if that patch works.
Every company, without exception, would have an easier time if it got a veto over the disclosure of true facts about defects in its products. It's not surprising that industry associations seize upon opportunities to push for this privilege, but stories like this one are timely reminders about why we need to fight them tooth and nail.
A video accompanying Rashid's blog post shows a device displaying the word "abandon" for the first 23 recovery passwords and "art" for the remaining one. A malicious backdoor could provide a recovery seed that appeared random to the end user but was entirely known to the developer.
"He's carving up the firmware in a really efficient way to fit it into a tiny amount of space to pull off the attack here," said Kenn White, an independent researcher who reviewed Rashid's research before it was published. "It's well done, it's clever, it's creative, and it's devastating."
Rashid told Ars that it might have been possible for his backdoor to do a variety of other nefarious things. He also said the weaknesses could be exploited in evil-maid scenarios in which someone has brief access to the device and possibly by malware that infects the computer the device is plugged into. Researchers are usually quick to point out that physical access and malware-infected computers are, by definition, compromises on their own and hence shouldn't be considered a valid means for compromising the hardware wallets. The chief selling point of hardware wallets, however, is that they protect users against these fatal events.
Breaking the Ledger Security Model [Saleem Rashid]
A “tamper-proof” currency wallet just got trivially backdoored by a 15-year-old [Dan Goodin/Ars Technica]