Kraken Discovers Supply Chain Attacks Against Ledger Wallets

Kraken, a major United States-based cryptocurrency exchange, has identified new potential attacks against the popular hardware wallet, Ledger.

Kraken Security Labs, the exchange’s cyber security division, has discovered two new attack vectors that could compromise the security of Ledger Nano X wallets. The exchange announced the news in a July 8 blog post.

Both attacks can be exploited before users launch the wallet for the first time

According to the post, both attacks can affect Ledger Nano X wallets if exploited before the user receives the wallet. This can happen if the wallet was tampered with during shipment or obtained from a malicious reseller, Kraken noted.

As a result, the attacks could enable hackers to take control of computers connected to the Ledger wallets and install malware. This could ultimately lead to the loss of funds stored on the wallet.

“Bad Ledger” attack turns Ledger wallets into a malicious keyboard

In the post, Kraken Security Labs described both potential attack vectors. The first, dubbed the “Bad Ledger” attack, infects a Ledger Nano X wallet by modifying its debugging protocol so that the device acts as an input device, like a keyboard. Using keyboard shortcuts, it is capable of opening a browser and navigating to Kraken exchange’s domain, the experts found.

This type of attack is similar to the so-called “Rubber Ducky” and “BadUSB” attacks, which can reflash a device with malicious firmware to compromise the computer, Kraken noted.
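The defining trait of the attack described above is a wallet that presents itself to the host as a keyboard. As an added example (not Kraken's or Ledger's code), this Python parser reads a USB HID report descriptor and reports whether it declares a keyboard application collection, which is what a host-side check on a supposed wallet could look for. The function names are hypothetical and both descriptors are constructed samples, not captures from any device.

```python
# Added example: list the top-level Application collections of a USB HID
# report descriptor. All descriptor bytes below are constructed samples.
KEYBOARD = (0x01, 0x06)  # Generic Desktop usage page, Keyboard usage

def application_usages(desc: bytes):
    """Return [(usage_page, usage)] for each top-level Application collection."""
    found, page, usage, depth, i = [], 0, None, 0, 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:  # long item: [0xFE, data size, tag, data...]
            if i + 1 >= len(desc):
                raise ValueError("truncated long item")
            i += 3 + desc[i + 1]
            continue
        size = (0, 1, 2, 4)[prefix & 0x03]
        data = desc[i + 1:i + 1 + size]
        if len(data) < size:
            raise ValueError(f"truncated item at offset {i}")
        value = int.from_bytes(data, "little")
        kind, tag = (prefix >> 2) & 0x03, prefix >> 4
        if kind == 1 and tag == 0x0:      # Global item: Usage Page
            page = value
        elif kind == 2 and tag == 0x0:    # Local item: Usage
            if usage is None:             # the first Usage names the collection
                usage = (value >> 16, value & 0xFFFF) if size == 4 else (None, value)
        elif kind == 0:                   # Main item
            if tag == 0xA:                # Collection
                if depth == 0 and value == 0x01 and usage is not None:
                    found.append((page if usage[0] is None else usage[0], usage[1]))
                depth += 1
            elif tag == 0xC:              # End Collection
                depth = max(depth - 1, 0)
            usage = None                  # Local items reset after each Main item
        i += 1 + size
    return found

def presents_keyboard(desc: bytes) -> bool:
    return KEYBOARD in application_usages(desc)

# Constructed sample: a vendor-defined usage page, typical of a raw data channel.
VENDOR_HID = bytes.fromhex("06 a0 ff 09 01 a1 01 09 03 15 00 26 ff 00 75 08 95 40 81 08"
                           " 09 04 15 00 26 ff 00 75 08 95 40 91 08 c0")
# Constructed sample: a minimal keyboard descriptor (modifier byte plus six key codes).
KEYBOARD_HID = bytes.fromhex("05 01 09 06 a1 01 05 07 19 e0 29 e7 15 00 25 01 75 01 95 08"
                             " 81 02 95 06 75 08 15 00 25 65 19 00 29 65 81 00 c0")

if __name__ == "__main__":
    for name, d in (("vendor", VENDOR_HID), ("keyboard", KEYBOARD_HID)):
        print(name, application_usages(d), "keyboard!" if presents_keyboard(d) else "ok")
```

On Linux the raw descriptor bytes for an attached device can be read from `/sys/bus/hid/devices/<id>/report_descriptor` and passed to `presents_keyboard`.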

“Blind Ledger” approves malicious transactions through turned-off display

The second attack, described as “Blind Ledger”, is capable of resetting the wallet’s display and convincing users to press a series of buttons to approve a malicious transaction. Once the malicious code is running on the user’s computer, it can show the user a fake error and turn off the wallet’s display.

Possible alerts may read like “your Ledger Nano X stopped responding, please hold both buttons to restart the device,” Kraken noted. With the display disabled, users cannot see what is actually happening on their hardware wallet. Blindly following these instructions actually leads to the verification of a malicious transaction, the security group explained.

Ledger’s official response

In response to Kraken’s warning, Ledger issued a security bulletin, confirming that the vulnerability can lead to supply chain attack scenarios. In the post, Ledger said that the latest firmware update protects wallet holders from these attacks by switching off debugging capabilities.

Ledger wrote:

“Debugging capabilities are permanently switched off as soon as an application is installed […] These attacks cannot be performed once an application has been installed on the device.”

The Ledger Nano X is the latest crypto wallet designed by major hardware wallet manufacturer Ledger. Released in 2019, the product is the only Ledger wallet that is rechargeable and works wirelessly via Bluetooth. On July 6, Cointelegraph reported that Ledger’s CTO, Charles Guillemet, had denied Ledger’s alleged double-spend vulnerability.
