Cryptocurrency enthusiasts who rely on Ledger hardware wallets to keep their coins safe ought to exercise extreme caution when sending funds: sticky-fingered hackers might be out to re-route your digital cheddar away from your intended recipient and straight to their own wallets instead.
The company has taken to Twitter to remind users to “always verify [their] receiv[ing] address” on their devices’ screen manually by using the “monitor screen” button at the bottom of each transaction request form.
Referring to a recent vulnerability report from DocDroid, Ledger acknowledged that its hardware wallets suffers from a flaw that makes it possible for attackers to infect it with malware, designed to trick you into sending your cryptocurrency to the hackers.
To mitigate the man in the middle attack vector reported here https://t.co/GFFVUOmlkk (affecting all hardware wallet vendors), always verify your receive address on the device's screen by clicking on the "monitor button" pic.twitter.com/EMjZJu2NDh
— Ledger (@LedgerHQ) February 3, 2018
“Ledger wallets generate the displayed receive address using JavaScript code running on the host machine,” the report reads. “This means that a malware can simply replace the code responsible for generating the receive address with its own address, causing all future deposits to be sent to the attacker.”
What is even worse is that – due to Ledger’s design which requires new addresses be generated consistently – users have no viable options to “verify the integrity of the receive address.” This could dupe users into thinking the displayed receiving address is indeed authentic, while this might not at all be the case.
The DocDroid report further indicates that all Ledger software could be exploited and modified by even unprivileged malware, which means attackers could abuse its system without any need to gain administrative rights.
The wallets also have no implementation in place to check for integrity and ensure anti-tampering. Indeed, the report claims Ledger wallets are so poorly designed that pre-infected devices could exploit users’ first-ever transaction to jack their crypto.
DocDroid disclosed the vulnerability to the Ledger a month ago, but its team preferred to fix the flaw by raising awareness about it – instead making changes to its code and interface.
Responding to annoyed customers on Twitter, Ledger said that the issue “cannot be solved in the absolute.”
“A malware can always change what you see on your computer screen,” the company wrote. “The only solution is prevention and building an UX to make the user check on its device. On device verification feature has been added [six] month ago already.”
So next time you’re making a transaction with your Ledger wallet, better take your time to make sure everything is in check: you might be risking getting all of your coins jacked.
Update: Ledger has detailed the vulnerability at length at their official blog.
Update 2: Ledger has contacted TNW with the following statement:
Hardware wallets like the Ledger Nano S were created because fundamentally, computers are not secure. We were recently informed by a member of our community that they had created a malware that could infect the user’s computer – specifically, the Ledger Chrome application.The issue highlighted to us was a proof of concept, in which an attacker could theoretically change the ‘receive’ address seen on the computer’s screen by a user sending cryptocurrencies while using the Ledger Chrome application. We have no evidence that anyone in the Ledger community was impacted by this issue.It is an industry wide issue. All hardware wallets are affected: this is not a vulnerability of the device, but a reminder about the fact you cannot trust what you see on the screen of your computer.
Get the TNW newsletter
Get the most important tech news in your inbox each week.