Saleem Rashid, a teenage security expert, has broken past the security of the Ledger Nano S hardware wallet after discovering a vulnerability that was caused by the use of custom architecture by Ledger. According to a post on his website, Saleem Rashid indicated that an attacker can exploit the security loophole to compromise the cryptocurrency wallet device and steal private keys belonging to the user, with the capacity to control the hardware wallet remotely.
How the Hack Works
Saleem Rashid explains in the post that the microcontroller to the wallet uses a nonsecure protocol that can be hacked from the use of the displays and the buttons to input data. Practically, Saleem proved that a hacker can trick the Secure Element (SE) that connects through a proxy to the device and obtain the private keys from the hardware wallet.
Furthermore, the 15 year-old whizz also demonstrates that resellers of the Ledger Nano S could access the firmware of the microcontroller and compromise its identification capacity by the SE. According to Rashid, attackers are capable of controlling the user interface through the use of malicious code to come up with a zero randomness recovery seed of their choice. In an uploaded video, Rashid proved his point with the word ‘abandon’ to show how hackers with the mnemonic phrase to the wallet could easily access the private keys.
Response From the Ledger Team
Rashid also reported the flaw to Nicolas Bacca (the Ledger CTO) who replied saying that the post by Rashid was nothing but a “massive FUD” aimed at giving the teenager attention. This came after panic started spreading on social platforms such as Reddit, with Saleem getting agitated by the lack of prompt response from the Ledger team.
Although Rashid’s report was not taken seriously by the Ledger team, the company came up with a firmware update on March 6th that Rashid criticized. He recommended that the update be posted as a critical or distinguished update to keep hackers from exploiting the vulnerability in future.
Eventually, Ledger managed to release another update on March 20th that served as a solution to the vulnerabilities pointed out in Saleem’s technical report. The hack on the Ledger Nano S is one of two of the endeavors by the 15 year-old, who lives in the UK. He has also managed to uncover problems with the TREZOR.one wallet in the past and the issue was solved. Rashid has managed to capture the attention of the crypto world with his out-of-the-box thinking as indicated by the CEO of Satoshi labs, Marek Palatinus.