Posted on February 8, 2018 at 8:50 PM
A group of cybersecurity researchers discovered that all crypto hardware wallets carried flaws that made them vulnerable to a hacking technique known as the man-in-the-middle attack.
New research has proven that all hardware crypto wallets currently operating are vulnerable to man-in-the-middle (MitM) attacks. The flaw was discovered by a group of unknown cybersecurity researchers and proves that all current hardware wallets enable hackers to display incorrect wallet addresses to parties who might conduct a transaction to the specific wallet. The hacker can, therefore, intercept an address and replace it with their own, which means that funds will be sent to the fraudulent wallet address instead of the correct one. This means a loss of significant funds for affected users.
Hardware wallets were traditionally considered the safer option compared to the alternative of app-based or online wallets. However, this new information, which has so far affected one million users, might cause the general opinion to change.
Ledger, the popular hardware wallet provider, acknowledged this new threat via a Tweet last week. In addition, the company released a PDF report which provides more details on the threat. According to this report, a Ledger wallet generates a new address for every new transaction; however, in the MitM attack, the hacker intercepts this and displays the fraudulent address while the victim’s device is still in the process of generating a new address.
The attack, however, needs to infect the device with malware before it can operate successfully. After the hacker has compromised the device, they can covertly switch the code that is responsible for generating new addresses, which means that funds will not reach the victim’s wallet. The report states that the malware would ensure that the hacker has full control of the compromised device, and in doing so they can change settings which will make them the beneficiary of all incoming funds.
The report emphasizes that in order to prevent attacks, users must employ strict verification methods to ensure that the shared address is the correct one. To do so, users can simply click on the button that is displayed beneath the QR code. Clicking this button will display the hardware wallet’s address and will allow the user to verify the address.
Ethereum users are not affected by this technique, according to the report.
Ledger has not yet named the authors of the report due to security concerns. However, the report warns Ethereum app users to consider the hardware wallet similar to all other software wallets, at least until such time as Ledger has been able to address this issue.
To mitigate the man in the middle attack vector reported here https://t.co/GFFVUOmlkk (affecting all hardware wallet vendors), always verify your receive address on the device's screen by clicking on the "monitor button" pic.twitter.com/EMjZJu2NDh
— Ledger (@LedgerHQ) February 3, 2018
What is more alarming is that the group of unnamed researchers who discovered the flaw noted that Ledger was not particularly serious in addressing the security concern. According to the researchers, they took steps in contacting Ledger’s CTO and CEO to notify them and advise on possible fixes. However, they were met with a cool reply that simply requested more details. After three weeks of being unresponsive, Ledger sent the researchers an issue stating that they did not intend to release a security update.
However, the CTO did confirm that Ledger will notify their users about the possible dangers that could arise should this flaw ever be exploited.