Kraken Security Labs, the cybersecurity division of the popular cryptocurrency exchange Kraken, has unveiled two potential attacks against the Ledger Nano X hardware wallet, which have now been patched.
The attacks, according to Kraken’s cybersecurity arm, could see bad actors get access to victims’ computers, and use said access to install malware that would allow them to steal their cryptocurrency holdings.
The first attack, named Bad Ledger, would require the hacker to first tamper with the device before it was sold to the victim – something that can happen if the victim buys a Ledger from a seller on eBay, for example – to add a protocol that behaves like a keyboard and can send malicious keystrokes to the victim’s computer.
In a video Kraken shared, cybersecurity experts use an infected Ledger Nano X to open their website on a computer.
2/ In the ‘Bad Ledger’ attack, the device’s firmware can be modified to act as an input device that can send malicious keystrokes to the user’s computer.
The video below shows an infected Ledger Nano X acting as a keyboard and accessing our website. pic.twitter.com/ZKqgllZ52W
— Kraken Exchange (@krakenfx) July 8, 2020
The second attack, dubbed Blind Ledger, could see hackers run malicious code on a non-secure processor to turn off the Ledger Wallet’s display, even if the device was running on its battery. They could then use social engineering to convince a victim to press several buttons to trigger a transaction that would move the funds to the hacker’s address.
As the display would be disabled, the victim could not check that the transaction was being sent to the hacker’s wallet. To stay safe, Kraken recommends users only buy Ledger devices from trusted stores, always verify transactions on the Ledger Nano wallet, and be wary if the device acts strangely.
Ledger, in response to Kraken’s findings, upgraded its firmware to protect its users against these attacks.
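The Bad Ledger behaviour described above is visible on the host: a USB HID device that the host treats as a keyboard declares a Keyboard usage in its report descriptor. The following is an added example, not code from Kraken or Ledger; it parses a report descriptor and flags keyboard declarations on devices that are not expected to be keyboards. The descriptor bytes, device labels and function names are constructed for illustration.

```python
# Added example: does a HID report descriptor declare a keyboard?
# The descriptor bytes below are constructed samples, not captured from a real device.
GENERIC_DESKTOP = 0x01          # HID usage page
KEYBOARD, KEYPAD = 0x06, 0x07   # usages on the Generic Desktop page
APPLICATION = 0x01              # collection type for a top-level function

def top_level_usages(desc: bytes):
    """Return (usage_page, usage) for every top-level Application collection."""
    found, page, usages, depth, i = [], 0, [], 0, 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:                      # long item: prefix, size, tag, data
            if i + 1 >= len(desc):
                raise ValueError("truncated HID report descriptor")
            i += 3 + desc[i + 1]
            continue
        size = (0, 1, 2, 4)[prefix & 0x03]
        data = desc[i + 1:i + 1 + size]
        if len(data) < size:
            raise ValueError("truncated HID report descriptor")
        value = int.from_bytes(data, "little")
        kind = prefix & 0xFC                    # tag and type bits, size masked off
        if kind == 0x04:                        # Global item: Usage Page
            page = value
        elif kind == 0x08:                      # Local item: Usage
            usages.append(value)
        elif kind == 0xA0:                      # Main item: Collection
            if depth == 0 and value == APPLICATION and usages:
                u = usages[0]                   # 4-byte usages carry their own page
                found.append((u >> 16, u & 0xFFFF) if u > 0xFFFF else (page, u))
            depth += 1
        elif kind == 0xC0:                      # Main item: End Collection
            depth -= 1
        if (prefix & 0x0C) == 0:                # every Main item clears local state
            usages = []
        i += 1 + size
    return found

def presents_keyboard(desc: bytes) -> bool:
    return any(p == GENERIC_DESKTOP and u in (KEYBOARD, KEYPAD)
               for p, u in top_level_usages(desc))

def unexpected_keyboards(inventory: dict, known_keyboards: set) -> list:
    """Labels of devices that expose a keyboard but are not expected to."""
    return sorted(name for name, descs in inventory.items()
                  if name not in known_keyboards and any(map(presents_keyboard, descs)))

# Constructed samples: a minimal keyboard and a vendor-defined (page 0xFFA0) interface.
SAMPLE_KEYBOARD = bytes.fromhex("05 01 09 06 a1 01 05 07 19 e0 29 e7 15 00 25 01 75 01 95 08 81 02 c0")
SAMPLE_VENDOR = bytes.fromhex("06 a0 ff 09 01 a1 01 09 03 15 00 26 ff 00 75 08 95 40 81 08 09 04 95 40 91 08 c0")
INVENTORY = {"desk keyboard": [SAMPLE_KEYBOARD], "wallet A": [SAMPLE_VENDOR],
             "wallet B": [SAMPLE_VENDOR, SAMPLE_KEYBOARD]}  # labels are hypothetical
```

On Linux, the raw report descriptor of each attached HID interface can be read from `/sys/bus/hid/devices/*/report_descriptor` and passed to `presents_keyboard`.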