Update Firmware on Ledger ASAP - Exploit Found Again

in #bitcoin, 7 years ago

This wallet has the most cryptos but also the most security holes. Update needed again.

A 15-year-old teen found this hole while doing some research. If one has physical access to a Ledger, one can extract all private keys.

Whole paper here: https://krebsonsecurity.com/wp-content/uploads/2018/03/ledgerattack.pdf

The attack is shown here:

Visit his website to give him some love: https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/ the guy is a genius.

UPDATE FIRMWARE ASAP!

Follow, Resteem and VOTE UP @kingscrown creator of http://fuk.io blog for 0day cryptocurrency news and tips!

Nice

This is why it's good to be tech-savvy: to not have to rely on overhyped gadgets to take care of your funds

If you have ANY significant amount of money in crypto I’d recommend getting a cheap laptop, multiple USBs and doing it by hand. Install Linux on the laptop, download wallets there and then keep the thing offline unless you need to access funds!

Use the USBs to backup wallets, encrypt the drives and store one at home and one in a safety deposit box. It’s a lot of work but if you have five or six figure crypto accounts it’s worth it.

The best way is to get multiple hardware wallets and spread the funds evenly over them. Protect the physical wallets well, though.

Hardware wallets can be hacked either before being sold to you or in transit. If you create one yourself it’s much more secure and virus resistant since you can forgo using insecure operating systems.

Not if you buy one from the official site with anti-tampering seal, like Trezor.

Again you’re still stuck trusting the computer you use to set up and access Trezor. Why not skip the middle man? Plus can the seal be faked? Do you trust the company to remain reputable?

Well, that's the point.
Their source code is open source on GitHub and under everyone's eye. If you don't believe the firmware comes from it, review the code, build the firmware and flash it to the device.

I trust nobody but the power of decentralization. Now tell me what else is making you worry?

The hardware is more what I’d think they’d target. It’s harder to detect.

That is what this discussion started with: get a Trezor from the official site with a seal. Reflash the firmware if you are this cautious.

FYI I have a huge chunk of my net worth inside one of them; I have no less concern than you about the security issues.

I shall thank you if you can point out any better options than a hardware wallet, which so far you have not. Please feel free to enlighten me further.

So, I just upgraded a few days ago. Does this mean another update is already req'd? Or is 1.4.1 good for now?

I was on the fence about switching to a Trezor because of the experience I had with updating to 1.4.1 and the limitations of how many apps you can use. 1.4.1 added a lot more apps but this is the last straw, ordered a Trezor and will swap it out.

That is why crypto still needs improvement.

Even after 3 days plus consulting Ledger support I could not finish the update.

WARNING! The comment below by @blockchainfiend leads to a known phishing site that could steal your account.
Do not open links from users you do not trust. Do not provide your private keys to any third party websites.

@kingscrown I can only say that your post is very useful for me, success for you.

This is a fantastic post, I liked it.