However, Ledger’s development team has closed this vulnerability. They took steps to prevent the MCU from sending false code to the secure element: the MCU is required to forward the entire contents of its flash memory. The MCU has a relatively limited amount of flash memory, so to smuggle false code onto it, the MCU would theoretically have to store both the official firmware and the false code. The memory capacity of the MCU should prevent this kind of attack.
Rashid allegedly circumvented this mechanism by first realizing that the MCU contained both the bootloader and the firmware, and that some of the software functions, the compiler intrinsics, were identical in both. He eventually removed these intrinsics and replaced them with malicious code. When the secure element then asked the MCU for its contents, the 15-year-old created a (seemingly) legitimate image to trick the device. The device then verified the counterfeit firmware.
As a result, the device generated wallet addresses and recovery passwords that the attackers could control. Rashid thus ultimately claims to be able to generate passwords that seem random to the users, but which the attackers know. According to Rashid, this vulnerability could be exploited by malware that infiltrates devices and computers in order to infect them.
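The memory-capacity argument described above only holds if the official image pins down every byte of flash. The following audit sketch is an added example, not code from Ledger or Rashid: it counts unused flash plus firmware bytes that also occur verbatim in the bootloader. The 32-byte window, the flash size and the sample images are constructed assumptions.

```python
import hashlib

WINDOW = 32  # assumed minimum run length (bytes) that counts as a shared routine

def _fill(tag: bytes, n: int) -> bytes:
    """Deterministic filler bytes standing in for compiled code (constructed data)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(tag + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def duplicated_bytes(bootloader: bytes, firmware: bytes, window: int = WINDOW) -> int:
    """Lower bound on firmware bytes that also occur verbatim in the bootloader."""
    seen = {bootloader[i:i + window] for i in range(len(bootloader) - window + 1)}
    dup, i = 0, 0
    while i + window <= len(firmware):
        if firmware[i:i + window] in seen:
            dup += window  # this run could be rebuilt from the bootloader's copy
            i += window
        else:
            i += 1
    return dup

def reclaimable_bytes(flash_size: int, bootloader: bytes, firmware: bytes) -> dict:
    """Flash that the official image does not pin down: erased space plus duplicates."""
    unused = flash_size - len(bootloader) - len(firmware)
    if unused < 0:
        raise ValueError("images do not fit in flash")
    dup = duplicated_bytes(bootloader, firmware)
    return {"unused": unused, "duplicated": dup, "total": unused + dup}

# Constructed layout: both regions link the same 256-byte block of intrinsics.
INTRINSICS = _fill(b"intrinsics", 256)
BOOTLOADER = _fill(b"boot", 512) + INTRINSICS
FIRMWARE_SHARED = _fill(b"app", 1024) + INTRINSICS
FIRMWARE_UNIQUE = _fill(b"app", 1024) + _fill(b"pad", 256)
FLASH_SIZE = 2048  # hypothetical size, chosen so the images fill the flash exactly

if __name__ == "__main__":
    print("shared intrinsics:", reclaimable_bytes(FLASH_SIZE, BOOTLOADER, FIRMWARE_SHARED))
    print("no shared code:   ", reclaimable_bytes(FLASH_SIZE, BOOTLOADER, FIRMWARE_UNIQUE))
```

A non-zero total means the "flash is too small to hold both images" assumption does not hold for that build, even when the images fill the flash exactly.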
Firmware update promises security for the Bitcoin trader
Ledger responded immediately to this problem. On March 20, they released an update that fixes three security issues. With the update, it is now possible to verify the integrity of the device and guarantee that the devices are not infected. Seeds and private keys are now safe.
In cooperation with the two security experts Timothée Isnard and Sergei Volokitin, Rashid himself has used Ledger to ensure that the security gaps have been closed. They strongly recommend upgrading the Ledger firmware to version 1.4.1 to eliminate all security threats.
Six steps to updating the Ledger Nano S for crypto traders
The first step is to open the Ledger Manager on the PC and connect your Ledger to the PC. If the device is new, press the right button while connecting the cable. After 5 seconds the device will display “Recovery” and you will be taken to the dashboard. If the device is already configured, connect it as usual and enter its PIN.
The second step is to synchronize the Ledger Manager with the wallet and wait for the dashboard to appear.
In the third step, click on the firmware menu in the upper left corner of the Ledger Manager on the PC. Then click on the green arrow in the line “Firmware Version 1.4.1.” and on the “Install” button. Finally, confirm this step on the device itself. If an error message appears, this does not necessarily mean that the device is infected. In that case, uninstall all applications from the device and start the update again.