According to a blog post published by Mo Nokhbeh, a crypto software researcher, the Ledger Wallet app is exposed to exploitation through a vulnerability that has persisted on the platform since 2019. According to Mo, a user can unknowingly send Bitcoin (BTC) instead of a Bitcoin fork such as the BTC testnet, Litecoin or Bitcoin Cash, even if they had selected the ‘fork’.
To use the Ledger hardware wallet, a user must install the corresponding app onto the USB device, which allows users to hold different types of digital currencies. However, only one app can be open at a time, to ensure security and total isolation between apps.
An issue arises with BTC and its forks. For example, if your Litecoin app is open and you wish to send LTC, the wallet will prompt you to confirm a Bitcoin transaction while the interface presents it as an LTC transaction to a Litecoin address. If you accept the confirmation, a fully valid BTC transaction is sent out of your wallet instead of the cheaper altcoin.
Interactions with Ledger
Mo has raised the vulnerability with the Ledger team, but claims his warnings fell on deaf ears, with the issue persisting for the past year and a half. In a response posted on Decrypt, a spokesperson from Ledger said the delays were mainly due to the communication channels the security researcher used. The spokesperson said:
“The researcher contacted us through many means—mainly Twitter DMs. The appropriate medium for bug bounty remains the dedicated email address [email protected]. Due to this, our point of view on this timeline differs, and we are genuinely sorry for the miscommunication.”
However, Nokhbeh disputes this, saying the only time he sent a Twitter DM was recently, in June 2020, after a number of failed attempts through the official channels.
Solution to the Ledger App vulnerability
In a statement focusing on the possible exploits, Ledger said the vulnerability arose from a tradeoff between security and usability, especially for the Bitcoin network. While the external security of the wallets remains solid, Ledger allows Bitcoin forks and derivatives that follow the same derivation path as Bitcoin to derive public keys or sign Bitcoin transactions. The statement reads:
“Some BTC forks use the same derivation path as BTC. If we prevent these forks from using the BTC derivation path, this would simply prevent users from using the Ledger Nano S/X with these forks.”
The statement adds that a fix has been released in a new update that warns users when the intended transaction and the one presented for confirmation do not match.
We’d like to thank the researcher for helping us make our Ledger Nanos more secure. A new version of the Bitcoin app will be released today, with an update that will display a warning and prompt for confirmation when an unexpected path is used–therefore solving this issue.
— Ledger (@Ledger) August 5, 2020
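As an added example (not Ledger's code), the following Python sketches the kind of derivation-path check Ledger describes above: the open app compares the coin_type in the requested BIP-44 path against the values it expects and, on a mismatch, returns a warning that must be confirmed before signing. The app-to-coin_type table and the treatment of purpose levels 44'/49'/84' are assumptions of this example.

```python
import re

# Expected BIP-44 coin_type values (SLIP-44 registry) per installed app.
# Assumption for this example: the Bitcoin Cash app also accepts coin_type 0',
# since, as Ledger's statement notes, some BTC forks reuse Bitcoin's path.
EXPECTED_COIN_TYPES = {
    "Bitcoin": {0},
    "Bitcoin Testnet": {1},
    "Litecoin": {2},
    "Bitcoin Cash": {145, 0},
}
# Purpose levels for legacy, wrapped-SegWit and native-SegWit accounts.
KNOWN_PURPOSES = {44, 49, 84}

_PATH_RE = re.compile(r"^m(/\d+'?)+$")


def parse_path(path):
    """Parse a BIP-32 path such as m/44'/2'/0'/0/0 into (index, hardened) pairs."""
    if not _PATH_RE.match(path):
        raise ValueError(f"malformed derivation path: {path!r}")
    parts = []
    for comp in path.split("/")[1:]:
        hardened = comp.endswith("'")
        index = int(comp.rstrip("'"))
        if index >= 2**31:
            raise ValueError(f"child index out of range: {comp}")
        parts.append((index, hardened))
    return parts


def check_signing_request(app, path):
    """Return (ok, message). ok=False means the device should show a warning
    and require explicit user confirmation before signing on this path."""
    parts = parse_path(path)
    # Need at least purpose'/coin_type'/account', with the first two hardened.
    if len(parts) < 3 or not (parts[0][1] and parts[1][1]):
        return False, f"{app}: non-standard path {path}; confirm before signing"
    purpose, coin_type = parts[0][0], parts[1][0]
    if purpose not in KNOWN_PURPOSES:
        return False, f"{app}: unknown purpose {purpose}' in {path}; confirm before signing"
    if coin_type not in EXPECTED_COIN_TYPES[app]:
        return False, (f"{app}: path {path} uses coin_type {coin_type}', expected "
                       f"{sorted(EXPECTED_COIN_TYPES[app])}; confirm before signing")
    return True, f"{app}: path {path} matches the open app"


# The scenario from the article: Litecoin app open, host asks for Bitcoin's path.
print(check_signing_request("Litecoin", "m/44'/0'/0'/0/0"))
```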