Ledger, the company that makes devices designed to physically safeguard keys used in cryptocurrencies, has become incredibly popular, but now a 15-year-old has discovered a flaw in its hardware. Saleem Rashid, a teenage security researcher from the UK, has found a way to steal private keys from Ledger devices.
Products like those made by Ledger allow users to safeguard their private keys from malware that could potentially steal them from a user’s computer. They work by allowing transactions via a USB port without actually sharing the key with the PC they’re plugged into.
Rashid’s method requires physical possession of the device for a hacker to gain access to its contents. Normally this wouldn’t be a problem, but Ledger claims its built-in security is so good that it’s perfectly safe to buy its products from third-party sellers like Amazon and eBay. What Rashid found was that a reseller could load malware onto a device, allowing hackers to silently wait until it’s used, then steal the private key and any cryptocurrency associated with the account.
While Ledger originally dismissed the possibility of this flaw as unlikely, in a recent blog post the company claims to have now fixed it, along with others discovered by different security researchers. The firmware update for Ledger Nano S devices was released on March 6th. Ledger is still working on an update for the more expensive Ledger Blue, though the company claims it should be ready soon. Once customers plug their devices into a computer, they should be alerted that the new firmware update is available.