The attack works by the bad actor creating a transaction that looks like an altcoin payment (a coin that isn’t Bitcoin) when it actually takes Bitcoin out of the wallet instead.
“An attacker can exploit this method to transfer Bitcoin while the user is under the impression that a transaction of another, less valuable altcoin (e.g. Litecoin, Testnet Bitcoins, Bitcoin Cash, etc.) is being executed,” wrote Nokhbeh.
This is worrying because the user thinks that they’re handing out 0.01 of an altcoin, which could be far less valuable than 0.01 Bitcoin, for instance.
“A new version of the Bitcoin app will be released today, with an update that will display a warning and prompt for confirmation when an unexpected path is used—therefore solving this issue,” said a Ledger spokesperson (who later confirmed that the fix is now live).
“The researcher contacted us through many means—mainly Twitter DMs. The appropriate medium for bug bounty remains the dedicated email address email@example.com. Due to this, our point of view on this timeline differs, and we are genuinely sorry for the miscommunication. It is important to note that we will never overlook the discovery made by a security researcher to improve our products,” she added.
Since the article was published, Nokhbeh told Decrypt, “The only Twitter DM which was used was a last resort on 28 July 2020 to Donjon Twitter. Every other communication made was straight to the Ledger bounty address they provide. You can check the disclosure timeline in the post for these instances.”
How does the exploit work?
Nokhbeh explained that while Ledger’s hardware wallets support several cryptocurrencies via a specialized application for each, only one of them can be active at a time. But it turned out that external apps can gain access to data even for cryptocurrencies that are currently locked.
“It was discovered that for Bitcoin and Bitcoin forks, the device exposes it’s (sic) functions for any of the assets. In other words, having unlocked the Litecoin app, you will receive a confirmation request for a Bitcoin transfer while the interface presents it as a transfer of Litecoins to a Litecoin address,” wrote Nokhbeh, adding emphasis that “Accepting the confirmation produces a fully valid signed Bitcoin (mainnet) transaction.”
This means that Ledger’s devices will receive Bitcoin-related requests even if Bitcoin is not the crypto being used at the time. Worse, it will present such a transaction as a transfer of the altcoin in question. Nokhbeh added that “the implications are serious.”
The report claims that Ledger was made aware of the vulnerability as far back as January 2019 but still hasn’t fixed it.
Ledger calls it a tradeoff
Commenting on the report, Ledger acknowledged that while its wallets ensure that cryptocurrency apps cannot use keys from each other, this indeed was “not enforced for the Bitcoin app and most of its derivatives, allowing a Bitcoin derivative (eg. Litecoin) to derive public keys or sign Bitcoin transactions” to avoid potential issues.
The reason is that many cryptocurrencies have evolved out of the Bitcoin blockchain, and share some of the same history.
“Some BTC forks use the same derivation path as BTC. If we prevent these forks from using the BTC derivation path, this would simply prevent users from using the Ledger Nano S/X with these forks,” Ledger explained.
According to the company’s latest Security Bulletin, the developers had to choose between security and usability, “wanting to avoid a situation where user funds would be locked and users unable to spend their funds.”
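The kind of check the fix describes (warn when a signing request uses a derivation path the open app does not expect) can be sketched as follows. This is an added example, not Ledger's code: the coin-type numbers are the SLIP-44 registry values, while the `ALLOWED` policy table, the function names and the `ExampleFork` entry are assumptions made for illustration.

```python
HARDENED = 0x80000000
# SLIP-44 coin types for the assets named in the article.
COIN_NAMES = {0: "Bitcoin", 1: "Testnet", 2: "Litecoin", 145: "Bitcoin Cash"}
# Hypothetical policy table: coin types each app may sign for.
# "ExampleFork" is a constructed stand-in for a fork that shares Bitcoin's path.
ALLOWED = {"Bitcoin": {0}, "Testnet": {1}, "Litecoin": {2},
           "Bitcoin Cash": {145}, "ExampleFork": {0}}

def parse_path(path):
    """Parse "m/44'/0'/0'/0/5" into a list of 32-bit BIP32 indexes."""
    parts = path.strip().split("/")
    if parts[0] != "m" or len(parts) < 2:
        raise ValueError("path must start with m/")
    indexes = []
    for part in parts[1:]:
        hardened = part.endswith(("'", "h"))
        digits = part[:-1] if hardened else part
        if not (digits.isascii() and digits.isdigit()):
            raise ValueError(f"bad path element: {part!r}")
        value = int(digits)
        if value >= HARDENED:
            raise ValueError(f"index out of range: {part!r}")
        indexes.append(value | HARDENED if hardened else value)
    return indexes

def check_path(active_app, path):
    """Return (ok, reason); ok=False means warn and ask for confirmation."""
    indexes = parse_path(path)
    if len(indexes) < 2:
        return False, "path has no coin-type level"
    purpose, coin = indexes[0], indexes[1]
    if not (purpose & HARDENED and coin & HARDENED):
        return False, "purpose and coin type must be hardened"
    if purpose ^ HARDENED not in (44, 49, 84):
        return False, "unexpected purpose level"
    coin_type = coin ^ HARDENED
    if coin_type not in ALLOWED[active_app]:
        owner = COIN_NAMES.get(coin_type, "unknown asset")
        return False, f"path belongs to {owner}, not {active_app}"
    return True, "path matches the open app"

if __name__ == "__main__":
    # Constructed requests: (open app, requested path).
    for app, path in [("Litecoin", "m/44'/2'/0'/0/0"),
                      ("Litecoin", "m/44'/0'/0'/0/0"),
                      ("ExampleFork", "m/44'/0'/0'/0/0")]:
        print(app, path, check_path(app, path))
```

The last constructed request passes because the fork legitimately shares Bitcoin's coin type, which is the tradeoff Ledger describes: a path check alone cannot separate such a fork from Bitcoin.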
Looks like Ledger is caught in a catch-22.
Update: This article has been updated with a comment from Nokhbeh and to say that the Ledger fix has now been implemented.