{"id":7349,"date":"2018-03-23T15:36:17","date_gmt":"2018-03-24T01:36:17","guid":{"rendered":"https:\/\/westoahu.hawaii.edu\/cyber\/?p=7349"},"modified":"2019-11-08T02:53:02","modified_gmt":"2019-11-08T12:53:02","slug":"ledger-cryptocurrency-wallet-flaw","status":"publish","type":"post","link":"https:\/\/westoahu.hawaii.edu\/cyber\/vulnerability-research\/ledger-cryptocurrency-wallet-flaw\/","title":{"rendered":"Ledger Cryptocurrency Wallet Flaw"},"content":{"rendered":"<h2><strong>What happened?<\/strong><\/h2>\n<p><span style=\"font-weight: 400;\">Security researcher, Saleem Rashid discovered a critical flaw in cryptocurrency wallet hardware created by the company, Ledger. A hardware wallets purpose is to protect a users cryptocurrency private wallet address from being stolen by malicious software located on a computer. It prevents the computer from being to read the wallet address but still receives the authentication that it is legitimate. Rashid\u2019s work was reviewed by cryptographer Matthew Green, and Open Crypto Audit Projects Kenneth White who were impressed by Rashid&#8217;s proof of concept exploit. It was created to take advantage of this flaw to show the extent of this compromise showing an attacker could use this flaw to alter the device before a user receives it, or to steal the wallet keys locally or remotely. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">Several potential attacks against these devices were discussed in a document released by Rashid.<\/span><\/p>\n<ul>\n<li><span style=\"font-weight: 400;\">Supply Chain Attack<\/span><\/li>\n<li><span style=\"font-weight: 400;\">Evil Maid Attack<\/span><\/li>\n<li><span style=\"font-weight: 400;\">Malware\/Social Engineering<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">The focus of the published paper was the supply chain attack with attacks being demonstrated on a real Ledger Nano S. While the focus is on software, compromising the devices hardware is extremely viable.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">A video was provided by Rashid performing the attack and altering one such device physically.<\/span><\/p>\n<p><iframe title=\"Nano-S attack\" width=\"687\" height=\"386\" src=\"https:\/\/www.youtube.com\/embed\/3poUPY-VpSI\" allow=\"accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen><\/iframe><\/p>\n<blockquote><p><em><span style=\"font-weight: 400;\">As you can tell from the video above, it is trivial to perform a supply chain attack that modifies the generated recovery\u00a0<\/span><\/em><em><span style=\"font-weight: 400;\">seed. Since all private keys are derived from the recovery seed, the attacker could steal any funds loaded onto the\u00a0<\/span><\/em><em><span style=\"font-weight: 400;\">device.<\/span><\/em><\/p><\/blockquote>\n<p><span style=\"font-weight: 400;\">A less reliable proof of concept code was released by Rashid to <a href=\"https:\/\/github.com\/LedgerHQ\/nanos-nonsecure-firmware\">Github<\/a> for educational purposes.\u00a0<\/span><\/p>\n<h2><strong>Technical Details<\/strong><\/h2>\n<p><strong>Key Aspects<\/strong><\/p>\n<ul>\n<li>Microprocessor chip is not secure.<\/li>\n<li>Proof-of-concept code bypasses security measures.<\/li>\n<li>Buttons and screen can be reprogrammed.<\/li>\n<li>Authentication between the secure element and micro-controller is not strong enough.<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">The vulnerability comes from a flaw in how Ledger designed their dual-chip architecture. The secure element micro-controller initially used does not support the needs of their hardware. In order to remedy this they designed one of their own to compensate. The micro-controller has been shown to be non-secure and susceptible to attacks which Rashid focuses on.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The Nano S has two micro-controllers.<\/span><\/p>\n<ul>\n<li><span style=\"font-weight: 400;\"><strong>ST31H320 (SE)<\/strong> &#8211; Secure Element but does not support displays or USB. Stores private keys.<\/span><\/li>\n<li><span style=\"font-weight: 400;\"><strong>STM32F042K6 (MCU<\/strong>) &#8211; non-secure micro-controller which acts as a proxy for the SE and processes the display, buttons and USB interface.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Due to the MCU being vulnerable it puts other devices, peripherals, and the SE at risk. Below a diagram of how the communication takes place.<\/span><\/p>\n<figure id=\"attachment_7351\" aria-describedby=\"caption-attachment-7351\" style=\"width: 933px\" class=\"wp-caption aligncenter\"><img fetchpriority=\"high\" decoding=\"async\" class=\"wp-image-7351\" src=\"https:\/\/westoahu.hawaii.edu\/cyber\/wp-content\/uploads\/2018\/03\/se_mcu.png\" alt=\"USB host flow\" width=\"933\" height=\"538\" srcset=\"https:\/\/westoahu.hawaii.edu\/cyber\/wp-content\/uploads\/2018\/03\/se_mcu.png 1248w, https:\/\/westoahu.hawaii.edu\/cyber\/wp-content\/uploads\/2018\/03\/se_mcu-300x173.png 300w, https:\/\/westoahu.hawaii.edu\/cyber\/wp-content\/uploads\/2018\/03\/se_mcu-768x443.png 768w\" sizes=\"(max-width: 933px) 100vw, 933px\" \/><figcaption id=\"caption-attachment-7351\" class=\"wp-caption-text\">Image provided by <a href=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2018\/03\/ledgerattack.pdf\">Saleem Rashid<\/a>.<\/figcaption><\/figure>\n<p><strong>Ledgers Security<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">Ledger does have security measures in place to verify the integrity of the MCU\u2019s firmware by using a low-throughput universal asynchronous receiver-transmitter(UART). The SE asks the MCU for the entire contents of its flash memory to verify it contains official Ledger firmware. The security theory is that with only a limited amount of flash memory available that it would be difficult to run the official Ledger firmware and malicious code at the same time. A diagram of this method can be seen below.<\/span><\/p>\n<figure id=\"attachment_7354\" aria-describedby=\"caption-attachment-7354\" style=\"width: 1119px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" class=\"wp-image-7354\" src=\"https:\/\/westoahu.hawaii.edu\/cyber\/wp-content\/uploads\/2018\/03\/semcutheory.png\" alt=\"Ledger steps\" width=\"1119\" height=\"527\" \/><figcaption id=\"caption-attachment-7354\" class=\"wp-caption-text\">Image provided by <a href=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2018\/03\/ledgerattack.pdf\">Saleem Rashid<\/a>.<\/figcaption><\/figure>\n<p><span style=\"font-weight: 400;\">Rashid having studied Ledgers method of defense designed an attack exploit. However it should be noted that malicious code from a malicious USB would be a more direct route he set out to create his own software code. He understood that C programs, in order to use some functions will often provide itself with extra programs and in this case it was a bootloader and firmware.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To exploit this Rashid created his own bootloader and firmware from source code using the command below to find the appropriate symbols. <\/span><\/p>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_7356\" aria-describedby=\"caption-attachment-7356\" style=\"width: 1007px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" class=\"wp-image-7356\" src=\"https:\/\/westoahu.hawaii.edu\/cyber\/wp-content\/uploads\/2018\/03\/symbolcommand.png\" alt=\"file system with sort command\" width=\"1007\" height=\"64\" srcset=\"https:\/\/westoahu.hawaii.edu\/cyber\/wp-content\/uploads\/2018\/03\/symbolcommand.png 1499w, https:\/\/westoahu.hawaii.edu\/cyber\/wp-content\/uploads\/2018\/03\/symbolcommand-300x19.png 300w, https:\/\/westoahu.hawaii.edu\/cyber\/wp-content\/uploads\/2018\/03\/symbolcommand-768x49.png 768w\" sizes=\"(max-width: 1007px) 100vw, 1007px\" \/><figcaption id=\"caption-attachment-7356\" class=\"wp-caption-text\">Image provided by <a href=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2018\/03\/ledgerattack.pdf\">Saleem Rashid<\/a>.<\/figcaption><\/figure>\n<figure id=\"attachment_7357\" aria-describedby=\"caption-attachment-7357\" style=\"width: 485px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-7357\" src=\"https:\/\/westoahu.hawaii.edu\/cyber\/wp-content\/uploads\/2018\/03\/symbols.png\" alt=\"memory files\" width=\"485\" height=\"138\" srcset=\"https:\/\/westoahu.hawaii.edu\/cyber\/wp-content\/uploads\/2018\/03\/symbols.png 580w, https:\/\/westoahu.hawaii.edu\/cyber\/wp-content\/uploads\/2018\/03\/symbols-300x85.png 300w\" sizes=\"(max-width: 485px) 100vw, 485px\" \/><figcaption id=\"caption-attachment-7357\" class=\"wp-caption-text\">Image provided by <a href=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2018\/03\/ledgerattack.pdf\">Saleem Rashid<\/a>.<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">He combined malicious branches that included the payload and targets with the malicious code. By using the appropriate code at the correct time the malicious code is able to be loaded without any issues. This can be seen in the diagram below on how he uses the \u201c__udivsi3\u201d as the attack vector.<\/span><\/p>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_7358\" aria-describedby=\"caption-attachment-7358\" style=\"width: 1140px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-7358\" src=\"https:\/\/westoahu.hawaii.edu\/cyber\/wp-content\/uploads\/2018\/03\/bootloaderexploit.png\" alt=\"bootloader exploit diagram\" width=\"1140\" height=\"321\" \/><figcaption id=\"caption-attachment-7358\" class=\"wp-caption-text\">Image provided by <a href=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2018\/03\/ledgerattack.pdf\">Saleem Rashid<\/a>.<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">After using the vulnerability to get into the device Rashid creates an exploit to:<\/span><\/p>\n<ol>\n<li><span style=\"font-weight: 400;\"> Code to modify the flash contents being sent to the SE, to trick the verification procedure<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> An attack such as a keylogger or key generation backdoor<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">The exploit code he wrote is below.<\/span><\/p>\n<figure id=\"attachment_7363\" aria-describedby=\"caption-attachment-7363\" style=\"width: 979px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-7363 size-full\" src=\"https:\/\/westoahu.hawaii.edu\/cyber\/wp-content\/uploads\/2018\/03\/exploitcode.png\" alt=\"code snippet\" width=\"979\" height=\"380\" srcset=\"https:\/\/westoahu.hawaii.edu\/cyber\/wp-content\/uploads\/2018\/03\/exploitcode.png 979w, https:\/\/westoahu.hawaii.edu\/cyber\/wp-content\/uploads\/2018\/03\/exploitcode-300x116.png 300w, https:\/\/westoahu.hawaii.edu\/cyber\/wp-content\/uploads\/2018\/03\/exploitcode-768x298.png 768w\" sizes=\"(max-width: 979px) 100vw, 979px\" \/><figcaption id=\"caption-attachment-7363\" class=\"wp-caption-text\">Image provided by <a href=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2018\/03\/ledgerattack.pdf\">Saleem Rashid.<\/a><\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">The code sets all entropy of the syscall random number generator to zero. It sets the recovery seed to the word &#8220;abandon&#8221;. Private keys are derived from the recovery seed and if you control the seed then you essentially control all the wallet addresses generated by the device.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">A diagram of the SE\/MCU communication with the malicious code can be found below.<\/span><\/p>\n<figure id=\"attachment_7359\" aria-describedby=\"caption-attachment-7359\" style=\"width: 1075px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-7359\" src=\"https:\/\/westoahu.hawaii.edu\/cyber\/wp-content\/uploads\/2018\/03\/maliciousdiagram.png\" alt=\"Malicious diagram\" width=\"1075\" height=\"485\" \/><figcaption id=\"caption-attachment-7359\" class=\"wp-caption-text\">Image provided by <a href=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2018\/03\/ledgerattack.pdf\">Saleem Rashid<\/a>.<\/figcaption><\/figure>\n<h2><strong>Mitigation<\/strong><\/h2>\n<ul>\n<li><span style=\"font-weight: 400;\"><strong>Secure design and testing<\/strong> &#8211; The root of the vulnerabilities can be derived from the architecture design. If there were proper testing of the MCU and the other components this type of issue could have been avoided.<\/span><\/li>\n<li><span style=\"font-weight: 400;\"><strong>Firmware update<\/strong> &#8211; Ledger is releasing a firmware update to fix the vulnerabilities.<\/span><\/li>\n<\/ul>\n<h2><strong>Significance<\/strong><\/h2>\n<p><span style=\"font-weight: 400;\">The vulnerability and exploits only directly affects current users of Ledgers crypto wallets. <\/span><span style=\"font-weight: 400;\">However, this type of vulnerability does bring light to the ongoing design and architecture issues currently taking place. While nothing is completely secure there should be safeguards in place to protect the sole purpose of these wallets. It is important for developers and companies to begin securing their products at the hardware level and properly testing them before releasing to the public.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><strong>Sources:<\/strong><\/h2>\n<p><a href=\"https:\/\/krebsonsecurity.com\/2018\/03\/15-year-old-finds-flaw-in-ledger-crypto-wallet\/\">https:\/\/krebsonsecurity.com\/2018\/03\/15-year-old-finds-flaw-in-ledger-crypto-wallet\/<\/a><\/p>\n<p><a href=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2018\/03\/ledgerattack.pdf\">https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2018\/03\/ledgerattack.pdf<\/a><\/p>\n<p><a href=\"http:\/\/www.st.com\/en\/secure-mcus\/st31h320.html\">http:\/\/www.st.com\/en\/secure-mcus\/st31h320.html<\/a><\/p>\n<p><a href=\"https:\/\/github.com\/LedgerHQ\/nanos-nonsecure-firmware\">https:\/\/github.com\/LedgerHQ\/nanos-nonsecure-firmware<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>What happened? Security researcher, Saleem Rashid discovered a critical flaw in cryptocurrency wallet hardware created by the company, Ledger. A hardware wallets purpose is to protect a users cryptocurrency private wallet address from being stolen by malicious software located on a computer. It prevents the computer from being to read the wallet address but still &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/westoahu.hawaii.edu\/cyber\/vulnerability-research\/ledger-cryptocurrency-wallet-flaw\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Ledger Cryptocurrency Wallet Flaw&#8221;<\/span><\/a><\/p>\n","protected":false},"author":26,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[25,7],"tags":[],"class_list":["post-7349","post","type-post","status-publish","format-standard","hentry","category-vulnerabilities-weekly-summaries","category-vulnerability-research","entry"],"acf":[],"_links":{"self":[{"href":"https:\/\/westoahu.hawaii.edu\/cyber\/wp-json\/wp\/v2\/posts\/7349","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/westoahu.hawaii.edu\/cyber\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/westoahu.hawaii.edu\/cyber\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/westoahu.hawaii.edu\/cyber\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/westoahu.hawaii.edu\/cyber\/wp-json\/wp\/v2\/comments?post=7349"}],"version-history":[{"count":17,"href":"https:\/\/westoahu.hawaii.edu\/cyber\/wp-json\/wp\/v2\/posts\/7349\/revisions"}],"predecessor-version":[{"id":9174,"href":"https:\/\/westoahu.hawaii.edu\/cyber\/wp-json\/wp\/v2\/posts\/7349\/revisions\/9174"}],"wp:attachment":[{"href":"https:\/\/westoahu.hawaii.edu\/cyber\/wp-json\/wp\/v2\/media?parent=7349"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/westoahu.hawaii.edu\/cyber\/wp-json\/wp\/v2\/categories?post=7349"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/westoahu.hawaii.edu\/cyber\/wp-json\/wp\/v2\/tags?post=7349"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}