Kraken Security Labs experts have discovered new attacks that can be applied to Ledger Nano X hardware wallets. The wallet maker has already fixed the problem.
It is reported that Ledger Nano X wallets can be attacked by attackers even before the user receives the product - for example, be subject to intervention by a reseller or during delivery. Theoretically, hackers can control the computer to which the Ledger Nano X wallet will be connected with the installed malware to steal cryptocurrencies. Kraken experts described two scenarios - “Bad Ledger” and “Blind Ledger”. In the case of Bad Ledger, the Ledger Nano X firmware changes, and the wallet turns into a data input device like a keyboard, allowing it to open a browser and view the Kraken exchange website.
The second option “Blind Ledger” allows you to make transactions blindly when the wallet display is turned off. The hacker program contains a code by which the device’s display turns off when certain conditions are met. The user cannot understand whether the wallet is functioning or not, however, it receives commands from the computer and can interact with it, including the Ledger Live application. Then, an instruction appears on the computer, according to which the user must press a certain combination of buttons on the hardware wallet to confirm a malicious transaction. The message may look like this: “Ledger Nano X wallet is not responding. Please press both buttons to reboot the device. "
In order to protect themselves from malicious attacks, Kraken Security Labs experts recommend buying Ledger wallets only from authorized distributors, always confirm transactions on the Ledger Nano X wallet itself and exercise caution when turning off the device’s display. On April 9, Kraken Security Labs notified the Ledger team of potential attacks, after which the wallet manufacturer updated their firmware, warning of the occurrence of such problems.
Recall that at the end of last year, Kraken Security Labs employees discovered a vulnerability in the KeepKey hardware cryptocurrency wallet, and in February they found out that Trezor hardware wallets can be cracked within 15 minutes with special equipment.