Security post! Cold wallet gets a cold shower and no, celebrities aren't giving you money

We've been talking about wallets before and defined cold wallets as the most secure wallets. Well, it still is the case, don't be alarmed, but recently a tech-savvy teenager from UK managed to hack into Ledger Nano S, a hardware wallet that was proclaimed unhackable by the creators.

_ledger.fr

First, let's take a step back and see what makes Ledger unhackable.

Attestation

What! you scream. This is not a word, you made that up! No, I didn't and the explanation is actually quite simple. Attestation, according to Ledger peeps, is just a cryptographic challenge, sent from the Chrome Wallet app to the device each time the device is connected. The challenge is solved and signed by the Ledger, using an embedded private key. The Chrome wallet can then verify the legitimacy of the signature by using the public key. If the firmware would have been hacked, the verify process would fail.

What about trying to hack the private key from the device? Ledger people explain:

the chip is designed to be a stronghold with extreme measures against physical attacks. The private key extraction attack can be theoretically executed, but at great expense and time, and only an organization such as the NSA could do it.

Ok, so here we arrive at this Tuesday, when 15-year old Saleem Rashid, created a proof-of-concept code, that makes the device to generate pre-determined addresses and recovery passwords and spit them out to the attacker. Using another Ledger wallet, one could recover the private keys and steal the cookies the money from the Ledger. And what more? The code used to take down the device is barely 300-bytes long.

According to arstechnica.com, the device could be compromised in multiple ways - destination changes, amounts being switched and ways we cannot even think of at the moment.

_{Rashid demonstrating the hack via saleemrashid.com}

Luckily, Rashid is a top bloke and according to himself, a Bitcoin enthusiast and a security researcher. He made an effort to document his finding and present them to Ledger officials already in November, which Ledger fixed with a recent update a few weeks ago.

So if you rock a Nano S, make sure you update your devices firmware.

A professor at Johns Hopkins University focused in encryption security, Matt Green was skeptical whether the fix will protect new and upcoming Ledgers permanently:

They need to check the firmware running on a processor. But their secure chip can't actually see the code running on that processor. So they have to ask the processor to supply its own code! Which is a catch-22, since that processor might not be running honest code, and so you can't trust what it gives you. It's like asking someone who may be a criminal to provide you with their full criminal record—on the honor system."

Sources:

arstechnica.com
ledger.fr
saleemrashid.com

---

---

Bored about wallets and hacks? Well i have one more wanring to you. I think i have mentioned it before, but celebrities aren't giving away cryptos!

If you follow some cryptocurrency celebrities or tweeters on Twitter, you might have noticed that many of their tweets have a another tweet in their replies, where a user with a similar name announces some kind of giveaway. Usually the perps username has a few letters changed, like replacing i-s with l-s or something similar. They often claim that for sending a minuscule amount of ETH to a specific wallet, the celebrity is doing a giveaway and sending more back.

Often these scammers work in groups, where their associates confirm that they have received their easy money. The amounts to be sent are small and people who are desperate for money or do not pay attention, might fall for the tricks. Do not think so? There are reportsthat some scammers have even managed to steal as much as £50000 per day!

The scale of the scam has getting bigger and bigger and after all, in this business, volumes matter. Most of us might be cautious about these types of scams, but some people fall those. Vitalik Buterin, the creater of Ethereum, acknowledges the problem as grave and serious, and as a countermeasure, changed his name on Twitter to Vitalik "Not giving away ETH" Buterin :)

_{VitalikButerin}

Stay safe out there. Be patient, be calm and pay attention to what you are doing. If something is too good to be true, it probably is.

Read more about it here on bitcoin.com

---

---

---

Sell your vote to minnowbooster and earn SBD

---

Check out Chainbb, an alternative frontend for STEEM network. If you like forum style, that's the platform for you.

---

_{Title image from pixabay}

Are you looking for Minnowbooster, Buildteam or Steemvoter support? Or are you looking to grow on Steemit or just chat? Check out Minnowbooster Discord Chat via the link below.




BuildTeam