
ITACS 5211: Introduction to Ethical Hacking

Wade Mackey

November 26, 2018 by Manogna Alahari

A 15-year-old security researcher, Saleem Rashid, has discovered a serious flaw in cryptocurrency hardware wallets made by Ledger, a company that designs products to protect the user's private keys from malicious software that might try to gather those credentials from the user's computer. Rashid says that an attacker with physical access to the device could update it with malicious code that waits for a potential buyer to use it, then routes the private key and drains the user's cryptocurrency account when the user goes to use it. The major problem with the Ledger device is that it contains a secure processor chip and a non-secure microcontroller chip, and attackers use the insecure microcontroller chip to run the malicious software.

– Authentication to the microcontroller should be strong enough that no insecure element can authenticate to the microcontroller.

– Ledger should include a tamper-protection seal that warns customers that the device has been physically opened or modified prior to its first use by the customer.

– One of the ways attackers gain physical access to the device is when the products frequently outrun the company's ability to produce them, which led the chief of the company to state that their products can be purchased from third-party sellers. I feel it's a good idea to purchase this kind of device directly from the source.

– In the Ledger device, the secure processor chip and the insecure microcontroller chip still pass information to each other, and the attacker can use the insecure microcontroller chip and generate the displayed receive address using the code running on the machine.

– The Ledger wallet doesn't implement any integrity check or anti-tampering for its source files, meaning they can be modified by anyone.

– New Ledger users would typically send all their funds to the wallet once it is initialized. If the machine was pre-infected, this first transaction may be compromised, causing the user to lose all of his funds.

Filed Under: Week 10: Web Application Hacking