{"id":5965,"date":"2018-11-26T17:56:32","date_gmt":"2018-11-26T22:56:32","guid":{"rendered":"http:\/\/community.mis.temple.edu\/mis5211sec001fall2018\/?p=5965"},"modified":"2018-11-26T17:56:32","modified_gmt":"2018-11-26T22:56:32","slug":"5965","status":"publish","type":"post","link":"https:\/\/community.mis.temple.edu\/mis5211sec001fall2018\/2018\/11\/26\/5965\/","title":{"rendered":""},"content":{"rendered":"<p>A 15-year-old security researcher, Saleem Rashid has discovered a serious flaw in cryptocurrency hardware wallets made by Ledger, a company which designs products to protect the user\u2019s private keys from malicious software that might try to gather those credentials from the user\u2019s computer. Rashid mentions that if the attacker has the physical access to the device, who could update the devices with malicious code that would wait for a potential buyer to use it, and then route the private key and drain the user\u2019s cryptocurrency account, when the user goes to use it. The major problem with ledger device is that it contains a secure processor chip and a non- secure microcontroller chip, where the attackers use the insecure microcontroller chip to run the malicious software.<\/p>\n<p>\u2013 The authentication to the microcontroller should be strong enough so that any insecure element cannot authenticate to microcontroller.<\/p>\n<p>\u2013 Ledger should include tamper protection seal which warns the customers that the device has been physically opened or modified prior to its first use by customer.<\/p>\n<p>\u2013 One of the chances where attackers gain the physical access to the device is when the products frequently outrun the company\u2019s ability to produce them and this lead the chief of the company state that their products can be purchased from the third party sellers. I feel it\u2019s a good idea to purchase this kind of devices directly from the source.<\/p>\n<p>\u2013 In Ledger device the secure processor chip and in-secure microcontroller chip still passes the information with each other, while the attacker can use the in-secure microcontroller chip and generates the displayed receive address using the code running on the machine<\/p>\n<p>\u2013 The ledger wallet doesn\u2019t implement any integrity-check\/anti-tampering to its source files, meaning they can be modified by anyone.<\/p>\n<p>\u2013 New ledger users would typically send all their funds to the wallet once initialized. If the machine was pre-infected, this first transaction may be compromised causing the user to lose all of his funds.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A 15-year-old security researcher, Saleem Rashid has discovered a serious flaw in cryptocurrency hardware wallets made by Ledger, a company which designs products to protect the user\u2019s private keys from malicious software that might try to gather those credentials from the user\u2019s computer. Rashid mentions that if the attacker has the physical access to the [&hellip;]<\/p>\n","protected":false},"author":19033,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[716794],"tags":[],"class_list":{"0":"post-5965","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-week-10-monitoring-evaluating-it","7":"entry"},"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/community.mis.temple.edu\/mis5211sec001fall2018\/wp-json\/wp\/v2\/posts\/5965","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/community.mis.temple.edu\/mis5211sec001fall2018\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/community.mis.temple.edu\/mis5211sec001fall2018\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/community.mis.temple.edu\/mis5211sec001fall2018\/wp-json\/wp\/v2\/users\/19033"}],"replies":[{"embeddable":true,"href":"https:\/\/community.mis.temple.edu\/mis5211sec001fall2018\/wp-json\/wp\/v2\/comments?post=5965"}],"version-history":[{"count":1,"href":"https:\/\/community.mis.temple.edu\/mis5211sec001fall2018\/wp-json\/wp\/v2\/posts\/5965\/revisions"}],"predecessor-version":[{"id":5966,"href":"https:\/\/community.mis.temple.edu\/mis5211sec001fall2018\/wp-json\/wp\/v2\/posts\/5965\/revisions\/5966"}],"wp:attachment":[{"href":"https:\/\/community.mis.temple.edu\/mis5211sec001fall2018\/wp-json\/wp\/v2\/media?parent=5965"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/community.mis.temple.edu\/mis5211sec001fall2018\/wp-json\/wp\/v2\/categories?post=5965"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/community.mis.temple.edu\/mis5211sec001fall2018\/wp-json\/wp\/v2\/tags?post=5965"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}