Hardware Bitcoin Wallets Hacked: The Importance Of Responsible Disclosure

Following yesterday’s article regarding vulnerabilities uncovered in hardware wallets, both Trezor and Ledger have called ‘foul play’ over irresponsible disclosure. The hardware hacking group wallet.fail, which exposed the security issues, at least partially denies this claim.


Responsible Disclosure

In the security world, hackers generally only go public with their findings after giving companies time to patch the vulnerabilities. Disclosing potential methods of attack before vendors have addressed them leaves users exposed to unnecessary risk.

Responsible vendors actually encourage hackers to attack their products, since identifying weaknesses improves overall security. Both Trezor and Ledger offer bug bounty programs, rewarding researchers who find vulnerabilities and report them directly.

Epic Fail

Wallet.fail’s presentation at the #35C3 security conference appears to have struck like a bolt from the blue, however. Trezor was clearly unaware of the vulnerabilities, as CTO Pavel Rusnak leaped straight onto Twitter to say so. He found out about the issues along with the rest of the audience, and explained that the issue would take some time to fix.

However, he later tweeted that he had had a constructive two-hour discussion with wallet.fail regarding the vulnerabilities. He certainly seemed a lot happier following the outcome of this meeting.

Practical Vulnerabilities of Bitcoin Hardware Wallets

Ledger was also quick to respond, pointing out in a blog post that wallet.fail had not followed standard security principles. However, Ledger also called into question the practicality of the vulnerabilities outlined in the presentation.

It specifically pointed out that the group did not extract the seed or PIN from any device. A not too subtle reference to its competitor, Trezor, perhaps.

In addition to the RF side-channel attack on the Ledger Blue’s PIN, wallet.fail detailed an attack that uses a hardware implant in the device together with compromised PC software to authorize rogue transactions on a Ledger Nano S. The blog post pointed out that both of these attacks require far more effort than simply installing a spy camera to discover a user’s PIN.

0xf00dbabe MCU bypass

A further vulnerability involved bypassing the MCU check to flash and execute unsigned firmware. Ledger claims that this is a feature, although a bug allowed installation of non-featured firmware. In any case, the MCU does not allow access to the PIN or seed.

Wallet.fail claims to have advised Ledger about this issue months ago, and indeed, Ledger says this has already been patched in the next firmware update.

Should wallet.fail have disclosed the bug to Ledger and Trezor beforehand? Share below!



The post Hardware Bitcoin Wallets Hacked: The Importance Of Responsible Disclosure appeared first on Bitcoinist.com.


