Ledger vulnerability

Discussion of all things crypto and blockchain.
silverbender
Gold Supporter
Posts: 1002
Joined: Mon Mar 23, 2015
Location: Ohio

Ledger vulnerability

Postby silverbender » Sat Feb 03, 2018

Just wanted to get this up, I don't own a ledger.

https://www.docdroid.net/Jug5LX3/ledger-receive-address-attack.pdf

rahbii
Posts: 2130
Joined: Fri Oct 08, 2010
Location: Mega-City One

Re: Ledger vulnerability

Postby rahbii » Sat Feb 03, 2018

French company fwiw
"The early bird gets the worm. But it's the 2nd mouse who gets the cheese"

cmiller17363
Gold Supporter
Posts: 974
Joined: Thu Jul 13, 2017

Re: Ledger vulnerability

Postby cmiller17363 » Sat Feb 03, 2018

I always send a very small amount to verify just in case. Sounds like it would work to mitigate the risks against this as well.

satosan
Platinum Supporter
Posts: 1233
Joined: Sun Mar 28, 2010
Location: Keepin an eye on you from my lair in the US

Re: Ledger vulnerability

Postby satosan » Wed Feb 07, 2018

I got an email today saying they updated the ledger chrome browser to address the "man in the middle" attack. If you're a ledger user you will probably get this email as well.
http://www.satosanmetals.com "Limited Mintage Silver"
Accepting: Bitcoin(BTC), BitcoinCash(BCH), Ethereum(ETH), LiteCoin(LTC), DASH, Dogecoin(DOGE), VertCoin(VTC).

SilverDoge
Constitutional Supporter
Posts: 4941
Joined: Mon Apr 21, 2014
Location: Kansas

Re: Ledger vulnerability

Postby SilverDoge » Thu Feb 08, 2018

This is another reason I like the KeepKey too. The screen is large and sleek and makes it easier to verify that the address you want to send it to is the address that is actually displayed on the screen.

gramcracker
Turtle Supporter
Posts: 138
Joined: Wed Sep 07, 2016
Location: Southern WV

Re: Ledger vulnerability

Postby gramcracker » Sun Jan 27, 2019

How did I miss this thread?

Here is another concern with Ledger which may be worse. Recently, ledger stopped supporting the Chrome apps moving everything to Ledger Live. My OS was, by choice, windows 7. Windows live requires 8 or higher. Reluctantly I upgraded to 10 which I despise. I downloaded ledger live then tried to upgrade my nano which also requires firmware upgrade. Ledger has been showing "system status" down since Friday so not possible. It is now Sunday. Others however have done this weeks, maybe months ago without issue.

It began to occur to me that ledger seems to be centralized and I am at their mercy. Researching I find it should be possible to use my 24 word seed in any wallet that also uses a 24 word seed using the BIP 39 protocol. I will wait a few more days to try this if I am not already too late. Having their system down so long is unacceptable to me. Anyone else having this problem?

Here are a few more disturbing things I have found:

From the CEO of Ledger: "We’ve started actively pursuing this objective and are currently undergoing a series of certification tests" (Not yet certified) "Cynics may also wonder what is preventing Ledger from issuing a rogue firmware update themselves. The answer is quite trivial: just think about what we have to gain versus what we have to lose… An internal sponsored attack would not only be very quickly spotted and obvious to trace, but profits would be much less than what Ledger’s future equity is worth on the market." (How comforting) source: https://medium.com/ledger-on-security-a ... 9982c144ab

Reddit discussion with Ledger CTO: https://www.reddit.com/r/ledgerwallet/c ... is_secure/

Currently my entire portfolio is in my nano which I have not been unable to access for weeks. It is not giving me a warm fuzzy feeling. Hopefully just a temporary glitch but I will be moving somewhere else. Maybe trezor since it has open source regarding its secure chip. I may be too old and stupid for this sh*t - probably just paranoid. Any thoughts are appreciated. Thanks, John
Don't believe everything you think.

Goldman
Gold Supporter
Posts: 51
Joined: Sun Feb 23, 2014
Location: WNC

Re: Ledger vulnerability

Postby Goldman » Thu Feb 14, 2019

I'm just getting into Cryptos and found this thread. Here I was thinking I was being smart by getting a Nano S. It did prompt me to upgrade firmware to 1.5xxx but, this sure makes me nervous.

cmiller17363
Gold Supporter
Posts: 974
Joined: Thu Jul 13, 2017

Re: Ledger vulnerability

Postby cmiller17363 » Thu Feb 14, 2019

Your crypto is orders of magnitude more safe on a nano S than on an exchange. As long as you follow the recommended practices for safely storing your 24-word back up and you always maintain physical control of the nano S at all times then the chances of theft are extremely remote.

Goldman
Gold Supporter
Posts: 51
Joined: Sun Feb 23, 2014
Location: WNC

Re: Ledger vulnerability

Postby Goldman » Thu Feb 14, 2019

Thanks cmiller. After I posted that, I went to Ledger's website and dug around and I feel better now. I have my 24-word backup stored in two different fire-proof boxes inside two separate safes and thirdly in a password app that uses secure 256-bit AES encryption.

cmiller17363
Gold Supporter
Posts: 974
Joined: Thu Jul 13, 2017

Re: Ledger vulnerability

Postby cmiller17363 » Thu Feb 14, 2019

Is there a way to delete it from the app/wipe it completely? If there is, I would do it. 2 paper copies of the full 24 word seed in separate locations protected from fire and water is (in my opinion and many others) the BEST way to store your seed. I am not a proponent of storing it on encrypted devices or anything electronic for that matter. No pictures of the seed, nothing. The only things that have ever seen my 24 word seed are my own two eyes. If you're dabbling and have very little money in the wallets that is one thing, but if you really want to be secure then old school (on paper) is the way to go. You will probably never have a problem with the encryption, but be aware that at this point in time, it could be argued that THAT is the weakest link in your security measures. I'm no expert, but I do listen to a ton of YouTube videos. Grain of salt required heh. ;) :lol:

Goldman
Gold Supporter
Posts: 51
Joined: Sun Feb 23, 2014
Location: WNC

Re: Ledger vulnerability

Postby Goldman » Thu Feb 14, 2019

Okay, maybe I should rethink that one. I'm using it for a lot of other passwords and info to all of my financial assets though. :shock:

I've been You-tubing too and as soon as I stay in a Holiday Inn Express, it'll be official! :lol:

SilverDoge
Constitutional Supporter
Posts: 4941
Joined: Mon Apr 21, 2014
Location: Kansas

Re: Ledger vulnerability

Postby SilverDoge » Thu Feb 14, 2019

cmiller17363 wrote: Is there a way to delete it from the app/wipe it completely? If there is, I would do it. 2 paper copies of the full 24 word seed in separate locations protected from fire and water is (in my opinion and many others) the BEST way to store your seed. I am not a proponent of storing it on encrypted devices or anything electronic for that matter. No pictures of the seed, nothing. The only things that have ever seen my 24 word seed are my own two eyes. If you're dabbling and have very little money in the wallets that is one thing, but if you really want to be secure then old school (on paper) is the way to go. You will probably never have a problem with the encryption, but be aware that at this point in time, it could be argued that THAT is the weakest link in your security measures. I'm no expert, but I do listen to a ton of YouTube videos. Grain of salt required heh. ;) :lol:


^^^ THIS