So, you just bought some crypto. Congrats! (Or: Congrats?) But now you need a place to store it. And the safest place you’ve been told to store it…may not really be all that safe. Hi. Welcome to the wonderful world of crypto!
You could leave your new crypto on the exchange where you purchased it, but those are worthwhile targets for hackers. You could move it to a software wallet, or maybe a third-party website or an app on your phone. But, again, those are online, so they’re susceptible to hacking. A paper wallet — literally a QR code printed on a piece of paper — is also an option, but they’re such a pain to set up.
A hardware wallet it is, then. These are easy-to-use standalone devices specifically designed to hold crypto. They let you access your funds without connecting to the internet. Super secure, right? Except: Maybe not.
On March 20, Saleem Rashid, a 15-year-old self-taught programmer, published a blog post detailing multiple ways a hacker could crack the Ledger Nano S, a popular crypto hardware wallet. Apparently, the device isn’t as “tamper-proof” as its makers claimed. In his post, Rashid explained how a hacker could use a vulnerability in the Ledger Nano S to steal any private keys stored on the device. They could do this by tampering with the device either before you bought it (a “supply chain attack”) or after you’d already loaded it up with your private information (an “evil maid attack”).
Ledger released a patch to address the hardware wallet vulnerability on March 6, and Eric Larchevêque, Ledger’s CEO, told TechCrunch the company hadn’t received any reports of hackers actually accessing the crypto of Nano S users.
So, why wasn’t that the end of it?
Because, apparently, Rashid wasn’t satisfied with the response from Ledger. Which is why he published his post two weeks after the release of the patch. He also threw shade directly at Larchevêque, writing:
“I chose to publish this report in lieu of receiving a bounty from Ledger, mainly because Eric Larchevêque, Ledger’s CEO, made some comments on Reddit which were fraught with technical inaccuracy. As a result of this I became concerned that this vulnerability would not be properly explained to customers.”
The same day he released his post, Rashid noted on Twitter that he told Ledger about the vulnerability four months ago and the company had exhibited “pretty poor communication” in the interim.
Ledger and Larchevêque appear far less fazed than Rashid by the whole situation. “All systems have vulnerabilities,” Larchevêque told TechCrunch. “That’s part of the life of any security system. It’s a game of cat and mouse.”
That may be true, but it’s also a good reason to think twice before slapping the “tamper-proof” label on any future devices.