British 15-year-old Saleem Rashid created code that enabled him to “backdoor” Ledger’s wallets.
The story started in November 2017, when Rashid discovered the flaws in the wallet. He disclosed the vulnerability to the company but was apparently not taken seriously.
For years, the top guys at France-based Ledger have touted their product as tamper-proof. The Ledger Nano S is a $100 hardware wallet for Bitcoin, Ethereum and altcoins that, according to Ledger, has sold by the millions. The company claims that resellers are not able to modify or tamper with this device without attracting end users’ attention. Why would they listen to a 15-year-old, right?
After four months, the company did release an update to address the issue that Rashid had privately disclosed to them. However, Ledger’s Chief Security Officer Charles Guillemet maintains that the issue was “NOT critical”. He also stresses that the “attack cannot extract the private keys or the seed.”
Rashid publicly criticized this update on social media and in a blog post entitled Breaking the Ledger Security Model. He maintains that he could still “autonomously extract the root private key once the user unlocks the device” and use it to instigate manipulation of destination addresses for transactions.
This recent discovery of the wallet’s vulnerability definitely puts a lot of pressure on the company and on its users, who actually put their faith in these devices.