Ledger blocks hardware exploit, young hacker proves the future is bright…
Saleem Rashid, a 15-year-old British ‘White Hat’ hacker, has given up a bounty due to him for finding a flaw in Ledger’s hardware crypto-wallets in order to go public about the weakness he discovered.
Yesterday, Ledger issued a blog post to explain the changes made to its firmware in order to mitigate the weaknesses found in its hardware by Rashid and two other researchers. It appears to have been somewhat cornered into this honesty by the young coder, however.
Rashid took issue with the firm’s CEO Eric Larchevêque, and gave up a reward due to him for handing over details of his hardware-based exploit in order to publish his own detailed explanation of what he found and his contretemps with the firm. Ledger, as a whole, appears to dispute Rashid’s assertion that the flaw he found was critical, essentially saying that the nature of Rashid’s attack on its hardware demanded physical access to a device prior to use, and required a set of circumstances so specific as to make it extremely hard to execute in the real world.
As part of the blog, Rashid explains:
“Before I get to the details of the vulnerability, I would like to make it clear that I have not been paid a bounty by Ledger because their responsible disclosure agreement would have prevented me from publishing this technical report.
“I chose to publish this report in lieu of receiving a bounty from Ledger, mainly because Eric Larchevêque, Ledger’s CEO, made some comments on Reddit which were fraught with technical inaccuracy. As a result of this I became concerned that this vulnerability would not be properly explained to customers.”
To be fair to Ledger, their take on the matter has been somewhat backed up by other researchers, who note that – while someone being able to recreate Rashid’s attack would have dire implications for the user of the device – it’s difficult to defend against someone who is willing to crack open a device and essentially reprogram it from the inside out.
The overriding advice, again, is that security responsibility is a two-way street, and users must also take responsibility for where they source, and how they use, their hardware.