The LedgerHQ Twitter account just reported a security concern with their Ledger products that also affects all other hardware wallets at this time.

While the wallet itself isn't vulnerable, the receive address is generated with JavaScript running on the host machine. Malware running on your host machine can manipulate the displayed address, substituting an attacker's address instead.
Concerns about the attack
(Pulled from vulnerability doc)
- All the ledger wallet software is located in the AppData folder, meaning that even an unprivileged malware can modify them (no need to gain administrative rights).
- The ledger wallet doesn’t implement any integrity-check/anti-tampering to its source files, meaning they can be modified by anyone.
- All the malware needs to do is replace one line of code in the ledger software, this can be achieved with less than 10 lines of python code.
- New ledger users would typically send all their funds to the wallet once initialized. If the machine was pre-infected, this first transaction may be compromised causing the user to lose all of his funds.
- The attack changes the receive address during its generation, causing even the automatically generated QR to be updated to the attacker’s address. Meaning that both the string and QR representations of the address are compromised.
The only solution is to force the hardware device to confirm the address on the display screen to verify they match. On the Ledger this can be done with the Monitor Button.
On the Trezor, there is a button to show the address on the display screen.
More information about the vulnerability can be found here. This is not limited to Ledger or Trezor; any device that runs a client on the host machine can be at risk.
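The vulnerability doc notes that the wallet software performs no integrity check on its source files. As a host-side detection measure, the sketch below (an added example, not code from Ledger or from the vulnerability doc) baselines a directory with SHA-256 hashes and reports files that were modified, added or removed afterwards. The directory and file names are constructed for the demo, and because malware with the same privileges could also rewrite a locally stored baseline, this does not replace confirming the address on the device screen.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(app_dir: Path) -> dict:
    """Map each file's relative path to its SHA-256 digest."""
    return {
        p.relative_to(app_dir).as_posix(): hash_file(p)
        for p in sorted(app_dir.rglob("*"))
        if p.is_file()
    }


def verify(app_dir: Path, manifest: dict) -> dict:
    """Compare the directory against a trusted manifest."""
    current = build_manifest(app_dir)
    return {
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in current),
        "added": sorted(f for f in current if f not in manifest),
    }


def demo() -> dict:
    """Constructed sample: a stand-in app directory changed after baselining."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "wallet_app"          # hypothetical directory name
        (app / "js").mkdir(parents=True)
        (app / "js" / "receive.js").write_text("show(deriveAddress());\n")
        baseline = build_manifest(app)          # taken from a known-good install
        # Simulate the condition to detect: one line changed, one file added.
        (app / "js" / "receive.js").write_text("show(otherAddress());\n")
        (app / "js" / "extra.js").write_text("// unexpected file\n")
        return verify(app, baseline)


if __name__ == "__main__":
    print(demo())
```

Keep the baseline manifest somewhere the monitored user account cannot write to, and rebuild it only after a software update you initiated.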