Sergey Lappo, student of Peter the Great St. Petersburg Polytechnic University and Dell EMC Software Engineer.

How (not) to lose your life savings while paying for a coffee with your Ledger Hardware Wallet

Intro

I discovered this vulnerability as part of my work at Mycelium, in November 2018. With Leo Wandersleb’s help we were able to localize the problem and reported it to Ledger’s bug bounty program. It is now fixed, and enough time has passed since the rollout to disclose the details.

Brief description

If your wallet was compromised, it might have been able to trick your Ledger Hardware Wallet into sending funds from all your accounts to the attacker’s wallet while you were sending just a small amount from one of them - without anything on the hardware wallet hinting that something was wrong.

(For the purpose of this video only, we created a modified version of our wallet, which has never been and never will be published, or even signed for publication.)

A bit less brief description

At my job as a developer at Mycelium, during our efforts to provide SegWit for the users of our Android Wallet, we ran into issues around our mixed spending mode in combination with hardware wallets. Change outputs would go into a different account depending on which address you pay to. As can be seen in this issue, that was a real problem on Trezor, less of a problem on KeepKey, but no problem at all on Ledger Blue and Ledger Nano S. The Ledger would simply accept that the change was sent to the hardware wallet and thus did not ask the user to confirm it. We were a bit surprised and decided to check which derivation paths would be accepted without warning the user, assuming there was some protection to prevent what this pull request actually claims to fix. But things turned out to be much more interesting: the wallet did not care whether the change went to a change address at all! The Ledger wallets were hiding the second (supposedly change) output if I passed an empty array as the change path. (You can look at the code that changed; take a close look at the btchip_apdu_hash_input_finalize_full.c file.)

So, in fact, that’s all. Pretty simple. Pass one output and another. Pass an empty path, and all the funds you can see are yours, and the user himself would confirm that.
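
The check a signing device needs before it leaves an output off the confirmation screen, as an added example (this is not Ledger's firmware code or code from this post). All names are hypothetical, the BIP44-style five-element path layout is an assumption, and `toy_derive_script` is a constructed stand-in for real on-device BIP32 derivation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HARDENED   0x80000000u
#define SCRIPT_LEN 25 /* size of a P2PKH output script */

/* Stand-in for on-device derivation (assumption: NOT real BIP32).
 * It only makes the script depend on every path element (FNV-1a). */
static void toy_derive_script(const uint32_t *path, size_t depth, uint8_t out[SCRIPT_LEN]) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < depth; i++)
        for (int b = 0; b < 4; b++) { h ^= (path[i] >> (8 * b)) & 0xffu; h *= 16777619u; }
    for (size_t i = 0; i < SCRIPT_LEN; i++) { h ^= (uint32_t)i; h *= 16777619u; out[i] = (uint8_t)(h >> 24); }
}

/* Returns 1 only when the output may be treated as the wallet's own change
 * and left off the confirmation screen; 0 means "show it to the user". */
int output_is_own_change(const uint32_t *path, size_t depth,
                         const uint8_t *script, size_t script_len) {
    uint8_t expected[SCRIPT_LEN];
    if (path == NULL || depth != 5) return 0;           /* empty path: never hide */
    for (size_t i = 0; i < 3; i++)
        if (!(path[i] & HARDENED)) return 0;            /* purpose'/coin'/account' */
    if (path[3] != 1 || (path[4] & HARDENED)) return 0; /* internal (change) chain only */
    if (script == NULL || script_len != SCRIPT_LEN) return 0;
    toy_derive_script(path, depth, expected);
    return memcmp(expected, script, SCRIPT_LEN) == 0;   /* must pay the derived key */
}

/* Constructed cases: the four verdicts packed into bits 0..3. */
int run_cases(void) {
    const uint32_t change[5]  = {49u | HARDENED, HARDENED, HARDENED, 1, 7};
    const uint32_t receive[5] = {49u | HARDENED, HARDENED, HARDENED, 0, 7};
    uint8_t own[SCRIPT_LEN], foreign[SCRIPT_LEN];
    toy_derive_script(change, 5, own);
    memset(foreign, 0xAA, sizeof foreign);              /* script of some other party */
    return output_is_own_change(change, 5, own, SCRIPT_LEN)             /* genuine change */
         | (output_is_own_change(NULL, 0, foreign, SCRIPT_LEN) << 1)    /* empty path */
         | (output_is_own_change(change, 5, foreign, SCRIPT_LEN) << 2)  /* wrong script */
         | (output_is_own_change(receive, 5, own, SCRIPT_LEN) << 3);    /* not change chain */
}

int main(void) {
    printf("verdict bits: %d (1 = only the genuine change output is hidden)\n", run_cases());
    return run_cases() == 1 ? 0 : 1;
}
```

Any output that fails this check is displayed with its address and amount, so an empty change path makes the device show the second output rather than hide it.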

Hey, stop. I’m a Ledger user and have 1 billion dollars on there! Should I be worried?

In fact, you shouldn’t if you updated your wallet to the latest firmware recently. The fix was released in December (it’s possible to update only the BTC app instead of upgrading the whole firmware), and updated firmware with the new BTC app was released in January.

Update:
If you don’t want to upgrade the firmware and your BTC app version is below 1.3.3, please follow Ledger’s update app guide to update it to the latest version.