Yesterday the Kraken security team brought to light a vulnerability that afflicts Ledger Nano products of the X series only.
Ledger itself publicly thanked the exchange and promptly intervened to fix the bug.
Thank you @krakenfx for the great report. Users' security is our top priority. Rest assured that #crypto on your #Ledger Nano X remain secure. Its security relies on the Secure Element – not the MCU chip. We patched this with the latest firmware update:https://t.co/z6skQbQE0J
— Ledger (@Ledger) July 8, 2020
The security of hardware wallets
Most people involved with the blockchain and crypto world often hear that they need to use secure wallets to store their assets, preferably a hardware wallet and the brand that is often recommended is Ledger.
A hardware wallet allows only the owner to sign transactions without the private keys being exposed to third parties, which means that no one can steal them.
The surprise came when the Kraken team discovered that some models of the Ledger Nano X had been altered before they even reached the end-user.
How does the vulnerability occur
Thanks to the debugging mode, it was possible to flash the original firmware of the product by inserting a malicious one, obviously aimed at stealing the crypto of the unsuspecting user.
The vulnerability was made possible because retailers would have modified the firmware of these products before selling them.
Thus we are talking about unofficial channels where usually the price of these devices is lower and the user, thinking to save money, rushes to buy the device.
This vulnerability was actually discovered several months ago by Kraken and Ledger was immediately informed to fix the leak and prevent access to private keys.
The advice, in any case, is to never buy used Ledger devices through unofficial channels in order to avoid this kind of problems. It is best to visit the official website of the product.