Ledger: new vulnerability for the hardware wallet

Yesterday the Monokh team reported shocking news: they discovered a vulnerability in Ledger, one of the most famous hardware wallets and one considered among the most secure.

As the report explains, the problem is that transactions are not processed correctly: users are led to believe they are approving a transaction on another blockchain when a Bitcoin (BTC) transaction is being signed instead.

The problem occurs when using apps other than the official wallet apps. For example, if we confirm a Litecoin transaction, we will be signing a Bitcoin transaction instead.

In detail this is what happens:

  1. Open the Litecoin app;
  2. Retrieve mainnet bitcoin (segwit) addresses using getWalletPublicKey(’84’/0’/’).publicKey;
  3. Query UTXOs and construct a bitcoin transaction to spend outputs;
  4. Send createPaymentTransactionNew(…) to prompt device for signing this transaction;
  5. Receive Bitcoin Mainnet valid signed transaction.
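The steps above depend on the Litecoin app answering for a derivation path that belongs to Bitcoin. As an added example (not code from the article, Monokh or Ledger), this host-side JavaScript check compares the SLIP-44 coin type in a BIP32 path with the app that is open; the function names and the sample paths in the test are assumptions constructed for illustration.

```javascript
// Added example: flag a derivation path whose coin type does not match the open app.
const HARDENED = 0x80000000;
// Registered SLIP-44 coin types for the apps named in the article.
const SLIP44 = { bitcoin: 0, testnet: 1, litecoin: 2 };

// Parse "84'/0'/0'/0/0" (optionally prefixed with "m/") into 32-bit indexes,
// with the hardened bit set on components marked ' or h.
function parsePath(path) {
  return path.replace(/^m\//, "").split("/").map((part) => {
    const m = /^(\d+)(['hH]?)$/.exec(part);
    if (!m) throw new Error(`bad path component: ${JSON.stringify(part)}`);
    const n = Number(m[1]);
    if (n >= HARDENED) throw new Error(`index out of range: ${part}`);
    return m[2] ? (n + HARDENED) >>> 0 : n;
  });
}

// Return { ok, reason }: ok is true only when the path's coin type
// (second component, hardened) is the one registered for appCoin.
function checkPathForApp(path, appCoin) {
  const expected = SLIP44[appCoin];
  if (expected === undefined) return { ok: false, reason: `unknown app ${appCoin}` };
  let idx;
  try {
    idx = parsePath(path);
  } catch (e) {
    return { ok: false, reason: e.message };
  }
  if (idx.length < 2) return { ok: false, reason: "path too short to carry a coin type" };
  const [purpose, coin] = idx;
  if (purpose < HARDENED || coin < HARDENED) {
    return { ok: false, reason: "purpose and coin type must be hardened" };
  }
  const coinType = coin - HARDENED;
  if (coinType !== expected) {
    return {
      ok: false,
      reason: `coin type ${coinType}' does not belong to the ${appCoin} app (expected ${expected}')`,
    };
  }
  return { ok: true, reason: "coin type matches app" };
}
```

A wallet front end could run such a check before forwarding a path to the device, but a host-side check does not replace the device itself refusing paths outside its own coin.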

Ledger, an already known vulnerability

Although this problem was reported to Ledger over a year ago, precisely on January 18th, 2019, nothing has been done about it. It has therefore been published, and Ledger will now have to intervene to solve the problem.

These are the versions affected by the problem, so please check whether your Ledger is affected:

  • Firmware: All versions. Currently 1.6.0;
  • App Versions: All versions. Currently 1.4.3;
  • Apps: Any apps deriving from the Bitcoin app as per btchip_context.h;
  • Apps Tested: Bitcoin Testnet, Litecoin.

The most disconcerting thing about Ledger is the number of errors that are emerging.

Examples include the recent vulnerability discovered on Ledger Nano X and the data breach confirmed a couple of days ago, in which more than 1 million email addresses were stolen from over 9,500 customers.

Let’s not forget that criminals now have this data and they could exploit it to their advantage and target everyone who has the device containing this vulnerability.


Alfredo de Candia