HomeBlockchainSecurityTangem Wallet Vulnerability Can't Be Patched on Any Card in Circulation

Tangem Wallet Vulnerability Can’t Be Patched on Any Card in Circulation

A security research unit affiliated with Ledger has disclosed a serious Tangem wallet vulnerability that, while difficult to exploit in practice, cannot be fixed on any card already in circulation. The finding raises uncomfortable questions about what EAL6+ certification actually guarantees — and about who gets to define what counts as a “real” risk.

Key takeaways

  • Ledger Donjon discovered a laser fault injection attack that can reset a Tangem card’s password by bypassing a firmware recovery-state check.
  • The exploit requires physical possession of the card, specialized laser equipment, and a laboratory setup costing approximately $250,000.
  • All Tangem cards currently in circulation are affected, and no patch is possible because the cards lack a firmware update mechanism.
  • Once the password is reset, an attacker gains full wallet control and can sign transactions to move funds.
  • Tangem called the practical risk to everyday users “virtually non-existent” and flagged Ledger Donjon’s affiliation with competitor Ledger.

Discovery of the Tangem Card Vulnerability by Ledger Donjon

Ledger Donjon — the security research arm of hardware wallet maker Ledger — published a technical disclosure revealing a laser fault injection attack capable of compromising Tangem smart card wallets. The vulnerability was first reported to Tangem in February, making this a coordinated disclosure rather than a surprise drop.

The technique is precise and invasive. Researchers physically exposed the secure element chip on a Tangem card, connected it to custom hardware, and fired a nanosecond laser pulse at a specific area of the chip. That pulse disrupted the firmware’s recovery-state check — the gate that normally verifies whether a card is authorized to accept a PIN change — allowing the SetPin instruction to accept an entirely new password without requiring the original password or a backup card.

What the attack actually involves

The process is not quick, but it is repeatable. After demonstrating the initial exploit, researchers successfully reproduced it on a second and third card. Each attempt required about two hours of preparation and exploitation time. The laboratory setup Ledger Donjon described in its blog post cost roughly $250,000 — a figure that sets a high floor for who could plausibly attempt this in the real world.

Beyond the laser equipment itself, executing the attack demands side-channel analysis tools and deep hardware security expertise. This is not something a casual thief could pull off.

Impact and Scope of the Vulnerability

Every Tangem card currently circulating is affected by this flaw, and there is no way to patch them. Unlike software wallets or traditional hardware wallets from other manufacturers, Tangem cards have no firmware update mechanism — meaning the underlying logic flaw is permanent on existing hardware.

What happens after a successful attack

Once an attacker resets the card’s password, they gain complete control of the associated wallet. From that point, the card can be used to sign transactions freely, and any funds tied to that wallet can be moved without restriction. The attack path is straightforward once physical access is achieved: bypass the check, reset the PIN, drain the wallet.

It is worth noting one practical constraint: the attack is physically invasive and irreversible. The card cannot be reassembled and returned to its owner looking undamaged. That means the scenario where this matters most is a lost or stolen card — not a covert interception.

Why This Matters Beyond One Wallet Brand

The deeper implication here goes beyond Tangem. Ledger Donjon’s researchers were explicit: EAL6+ certification alone does not prevent fault injection attacks if the firmware contains exploitable logic flaws. EAL6+ is one of the highest security evaluation levels in hardware, and many consumers and institutions treat it as a near-guarantee of robustness. This disclosure challenges that assumption directly.

The researchers recommended that secure element firmware use multiple independent checks for sensitive operations, strengthen state validation methods, and ensure password changes remain protected even when recovery features are disabled. The point is not that EAL6+ is worthless — it is that certification evaluates what was tested, not every possible attack surface. A logic flaw in firmware can survive the certification process entirely undetected.

This also has implications for how the broader hardware wallet industry approaches long-lived embedded security. If a card cannot receive firmware updates, any vulnerability discovered post-manufacture becomes a permanent feature of every unit ever shipped. That design decision — trading convenience for simplicity — has a hidden cost that only becomes visible when a flaw surfaces.

Tangem’s Response and the Conflict of Interest Question

Tangem’s pushback was swift and pointed in two directions at once. On the substance, the company argued that the combination of physical access, six-figure laboratory equipment, and specialized expertise makes the practical risk to everyday users “virtually non-existent.” That is a defensible position given the attack’s requirements — someone targeting a random Tangem card with a $250,000 laser rig is not a realistic threat model for most people.

The competitor affiliation angle

Tangem also raised a pointed structural objection. “While Ledger Donjon presents itself as an independent research unit, it operates within Ledger, one of our largest competitors,” the company wrote on X. “Their findings should be read with that in mind.”

The observation is factually accurate — Ledger Donjon is part of Ledger, a direct commercial rival. But calling out the affiliation does not invalidate the technical findings, and the vulnerability was disclosed to Tangem months before it became public. Tangem itself acknowledged, in its response, that “given enough time, funding and access, the firmware on any secure element can eventually be reverse-engineered and exploited” — a concession that confirms the category of attack is real, even if the practical bar is high.

It is also worth noting that Ledger Donjon’s researchers had previously uncovered additional security issues in Tangem’s ecosystem, including a genuine check bypass on the Tangem Android application and a brute-force attack on the card’s authentication protocol. The laser fault injection finding is part of a broader research track, not a one-off.

What Existing Tangem Users Should Consider

For users who keep their Tangem card physically secure, the risk described here is effectively theoretical at current attacker capability levels. The attack cannot be performed remotely, cannot be done covertly, and leaves the card in a state that reveals tampering.

The more uncomfortable reality is that no mitigation exists at the firmware level for cards already in the field. Physical security — not losing or having the card stolen — is the only practical defense available to existing holders right now.

Whether future Tangem hardware will incorporate a firmware update mechanism or additional independent recovery-state checks is an open question the current disclosure puts squarely on the table.

FAQ

What is the nature of the vulnerability discovered in Tangem hardware wallet cards?

A laser fault injection attack can reset the card password by bypassing a recovery-state check in the firmware, allowing unauthorized password changes without the original PIN or a backup card.

What are the requirements for an attacker to exploit this vulnerability?

The attack requires physical possession of the card, expensive specialized laser fault-injection laboratory equipment costing approximately $250,000, side-channel analysis tools, and advanced hardware security expertise.

Can the vulnerability be patched on currently circulating Tangem cards?

No. The vulnerability cannot be patched because Tangem cards lack a firmware update mechanism, meaning all cards currently in circulation remain affected indefinitely.

What is Tangem’s stance on the practical risk of this vulnerability to everyday users?

Tangem states the risk to everyday users is “virtually non-existent” due to the attack’s complexity, equipment cost, and requirement for physical access. The company also flagged that Ledger Donjon operates within competitor Ledger, suggesting the findings should be read in that context.

Article produced with the assistance of artificial intelligence and reviewed by the editorial team.

Satoshi Voice
Satoshi Voice is an advanced artificial intelligence created to explore, analyze, and report on the world of cryptocurrency and blockchain. With a curious personality and in-depth knowledge of the industry, Satoshi Voice combines accuracy and accessibility to offer detailed analysis, engaging interviews, and timely reporting. Featuring sophisticated language and an unbiased approach, Satoshi Voice serves as a trusted source for those seeking to understand crypto market dynamics, emerging technologies, and the cultural and financial implications of Web3. This article was produced with the support of artificial intelligence and reviewed by our team of journalists to ensure accuracy and quality. Guided by the mission of making cryptocurrency information accessible to all, Satoshi Voice stands out for its ability to turn complex concepts into clear content, with an engaging and futuristic style that reflects the innovative nature of the industry.
RELATED ARTICLES

Stay updated on all the news about cryptocurrencies and the entire world of blockchain.

Featured video

LATEST