Hardware wallet security is no match for scammers’ ingenuity
It is often noted that hardware cryptocurrency wallets are one of the better options for keeping one’s private keys safe: they are not affected by malware, the private keys are usually stored and used in a protected area of a microcontroller (and cannot be transferred out of the device in a plaintext format), and they are convenient and easy to use.
But “safer” does not mean “completely safe,” just that successful attacks should be more difficult to execute.
Still, as one user of the popular Ledger wallet discovered, a simple scam can lead to a complete bypass of all security measures put in place by the manufacturer.
The scam
The user, who lost a sizeable amount of money and took to Reddit a few days ago to find how it could have happened, explained that he bought the Ledger Nano wallet from an eBay seller.
He posited that someone at the manufacturing company has access to his Ledger or the seed words (a passphrase consisting of 24 words that is generated once the device is initiated, and which allows users – or attackers, if they know it – to retrieve the bitcoins should the Ledger Wallet be stolen, lost, or damaged).
When another user said it was impossible, as “the device generates the seed words right inside of it when you initialize it,” the unfortunate soul revealed that “the Ledger came with a recovery sheet which had a 24 word recovery seed, to see the seed [he] had to scratch off the silver foil/paint that was covering it.”
The mystery was thus solved: the seller of the item initialized the device, printed the created recovery seed words and included them with the device to make it look like they were provided by the manufacturer. Once the user put his funds in the wallet, the scammer waited for a few days, then used the seed words to retrieve the stored currency.
In follow-up Reddit post Ledger’s CEO Eric Larchevêque explained that the incident is the result of a low tech scam and that the device has not been tampered with as there was no need. (Also, the Chrome app needed to use the Ledger checks the hardware device, and would recognize if the firmware has been tampered with.)
“[The scam] relies on the fact that new users wouldn’t find strange to have a predefined seed,” he noted. “It is quite difficult to mitigate this kind of scams. Even with the warning on our apps page users are not paying a lot of attention when using the devices.”
As a direct consequence of these scams, the company is now creating a task force with their General Counsel and a newly hired Trust & Safety Manager is contacting victims and helping them file a formal criminal complaint and promises to do everything they can to bring the scammers to justice.
They are also implementing extra safety protocols in their firmware to notify the apps in case a PIN has been changed or a seed has been restored. The apps will show warnings and reminders about the importance of the self-generation of the seeds. Finally, the company is adding more emphasis on seed safety management in their FAQs and tutorials.