Hardware cryptocurrency wallet manufacturer Ledger has discovered a vulnerability that affects all of its devices and can lead to users losing their funds, according to a report released on Saturday, Feb. 3.
Hardware wallets are regarded as one of the safest means of storing bitcoin and other cryptocurrencies. These USB cold storage devices eliminate the attack vectors that come with being connected to the web. But to send funds or issue a receiving address, a hardware wallet has to be plugged into an internet-enabled device, and researchers have discovered a vulnerability that affects Ledger devices at this stage.
According to the report, a “man in the middle” attack can be performed when the user attempts to generate an address to receive bitcoins to their Ledger wallet. If the computer that is used in this process is infected by malware, the attacker can secretly replace the code responsible for generating the address, causing “all future deposits to be sent to the attacker.”
How to protect yourself
Fortunately for owners of its wallets, Ledger has also revealed how to avoid the “man in the middle” attack. According to the report, users should take advantage of an “undocumented” feature of the wallet that displays the receiving address on the wallet’s physical display.
By clicking the monitor button at the bottom left of the “Receive Bitcoins” menu and confirming the address on the hardware wallet’s display every time they generate a new one, users can ensure that the address has not been tampered with.
The report further indicates that this feature is not mandatory and is not enforced by Ledger’s own interface, placing the ultimate responsibility for the safety of the funds on users themselves.
Hardware wallets are regarded as one of the safest ways to store cryptocurrencies, as opposed to holding them on an online exchange or wallet.
However, with more than one million Ledger users affected by the newly discovered attack vector, it becomes clear that even having a hardware wallet does not “make you invincible,” in the company’s own words.