After British 15-year-old Saleem Rashid created code to ‘backdoor’ Ledger’s wallets in November 2017, the company released posts describing the events as “NOT critical” and said possible attacks “cannot extract the private keys or the seed.”
Rashid then refuted the claims on social media and in a post on his personal blog entitled “Breaking the Ledger Security Model” on March 20, stating he could still “autonomously extract the root private key once the user unlocks the device” and use it to manipulate the destination addresses of transactions.
The dispute puts pressure on both Ledger and its millions of users, who had until now broadly accepted the company’s claims that its wallets were 100% secure.
Hardware wallets are often recommended by the Bitcoin industry’s best-known names, including educator Andreas Antonopoulos, who like many others attempts to dissuade cryptocurrency investors from online storage of funds.
Ledger attempted to patch a total of three security vulnerabilities in its hardware this month, including that identified by Rashid. In a post March 20 describing the progress in security upgrades, Ledger told users they would be fully protected after updating their wallets:
“The update process verifies the integrity of your device and a successful 1.4.1 update is the guarantee that your device has not been the target of any of the patched attacks. There is no need to take any other action, your seed / private keys are safe.”