A 15-year-old schoolboy from England Salim Rashid said that he managed to crack one of the the most popular USB-wallets for crypto-currency Ledger. Vulnerability, found by Rashid, allowed to forge electronic signatures stored on device.
Ledger use two work cards - one of the them is protected on hardware level, but not knows how to work with USB, buttons and interfaces. The other way around, it all can, but not protected. AND Here if to correct a program code of the second payment, then you can access private keys of users.
The whole process of hacking it documented in detail in a small video clip , and So I also put the program code on GitHub .
What the Ledger creators say
Rashid claims that he told the authors of the purse about the vulnerability four months ago, but they were not very compliant. Founders Ledger at the same time wrote that all 4 months kept in touch with the guy and did not worry about than. First , to crack the wallet you need to modify the firmware. Therefore, in first of all, those who bought Ledger from hands on eBay or another trading platform. Secondly , they have released a new firmware version 1.4.1, which fixes three exploits, one of which found Rashid.