Ledger stated that every wallet on the market has the same flaw.
Despite those statements, Shift Crypto asserts that its wallets do not have this vulnerability.
Hardware wallets have stood out in the cryptocurrency market for their high levels of security. However, a recent discovery is casting doubt on the reputation of these storage devices, after revelations that several companies knew about a vulnerability in the design of their wallets that allowed the theft of bitcoins and did not fix it immediately.
The controversy began the day before yesterday, when the cybersecurity expert Monokh reported that it is possible to steal bitcoins from Ledger wallets. Almost a day later, it was confirmed that SatoshiLabs' Trezor wallets also have the same design flaw, which was known throughout the hardware wallet industry.
In addition to these two market heavyweights, Ledger's account added a third: Shapeshift's KeepKey wallet. That company has still neither confirmed nor denied the existence of this vulnerability in its hardware devices.
But why all this buzz? What is this vulnerability that has brought down, like a house of cards, the most recognized competitors among offline wallets? In a post on his personal blog, the researcher Monokh explained that these funds can be withdrawn by running a deceptive transaction with Bitcoin-based cryptocurrencies, that is, with forks such as Bitcoin Cash and Litecoin, and with Bitcoin testnet coins.
This happens because of the design of the wallets, which lets users manage keys and addresses for different cryptocurrencies. But instead of keeping the functions for each of these assets isolated from one another, the wallet shares the same Bitcoin path to derive the keys for all the forks of this cryptocurrency. As a result, while a user is using a Bitcoin Cash or Litecoin wallet, the public key and the signing functions of their Bitcoin wallet are exposed as well.
This vulnerability can be exploited by malicious third parties, such as applications made by hackers or untrustworthy exchanges. Those that offer services to synchronize the wallet with their systems can take advantage of the flaw to initiate supposed BCH or LTC transactions when in reality they are carrying out a bitcoin transaction on the main network.
Even more troubling is that the wallet does not distinguish a deceptive transaction from a normal one. The devices show the user the altcoin transactions as if they were genuine, even though the path of such a transaction actually points to Bitcoin. Because of this, users can sign malicious transactions without even knowing that they are being robbed.
Trezor and Ledger knew of the flaw and said nothing
The design flaw is worrying in itself, but the cryptocurrency community has risen up in a wave of criticism against Ledger, the first company to be exposed, because its board had known of this vulnerability since January of 2019. Monokh says that he informed the company about the flaw at that time, but that it showed no real interest in fixing it.
Because of this, the researcher decided to publish a report on his personal blog with the goal of pressuring Ledger to correct the vulnerability. Shortly afterwards, Ledger responded through an institutional press release in which it confirmed the existence of the flaw in its wallets and vowed to solve it.
Today the company released a new version of the firmware for its Ledger Nano S, X and Blue wallets, an update that introduces a patch to mitigate the effects of this vulnerability. It is not a restriction in the operating system, but a warning window that will appear on the device each time a transaction is made with a wrong path. In this way, it tries to keep users from accepting sham transactions without knowing it.
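The check that the shared derivation path leaves out, and the difference between a warning and strict isolation, shown as an added example (this is not Ledger, Trezor or BitBox02 code). It assumes BIP44-style paths and the registered SLIP-44 coin types, neither of which the article names; the function names, policy names and paths are constructed for illustration.

```python
# Added example: path-isolation check for a multi-coin hardware wallet.
# Coin-type numbers are the registered SLIP-44 values; everything else
# (names, policies, sample paths) is constructed for illustration.

HARDENED = 0x80000000

# SLIP-44 coin types for the coins named in the article.
COIN_TYPES = {"bitcoin": 0, "testnet": 1, "litecoin": 2, "bitcoin_cash": 145}


def parse_path(path):
    """Parse "m/44'/0'/0'/0/5" into a list of BIP32 child indexes."""
    parts = path.strip().split("/")
    if parts[0] != "m" or len(parts) < 2:
        raise ValueError("path must start with m/")
    indexes = []
    for part in parts[1:]:
        hardened = part.endswith(("'", "h"))
        digits = part[:-1] if hardened else part
        if not digits.isdigit() or int(digits) >= HARDENED:
            raise ValueError("bad path component: %r" % part)
        indexes.append(int(digits) + (HARDENED if hardened else 0))
    return indexes


def check_request(app_coin, path, policy="reject"):
    """Decide whether the app for `app_coin` may sign with the key at `path`.

    Returns "allow", "warn" or "reject". policy="warn" models an on-device
    warning the user can dismiss; policy="reject" models strict isolation.
    """
    try:
        indexes = parse_path(path)
    except ValueError:
        return "reject"
    # Assumed layout: purpose'/coin_type'/account'/..., first three hardened.
    if len(indexes) < 3 or any(i < HARDENED for i in indexes[:3]):
        return "reject"
    coin_type = indexes[1] - HARDENED
    if coin_type == COIN_TYPES[app_coin]:
        return "allow"
    return "warn" if policy == "warn" else "reject"


if __name__ == "__main__":
    # A Litecoin app asked to sign on Bitcoin's path (constructed request).
    print(check_request("litecoin", "m/44'/0'/0'/0/0", policy="warn"))
    print(check_request("litecoin", "m/44'/0'/0'/0/0", policy="reject"))
```

With `policy="warn"` the mismatched request still reaches the user as a prompt they can accept, while `policy="reject"` never lets the Litecoin app touch a Bitcoin key.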
Some members of the community do not see Ledger's new model as a true solution to the problem. Source: ledger.com
Ledger's solution has not satisfied members of the cryptocurrency community, who consider it more of a half measure for a serious problem. For example, Héctor Cárdenas, founder of Breaking News, commented in a tweet that Ledger claimed to fix the vulnerability “showing an alert that you are stealing.”
Cárdenas's comment received replies from the Ledger team, who asserted that “All wallets have the same problem,” noting that it is an issue the industry has had since the first Bitcoin forks. The surprising answer put companies like SatoshiLabs and Shapeshift, which had remained silent on the issue, in the eye of the hurricane.
Ledger also published a series of tweets asserting that these two wallets had the same design in their devices and were also exposed to attacks of this type. It added that it had faced the dilemma of “choosing between security and usability” for its cryptocurrency wallets.
In the midst of these statements, SatoshiLabs, the company in charge of developing the Trezor wallets, has not issued an official statement assuming its responsibility in this whole controversy. It did, however, publish a press note announcing a last-minute update for its Trezor T and Trezor One models.
Among the changes made to these devices is a patch for path “isolation,” confirming that they also had the same vulnerability as Ledger, and that it would be addressed with a pop-up message each time a deceptive transaction is registered.
Shapeshift, on the other hand, has not issued any response to Ledger's tweets, nor has it released updates to its firmware. That silence makes it impossible to know the current situation of the KeepKey wallets.
While these companies are under the scrutiny of the community, firms like Shift Crypto have taken a step forward and asserted that not all of the hardware wallet industry has this same design. The company pointed out that its BitBox02 wallet has always kept each of its cryptocurrency applications isolated from the others, so no Bitcoin public key or signing function is exposed when making transactions with altcoins.
The outcome of this situation and its possible solution are not yet clear. While some companies remain silent and others correct errors on the fly, there is still uncertainty about whether a pop-up window will really be enough to safeguard the funds of Ledger and Trezor users against the sophisticated tools of deception that hackers have today.