
Stephen

The Ledger response to the hack is the concern


While I am not personally affected by the Ledger hack, the response of the Ledger company itself is a massive red flag for me.

The hack has been known about for a long time. The /r/ledgerwallet subreddit has been discussing it and trying to deal with it since June, when the first reports of phishing spam started showing up. The fact that these spam campaigns were arriving over both email and SMS demonstrates that the hack was more than just a mailing list breach.

While the community has been dealing with these problems, Ledger themselves have been trying to downplay the issue. Initially they claimed only 9000 customers were affected. Then they said only some of the mailing list subscribers' details got out. Now we know they were wrong in both cases. The personal details of nearly 300,000 customers, including full names, postal addresses, phone numbers and email addresses, were stolen in the hack. To compound matters, over 1,000,000 email addresses from the mailing list were also hoovered up by the hacker(s).

Now, as someone who has worked in the ICT industry for most of my working life, a significant part of that as a security engineer, the first rule of any internet-connected service is to assume it WILL be breached. Your job is to mitigate the possible ingress vectors and make a breach as difficult as possible. Strong data practices are necessary. Such a stance is even more important when you are a company selling security devices, dealing with extremely sensitive information, and there is a chance your customers will be relying on your product to secure extremely valuable or important data.

In this case, you're a security company selling cryptographic devices that store the cipher keys protecting a person's cryptocurrency assets, that can be used as a second-factor authentication device, and that can generate deterministic passwords and other credentials derived from the cipher keys the device is supposedly protecting.

You could argue that no device ever sold by Ledger is in any way compromised by this hack. That is absolutely true. But the $5 wrench attack became a whole lot more of a concern for anyone who bought from Ledger. In fact, we're seeing exactly those kinds of threats, and worse, being made to people whose details were in the hacked database.


• Posted by u/jurban84 23 hours ago

I just got a death threat

I was in one of the 270k people. I am Polish.

Normally, I would ignore it, but the email was written in perfect Polish, which Google Translate always struggles with, the sender name is also correct Polish (unusual for phishing), it was sent from a Polish domain and a Polish IP, the Play mobile network to be exact.

He says I need to transfer 1000 PLN or he'll kill me.


So thank you Ledger. For the first time I fear for my life.


EDIT: So I went to the police. Apparently, I was already a second person who came in today with this. At my local precinct. In Poland.

How the hell is it that Ledger still continues to downplay this entire issue? Their response? To paraphrase their CEO, "Our devices are not compromised, so nothing to worry about." Sure... for Ledger itself. Ledger staff aren't at risk, because they didn't buy devices from the company through the same web portal that the rest of the world went through.


Received phone call threatening kidnapping and murder over my Ledger.

Earlier today I received a phone call from a fake number (it appeared as the phone number of my local police station).

A male, Anglo-accented caller asked if I was <my full name>, claimed to be a drug addict, gave me my full address, and said he knows I have a lot of bitcoins. When asked how, he said my information has been leaked on the dark web. I played dumb and he eventually said I purchased a Ledger hardware wallet and “only loaded c*nts” buy them.

He told me a sob story about how he is addicted to meth, is about to run out, and needs monero to buy more. He demanded 10 XMR and said if it’s not sent by midnight, he will show up at my house, kidnap me, and “stab to death” any relatives living at my address. I was able to record this phone call as I put him on speaker phone.

I have gone to the police and filed a police report. They are going to try and trace the caller and have sent a police car to wait outside, which I am very grateful for. All of my doors etc. are locked and I have the officer’s phone on speed dial.

I just want to warn everyone about the dangers of Ledger’s recklessness. If there is a class action lawsuit I will gladly join and submit this as evidence.

Just think about that for a moment. You've bought a device that is designed to make it impossible for someone online to steal your digital assets. You've bought it from a company in France, which is subject to EU privacy law, including the GDPR. You've bought it from a company that asserts it is a security company building a security device. You would expect such a company to employ extremely smart people who are aware of best security practices when it comes to OpSec online. You give that company your money, AND your trust.

Then it turns out that not only are they retaining ALL their customer data, they make no effort at all to obfuscate it, and they're storing it on what I can only describe as misconfigured or mismanaged servers, at the very least.

Now you're getting kidnapping and death threats.
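To make the "strong data practices" point above concrete, here is an added example (my own illustration, not Ledger's code or anything from their systems) of what an order database can look like when it is designed on the assumption that it will one day be dumped. Email and phone numbers are stored only as keyed HMAC "blind indexes", so support can still find an order by email but the raw values are never in the table, and postal addresses are purged a fixed number of days after delivery. The key, the 30-day window and the record layout are all assumptions constructed for the example; in a real deployment the key would live in an HSM or KMS, never beside the database.

```python
# Added example: data minimisation and pseudonymisation for an e-commerce order
# store. Not Ledger's code; key, retention window and schema are constructed here.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumption: in production this key is held in a KMS/HSM and only the HMAC
# operation is exposed to the application. Generated at random here so the
# example runs stand-alone.
LOOKUP_KEY = secrets.token_bytes(32)

# Constructed policy: a postal address is only needed until the parcel arrives,
# so drop it 30 days after delivery. A dump taken later exposes no addresses.
ADDRESS_RETENTION_DAYS = 30


def blind_index(value: str, key: bytes = LOOKUP_KEY) -> str:
    """Keyed HMAC-SHA256 of a normalised identifier.

    The table stores only this digest, so a leaked column cannot be reversed
    or joined against another breach without the key. Normalisation (trim,
    lower-case) keeps 'Alice@Example.com' and 'alice@example.com' matching.
    """
    norm = value.strip().lower()
    return hmac.new(key, norm.encode("utf-8"), hashlib.sha256).hexdigest()


@dataclass
class OrderRecord:
    order_id: str
    email_index: str             # HMAC of email, never the email itself
    phone_index: str             # HMAC of phone number
    postal_address: Optional[str]  # cleared by apply_retention()
    delivered_on: Optional[date] = None


def create_order(order_id: str, email: str, phone: str, postal_address: str) -> OrderRecord:
    """Build a record that holds the address in clear (shipping needs it) but
    only pseudonyms of the contact details."""
    return OrderRecord(order_id, blind_index(email), blind_index(phone), postal_address)


def mark_delivered(rec: OrderRecord, delivered_iso: str) -> None:
    """Record the delivery date (ISO 8601 string, e.g. '2020-12-01')."""
    rec.delivered_on = date.fromisoformat(delivered_iso)


def apply_retention(records: List[OrderRecord], today_iso: str) -> int:
    """Purge postal addresses whose retention window after delivery has passed.
    Returns the number of addresses removed so the job can be monitored."""
    today = date.fromisoformat(today_iso)
    window = timedelta(days=ADDRESS_RETENTION_DAYS)
    removed = 0
    for rec in records:
        if rec.postal_address is None or rec.delivered_on is None:
            continue
        if today - rec.delivered_on > window:
            rec.postal_address = None
            removed += 1
    return removed


def find_by_email(records: List[OrderRecord], email: str) -> List[OrderRecord]:
    """Support lookup: recompute the blind index and match on it."""
    idx = blind_index(email)
    return [rec for rec in records if rec.email_index == idx]


if __name__ == "__main__":
    # Constructed sample data, not real customer records.
    orders = [create_order("o-1", "Alice@Example.com", "+48 600 000 000", "1 Example St")]
    print(find_by_email(orders, "alice@example.com")[0].order_id)   # o-1
    mark_delivered(orders[0], "2020-12-01")
    print(apply_retention(orders, "2021-01-15"), orders[0].postal_address)  # 1 None
```

Two caveats worth stating. A blind index only protects the data as well as the key is protected: an attacker who obtains both the table and the key can confirm guesses for specific email addresses, so the key must not sit in the same place as the database. And purging the address does not help if the row was already exfiltrated; retention limits how much a future dump exposes, which is why it is paired with not storing the raw identifiers in the first place.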

Let's load on a heap of conjecture. How can we, as prospective or existing customers, now trust their devices? The code that runs on these devices is closed source. They make the desktop and mobile apps' source code available via GitHub, and provide a lot of example code for installing apps onto the devices, but they do not make the firmware of the devices open source. There is no way I can be certain that the code they compile into their firmware is secure. There is no way I can be absolutely sure that their source trees were not also compromised.

One need only look at what is happening in the fallout of the SolarWinds Orion hack to see just one example of why I do not support such a business model, not when it comes to software that is managing or responsible for core assets, whether that be your network infrastructure or your crypto keys.

In light of all this, I cannot, and do not, endorse Ledger wallets or products. I believe they have lost any trust I (and possibly the community) had in them. At this point, my recommendation would be to use a Trezor device as an alternative. Trezor make their firmware code available as open source, so you can build it and run it yourself. You can even build your own version of a Trezor wallet on a Raspberry Pi if you want. There are other brands of hardware wallets, but very few of them make their code open source.

If you are serious about cryptocurrencies, then you absolutely do need an offline hardware wallet or cold storage. Until now, Ledger Nano devices have been the best available because of their feature set. But I don't think the feature set can outweigh the security risks of their closed-source firmware any longer. It's just not worth the risk.