
French Cybersecurity Agency Grants Security Certificate to Ledger Nano S Hardware Wallet

The Ledger Nano S from French crypto hardware wallet firm Ledger has received a First Level Security Certificate.

The Ledger Nano S from French crypto hardware wallet firm Ledger has received a First Level Security Certificate (CPSN) from France’s national cybersecurity agency, ANSSI. The development was shared with Cointelegraph on March 18.

The National Cybersecurity Agency of France (ANSSI) reports to the Secretariat-General for National Defence and Security (SGDSN) in order to assist the French Prime Minister in matters of defence and national security. According to their list of certified products, 122 out of 261 products that ANSSI has started evaluating since June 1, 2018, have been certified.

Products aspiring to receive a CPSN certificate undergo a series of evaluations by an ANSSI lab, with testing for multiple attack scenarios that challenge the product’s security. Evaluations span “firewall, identification, authentication and access, secure communications, and embedded software.”

Claiming a crypto hardware wallet industry first, Ledger underscores the importance of receiving an independent third-party certification to attest to the security of its offering, and says the CPSN for the Ledger Nano S is the beginning of an overall effort to certify all of its products.

The blog post outlines that Ledger also operates its own in-house security evaluation “Attack Lab,” dubbed Ledger Donjon, which tests products’ resilience against a variety of threat scenarios.

The company has also reportedly developed a custom operating system, BOLOS (Blockchain Open Ledger Operating System), to couple software and hardware strategies that enhance security.

According to the blog post, the CPSN certificate covers a gamut of core embedded security functions, including a true random number generator, which is created via hardware and then post-processed through BOLOS, in compliance with security guidelines established in France’s Security General Referential.

Other CPSN-certified security functions include a root of trust — which ensures that a given Nano S is authentically issued by Ledger — end-user verification measures, such as mandatory PIN numbers for accessing services, and post-issuance capability, which occurs over a secure channel.

As Cointelegraph reported last December, researchers have claimed they were able to hack the Ledger Nano S, as well as crypto hardware wallet Trezor One, and Ledger’s most expensive hardware wallet offering, the Ledger Blue. The day after the report, Ledger argued that the reported vulnerabilities in its hardware wallets were not critical.

This February, Ledger apologized for — and pledged to remedy — issues with a recent firmware update for the Nano S, which had inadvertently decreased the device’s storage capacity.


Trezor Responds to Ledger Report on Vulnerabilities in Its Hardware Wallets

EU hardware wallet manufacturer Trezor has responded to a report from its competitor Ledger that described vulnerabilities in Trezor’s devices.

Prague-based crypto wallet manufacturer Trezor has responded to a report about hardware vulnerabilities from its competitor Ledger on Tuesday, March 12.

Trezor claims that none of the weaknesses revealed by Ledger in a detailed report on March 10 are critical for hardware wallets. As per Trezor, none of them can be exploited remotely, as the attacks described require “physical access to the device, specialized equipment, time, and technical expertise.”

Trezor further cites the results of a recent security survey performed in partnership with major cryptocurrency exchange Binance. According to the survey, only around 6 percent of respondents believe that physical attack is the biggest threat to their crypto funds, while 66 percent claim they consider remote attacks a main problem.

Furthermore, Trezor noted that a “$5 wrench attack” — a targeted theft when the user is forced by intruders to disclose his password — cannot be prevented by a hardware barrier set by the manufacturer. Nonetheless, in the case of accidental thefts, the probability of cracking a Trezor wallet is relatively small, as the criminals will not be able to find the necessary equipment, the company states.

Of the five vulnerabilities in the Trezor One and Trezor T disclosed by Ledger, Trezor said that four of them are patched, non-exploitable or require a PIN. Trezor also noted that the manufacturing process for its devices is closely monitored.

Trezor’s response to the recent Ledger report on their wallet vulnerabilities. Source: blog.trezor.io

Ledger initially disclosed its findings during the #MITBitcoinExpo at the Massachusetts Institute of Technology this weekend. The company focused on attacks that require physical access to the device. In particular, Ledger described a way to extract a secret key via a side-channel attack, and the possibility of stealing confidential data from the device.


Ledger Discloses Five Reported Vulnerabilities in Two Models of Trezor Hardware Wallets

Ledger’s Attack Lab has found five vulnerabilities in hardware wallets of its direct competitor Trezor.

Major hardware wallet manufacturer Ledger has unveiled vulnerabilities in its direct competitor Trezor’s devices, according to a report published on Monday, March 11.

As of press time, Trezor was not immediately available to comment on Ledger’s findings.

The study states that the vulnerabilities were found by Attack Lab, the company’s department that hacks into both its own and competitors’ devices to improve security. Ledger claims that it repeatedly raised the weaknesses in the Trezor One and Trezor T wallets with Trezor, and decided to make them public after the responsible disclosure period ended.

The first issue is related to the genuineness of the devices. According to the Ledger team, the Trezor device can be imitated by backdooring the device with malware and then re-sealing it in its box by faking a tamper-proof sticker, which is reportedly easy to remove. Ledger states that this vulnerability can only be tackled by overhauling the design of the Trezor wallets and, in particular, by replacing one of the core components with a Secure Element chip.

Secondly, Ledger hackers reportedly guessed the value of the PIN on a Trezor wallet using a side-channel attack and reported it to Trezor in late November 2018. The company later solved the issue in its firmware update 1.8.0.

The third and fourth vulnerabilities, which Ledger also proposes to solve by replacing the core component with a Secure Element chip, consist of the possibility of stealing confidential data from the device. Ledger states that an attacker with physical access to a Trezor One or Trezor T can extract all the data from the flash memory and gain control over the assets stored on the device.

The last weakness discovered is also related to Trezor’s security model: according to Ledger, the crypto library of the Trezor One does not contain proper countermeasures against hardware attacks. The team claims that a hacker with physical access to the device can extract the secret key via a side-channel attack, although Trezor has claimed that its wallets are resistant to it.

In November 2018, Trezor itself warned that an unknown third party was distributing one-to-one copies of its flagship Trezor One device. The fake wallets seemed to originate from China, and the company thus urged owners to buy wallets only from Trezor’s website.

However, in the recent report, Ledger claims that users cannot be sure even when they purchase hardware from the official Trezor website. The attacker could possibly buy several devices, backdoor them, and then send them back to the manufacturer asking for reimbursement. In case the compromised device is sold again, the user’s crypto funds can be stolen, Ledger concludes.

In November 2018, the research team behind the so-dubbed Wallet.fail hacking project demonstrated how they hacked the Trezor One, Ledger Nano S and Ledger Blue at the 35C3 Refreshing Memories conference. Both Trezor and Ledger then acknowledged the vulnerabilities — with Trezor noting that a firmware update would address them — but Ledger also added that they were not critical for its wallets.


Texas: Proposed Bill Requires Identification of Buyers Paying in Digital Currencies

A bill regulating digital currencies has been filed in Texas that requires users to identify themselves before making payments.

A bill requiring users to identify themselves while using digital currencies has been filed on March 8, according to the official Texas legislature portal.

The bill’s text contains the definitions of digital currencies, digital wallets, distributed ledgers and verified identity digital currencies (VIDC). The latter is defined as “a digital currency that allows the true identities of the sender and the receiver to be known before a person has access to another person’s digital wallet.”

Per the proposed bill, before accepting a payment in digital currency, a person must verify the identity of the person sending the payment unless a VIDC is used. Moreover, the proposed regulation also specifies:

“This state may not use a digital currency that is not a verified identity digital currency.”

The bill further declares that the Texas Department of Banking, Credit Union Commission, Texas Department of Public Safety and State Securities Board will work together to support the application of VIDCs.

Such encouragement is defined as providing tools to distinguish VIDCs from other digital currencies, educating law enforcement and promoting the use of VIDCs. The bill also specifies how those guidelines should be implemented, noting that the aforementioned organizations should adopt rules to carry out these directives.

Recently, Russia’s Duma Committee on Financial Markets also announced that they are considering the adoption of a mandatory identification process for users of digital assets.

As Cointelegraph reported in February, the Texas State Securities Board issued a total of 16 orders against suspected cryptocurrency scam investments in 2018.

Also in February, Texas’ state securities regulator announced it had reached an agreement with four cryptocurrency companies it accused of selling unregistered securities.


Twitter CEO Jack Dorsey Snaps Up Trezor To Store Bitcoin (BTC)

Dorsey Looks To Secure Bitcoin (BTC) Stash

Twitter and Square CEO Jack Dorsey is back to shilling the cryptocurrency space yet again. Most recently, Dorsey took to his personal feed to reveal that he bought a hardware storage device from Trezor, a leading cryptocurrency wallet provider, through the Cash App, a Bitcoin-friendly project that he heads.

In a tweet, he revealed he spent 0.06639… BTC on the device, with reports claiming that this implies he bought a Trezor Model S (no, not a Tesla).

It is presumed he bought the device to store the Bitcoin that he has recently begun to accumulate, in seeming preparation for the next bout of mass adoption.

Interestingly, Dorsey hinted at the reasoning behind his choice of a Trezor instead of a Ledger device. In response to a point about the fact that the France-based Ledger’s software is proprietary and not fully open-source, the Twitter CEO replied with “This.” Funnily enough, the team at the wallet maker Dorsey did not endorse, whose CEO called for an extended crypto winter, issued a response.

They wrote that offering open-source software isn’t a silver bullet, but made it clear that they are appreciative of the signal boosting that Dorsey has done for Bitcoin in recent weeks.

An Ongoing Story

Dorsey’s most recent public tweet in regards to the cryptocurrency space, or Bitcoin more specifically, comes just weeks after he doubled down on his support for this space amid this brutal market winter. Here’s a bit of background.

In recent weeks, Dorsey has risen from a nobody in the Bitcoin community to part of its upper echelons. It started when he appeared on the “Joe Rogan Experience” to talk about a number of subjects, eventually leading to Bitcoin. Host Rogan, who has expressed interest in Bitcoin previously (he had Andreas Antonopoulos on a number of times), brought up Square’s crypto integration and Dorsey’s comments on how BTC is vying to be a ubiquitous currency. Explaining the rationale behind this statement, the Twitter CEO proudly stated:

“The Internet will have a single native currency, which will likely be Bitcoin. It is something that was born on the internet, that was developed on the internet, that was tested on the internet. It is of the internet.”

Following that podcast, he began to tout Bitcoin and facets of this nascent ecosystem on Twitter. He lauded the Lightning Network, before bashing altcoins, like Tron and Ethereum, and touting the merits of projects built using the aforementioned scaling solution. Dorsey even appeared on a number of Bitcoin-centric podcasts, revealing that he has accumulated $10,000 worth of BTC over the past week. He alluded to the fact that he does this every week, claiming that he has maxed out the Cash App’s BTC purchasing option.

Dorsey’s involvement with this industry is evidently an ongoing story. But where will the Silicon Valley entrepreneur show his face in the industry next? Many sure do hope it will be Square’s acceptance of the Lightning Network.

Title Image Courtesy of Descryptive.com Via Unsplash

The post Twitter CEO Jack Dorsey Snaps Up Trezor To Store Bitcoin (BTC) appeared first on Ethereum World News.


SWIFT, HSBC, Deutsche Bank to Conduct Blockchain-Based E-Voting PoC

Global financial messaging network SWIFT is carrying out a DLT-based shareholder e-voting proof-of-concept in the first half of this year.

Global financial messaging network, the Society for Worldwide Interbank Financial Telecommunication (SWIFT), is carrying out a blockchain-based shareholder e-voting proof-of-concept (PoC) with major financial institutions. SWIFT announced the news in a press release published on March 6.

Per the press release, the PoC will be jointly conducted in the Asia Pacific region with Deutsche Bank, DBS, HSBC, Standard Chartered Bank, securities software provider SLI and the Singapore Exchange (SGX). The test is meant to establish whether distributed ledger technology (DLT) can simplify the management of shareholder meetings.

More precisely, the test, which is set to run during the first half of 2019, is meant to accomplish four main goals, the press release explains. First of all, it is designed to test the deployment of a voting solution in collaboration with the issuers and a Central Securities Depository (CSD) while storing and managing data on a permissioned private blockchain.

Secondly, the PoC also seeks to demonstrate the viability of hybrid solutions “combining messaging and DLT to foster interoperability and avoid market fragmentation.”

The initiative will also test SWIFT’s capacity to host third-party applications in its DLT environment and reuse its security and interface stack.

Lastly, the PoC looks to confirm the use of a particular financial electronic data interchange standard — ISO 20022 — in the process.

While DBS and SGX will be both participants and issuers in the initiative, HSBC, Deutsche Bank, and the Standard Chartered Bank will be only participants. According to the release, the whole project will be facilitated by SWIFT’s DLT sandbox testing environment.

Additionally, the existing SWIFT network and infrastructure will be used to access, test and validate the applicability of the technology.

The press release quotes a SWIFT executive as saying:

“The emergence of blockchain technology is a new opportunity to look at improving these [current] processes. It is also an opportunity for SWIFT to offer flexibility in the adoption of this new technology through the re-use of ISO 20022 based solutions together with a high level of security and resilience that our industry requires.”

As Cointelegraph reported at the end of January, SWIFT has revealed that it plans to launch a PoC of a gateway — dubbed GPI Link — that will allow enterprise blockchain software firm R3 to link to GPI (Global Payments Innovation) payments from its platform.

Also at the end of January, reports surfaced that Iran was planning to unveil a state-backed cryptocurrency meant to skirt United States sanctions and the SWIFT system at the Electronic Banking and Payment Systems conference in Tehran that week, though the currency was not officially announced.


Ledger Devs Post Warning About Monero Client After User Reportedly Loses 1,680 XMR to Bug

The Ledger developers team posted a warning on Monero’s subreddit advising users not to use the Nano S Monero app.

The Ledger developers team posted a warning on Monero’s (XMR) subreddit on March 4 advising users not to use the Nano S Monero app.

Apparently, a bug associated with the app had been discovered when, earlier today, user MoneroDontCheeseMe posted on Reddit a claim that he or she believes to “have just lost ~1680 Monero [around $80,000] due to a bug.” In the account, the user stated that after transferring about 0.000001 XMR from the Ledger to a view-only wallet, the user sent another 10, 200 and then 141.9 XMR.

According to the report, before sending the last transaction, MoneroDontCheeseMe had about 1,690 XMR in the wallet and 141.95 XMR in an unlocked balance, which is why he or she decided to send 141.9 XMR. Still, after the transaction, the user’s wallet is reportedly showing a balance of 0 XMR.

Furthermore, according to the Reddit user, the amounts sent and the transactions recorded on the blockchain “don’t line up.” MoneroDontCheeseMe wrote that the 200 XMR transaction actually deducted 1691.001 XMR from the Ledger Wallet, and also that the amounts reported for the 10 XMR transaction are incongruous.

In the comments to the post, Nicolas Bacca, chief technical officer at Ledger, stated that the most likely scenario — given how extensively the app has been tested — is a synchronization issue. Still, the warning issued later specifying a change address problem confirmed that this was not the case.

About two hours later, Ledger developers published the aforementioned warning on the Monero subreddit, and the official Monero Twitter account retweeted a tweet containing a link to the warning submitted by the official Ledger Twitter account. The warning post specifies that the problem presents itself when using the latest version of Monero client with application 1.1.3.

Monero team members have not answered Cointelegraph’s request for comment by press time.

Per CoinMarketCap data, Monero is the 13th biggest cryptocurrency by market cap, equivalent to over $800 million at press time. It is particularly known for its focus on privacy, as well as its use by hackers in cryptojacking malware. In February, news broke that a new hacking tool is propagating throughout the online community of Windows users in an attempt to install cryptocurrency mining malware that mines XRP.

As Cointelegraph reported at the end of last year, researchers have reportedly shown how they were able to hack crypto wallets Trezor One, Ledger Nano S and Ledger Blue at the 35C3 Refreshing Memories conference. However, the next day, Ledger released an announcement stating that they regret that the researchers hadn’t disclosed the findings responsibly and that the discovered vulnerability is not critical.


Ledger: Recently Discovered Wallet Vulnerabilities Not Critical

Ledger claimed that the recently uncovered vulnerabilities in their hardware wallets are not critical.

Ledger claimed that recently uncovered vulnerabilities in its hardware wallets are not critical in an official Medium blog post on Dec. 28.

Yesterday at the 35C3 Refreshing Memories conference in Berlin, researchers claimed that they were able to hack the Trezor One, Ledger Nano S and Ledger Blue cryptocurrency wallets.

In the post, the company explains that there appeared to be “three attack paths which could give the impression that critical vulnerabilities were uncovered,” but according to them “this is not the case.”

The reason Ledger says that the vulnerability is not critical is that “they did not succeed to extract any seed nor PIN on a stolen device” and “sensitive assets stored on the Secure Element remain secure.”

According to the company, the Ledger Nano S vulnerability “demonstrated that physically modifying the Ledger Nano S and installing malware on the victim’s PC could allow a nearby attacker to sign a transaction after the PIN is entered and the Bitcoin (BTC) app is launched.”

This, Ledger claims, is “quite unpractical, and a motivated hacker would definitely use more efficient tricks.” While the researchers claimed that the vulnerability allowed them to “send malicious transactions to the ST31 [the secure chip] and even confirm it ourselves,” Ledger denies this, stating:

“Their firmware runs snake on the MCU in Bootloader mode. This means that you have to push the left button at boot and the Secure Element does not even boot.”

Ledger also claims that the demonstration of the Ledger Blue attack is “a bit unrealistic and not practical,” claiming that “the position of the receiver and the attacked device must be exactly the same, the position of the USB cable is also paramount (as it acts as an antenna).”

The post stated that “if the conditions are not exactly the same, the machine learning classifier won’t work properly.” For this reason, Ledger concluded:

“This attack is definitely interesting, but does not allow to guess someone’s PIN in real conditions (it requires that you never move your device at all).”

Furthermore, because of this vulnerability, Ledger stated that the next Ledger Blue firmware update will feature a randomized keyboard for the PIN.
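The randomized keypad is a mitigation worth spelling out: the Ledger Blue attack described above trains a classifier on emissions that correlate with *where* on the screen a key is pressed, so if the digit-to-position mapping is fixed, recovering positions is the same as recovering the PIN. Shuffling the layout on every entry breaks that equivalence. The following is an added illustration written for this page, not Ledger’s firmware or BOLOS code; the layout format, function names and the PIN `2580` are assumptions chosen for the example.

```python
import secrets

DIGITS = "0123456789"


def random_layout() -> str:
    """Return a fresh keypad layout: layout[position] is the digit drawn at that position.

    Fisher-Yates shuffle driven by the OS CSPRNG (secrets.randbelow), so one
    observed layout gives no information about the next one.
    """
    digits = list(DIGITS)
    for i in range(len(digits) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        digits[i], digits[j] = digits[j], digits[i]
    return "".join(digits)


def positions_for_pin(pin: str, layout: str) -> list:
    """Key positions the user touches to type `pin` on the given layout.

    This is the signal a position-level side channel would recover.
    """
    return [layout.index(d) for d in pin]


def pin_from_positions(positions: list, layout: str) -> str:
    """Device side: map touched positions back to digits using the layout it drew."""
    return "".join(layout[p] for p in positions)


def observer_guess(positions: list) -> str:
    """An observer who learned only the positions and assumes the default 0-9 layout.

    With a fixed keypad this guess is always right; with a randomized keypad it is
    right only if the device happened to draw the default layout for those digits.
    """
    return pin_from_positions(positions, DIGITS)


def fixed_keypad_leaks(pin: str) -> bool:
    """True if leaking positions on a fixed keypad reveals the PIN exactly."""
    return observer_guess(positions_for_pin(pin, DIGITS)) == pin


def randomized_keypad_entries(pin: str, trials: int) -> set:
    """Distinct position sequences an observer sees across `trials` entries of the same PIN."""
    return {tuple(positions_for_pin(pin, random_layout())) for _ in range(trials)}


if __name__ == "__main__":
    pin = "2580"  # constructed sample PIN, not a real value
    print("fixed keypad leaks PIN:", fixed_keypad_leaks(pin))
    seen = randomized_keypad_entries(pin, 20)
    print("distinct position sequences over 20 randomized entries:", len(seen))
```

The device still verifies the PIN correctly because it knows the layout it drew (`pin_from_positions` round-trips), while an observer who only sees positions sees a different sequence almost every time. Note the limits: this defeats a classifier keyed on screen position, not one that can read the rendered layout itself, and it does nothing against PIN entry over a fixed physical button array.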

The company also stated that they “regret that the researchers did not follow the standard security principles outlined in Ledger’s Bounty program.” According to Ledger “in the security world, the usual way to proceed is responsible disclosure. This is the model in which a vulnerability is disclosed only after a reasonable period of time that allows for the vulnerability to be patched as well as to mitigate risks for users.”

In November, Ledger announced its expansion to New York in order to develop its institutional custody offering Ledger Vault. Moreover, the company also recently signed an agreement with crypto payment startup Crypto.com to allow users to pay for its products with cryptocurrencies.