New Hardware Wallet Vulnerability? Not Exactly…

February 6, 2018

The start of February has seen the dissemination of “news” that a vulnerability in hardware wallets, particularly the Ledger, has been “discovered”. Understandably, this has caused many hardware wallet owners largely unnecessary anxiety with regard to their existing wallets.

While there are attack vectors that can affect the addresses displayed or used on an infected client computer (where you connect and interact with a hardware wallet), this type of vulnerability has been around since the beginning of Bitcoin! In fact, this same class of vulnerability applies to all Bitcoin and other crypto wallets everywhere, whether software or hardware. It is not unique to Ledger devices.

I’m going to start off with some quick facts and then get to some best practices you should adopt when using your hardware wallets.

  1. Your funds are safest in a hardware wallet. No immediate action is required. This particular risk only applies once you try to send or receive crypto assets to/from the hardware device.
  2. This is not a “bug” in Ledger or any other hardware wallet. In fact, hardware wallets offer the best level of protection against this specific threat! …but some diligence is still required by the user.
  3. The attack works by modifying either the contents of your clipboard or your Ledger Wallet or KeepKey Chrome apps. Other versions could potentially affect the Trezor as well.
  4. This vulnerability cannot be easily patched or addressed. It’s better to adopt best practices when handling addresses so that you can ensure you’re not affected.

Steps you can take to prevent attacks by address-changing malware or client software hacks:

Ledger Nano S

Button to display the address on your Ledger device's screen. Check to make sure it is the same as what your computer is showing you. The first and last few characters are usually sufficient.

When receiving funds using the main Ledger Wallet Chrome app: Make sure you tap on the monitor icon at the bottom of the address display window. Compare the address shown on the Ledger device itself with that shown on your PC screen. If they are the same then great! If they are not, then you should try a different computer to see if you get the same result. Make sure you install Ledger apps yourself from the official Ledger website:

When receiving Ethereum or most other tokens (ERC-20): It may be better to use the MyEtherWallet (MEW) website instead of the Ledger Ethereum Chrome app for greater functionality. Within the Ethereum app on your Ledger device you will need to enable browser support. Once you’ve connected the Ledger on MEW, select the address you want to receive into. Make sure you click the “Display address on Ledger” link to confirm it on your Ledger device screen. If you don’t see the same address, use another computer to connect to MEW. Make sure you are going to the correct website:

When receiving into Ledger’s Ripple or other specialty apps: These apps may not yet have the ability to display their addresses on your Ledger device screen. Until that is the case you may simply send a small amount of the asset to the address shown and then, ideally, check to see if the same address and test amount appear on a second client computer as well. Although not perfect, if you can see the same address and balance on both client computers then you should be safe receiving a larger balance to the same address you used for the test. Again, only install apps from the official Ledger website.

Trezor & KeepKey

When receiving into any Trezor address: Make sure you are on the official Trezor wallet website: . Every attempt to display a new address will ask you to check that address against the one displayed on the Trezor’s screen. You can also select to view the QR code of that address and scan it directly from the Trezor device itself! Ethereum addresses and tokens work the same as the Ledger using MyEtherWallet. A similar “Display address…” link will appear to the right of the MEW interface that will show your address on the Trezor screen. Just check to make sure it is the same before receiving large amounts. KeepKey displays your addresses and QR codes on the device screen automatically every time you access an address.

Final Important Tip!

Whether you are sending or receiving using ANY wallet, software or hardware, you are probably going to be copying addresses into the local clipboard at some point. This is often necessary to transfer addresses into the client apps to pay or into an email or website to receive. Clipboard addresses can be intercepted and changed by local malware. To detect this and protect yourself against this particular form of attack, adopt the following simple habit:

  • Always visually check the first and last characters of an address after pasting from clipboard. Compare those to your source for that address and make sure they match before proceeding with the transaction.
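
The paste check described above, written out as an added example (it is not from the original post): a small Python helper that compares the address you copied with what actually landed in the paste field. The function names are hypothetical and the sample addresses are constructed placeholders, not real wallet addresses.

```python
import re

# "0x" followed by 40 hex digits: the shape of an Ethereum address.
ETH_RE = re.compile(r"0x[0-9a-fA-F]{40}")


def normalize(addr: str) -> str:
    """Strip whitespace picked up while copying; fold case only for Ethereum hex."""
    addr = addr.strip()
    # Ethereum hex addresses are case-insensitive (mixed case is only a checksum).
    # Base58 Bitcoin-style addresses are case-sensitive and are left untouched.
    return addr.lower() if ETH_RE.fullmatch(addr) else addr


def check_pasted_address(source: str, pasted: str, n: int = 4) -> dict:
    """Compare the address you copied (source) with what was actually pasted."""
    src, dst = normalize(source), normalize(pasted)
    # Index of the first differing character, or None if one is a prefix of the other.
    first_diff = next(
        (i for i, (a, b) in enumerate(zip(src, dst)) if a != b), None
    )
    if first_diff is None and len(src) != len(dst):
        first_diff = min(len(src), len(dst))  # truncated or extended paste
    return {
        "head_match": src[:n] == dst[:n],   # the "first characters" habit
        "tail_match": src[-n:] == dst[-n:],  # the "last characters" habit
        "full_match": src == dst,
        "first_diff": first_diff,
    }


# Constructed placeholder values for illustration only (not valid addresses).
SOURCE_BTC = "1SourceAddrConstructedSampleXXab12"
SWAPPED_BTC = "1OtherAddrConstructedSampleYYzz99"
SOURCE_ETH = "0x" + "Ab12" * 10

if __name__ == "__main__":
    for label, src, dst in [
        ("clean paste", SOURCE_BTC, "  " + SOURCE_BTC + "\n"),
        ("swapped paste", SOURCE_BTC, SWAPPED_BTC),
        ("eth, case differs", SOURCE_ETH, SOURCE_ETH.lower()),
    ]:
        print(label, check_pasted_address(src, dst))
```

Only proceed with the transaction when `full_match` is true; `first_diff` shows where the pasted value starts to diverge from your source.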