Security researcher discloses a signing vulnerability in Ledger hardware wallets that could lead to the theft of user funds

Security researcher Monokh has published an article disclosing a security vulnerability in the Ledger hardware wallet, a cryptocurrency wallet. Monokh points out that the vulnerability could lead to the theft of user funds. A Ledger device exposes Bitcoin (mainnet) keys and signatures through applications other than the Bitcoin app, and presents the user with misleading transaction confirmation prompts. Taking the Bitcoin and Litecoin applications as an example, the attack path is:

1. Open the Litecoin application.
2. Obtain a Bitcoin Segregated Witness address.
3. Look up the UTXOs for that address.
4. Build a Bitcoin transaction and send it to the Ledger device, which asks the user to approve the signature.
5. Obtain a validly signed Bitcoin transaction.

Ledger should have recognised the mismatch at steps 2 and 4 and refused, but it still prompted the user to approve the transaction. All firmware versions and app versions are affected by this vulnerability. Monokh recommends that Ledger disable the altcoin applications in the live application catalog until a patch is released.

According to the disclosure timeline, Monokh first reported the privacy-related part of the vulnerability to Ledger in January 2019. Ledger subsequently updated the firmware but not the application, and stated that it would disclose the vulnerability immediately. In April 2019, Monokh contacted Ledger again to request an application update but received no feedback. In May of this year, Monokh identified the signing function as the root cause of the vulnerability, which may result in the theft of user funds. Ledger then said it was investigating the vulnerability. Since then, Monokh has contacted Ledger several times asking for the vulnerability to be disclosed and fixed, but has received no response, and Ledger has neither fixed nor disclosed the vulnerability.
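The mismatch at steps 2 and 4 is that an altcoin app serves a key and a signature for a path that belongs to another coin. As an added example that is not part of the article and not Ledger's or Monokh's code, the guard below shows the app-side check a wallet application can apply before deriving a key or signing: it parses a BIP32 derivation path and refuses any request whose BIP44 coin_type field is not the running app's own coin. The assumption that the coin is identified by the SLIP-0044 coin_type at index 1 of the path is this example's, not the article's.

```python
# Added example (not from the article, Ledger, or Monokh): refuse key
# derivation and signing requests whose derivation path names a coin
# other than the running app's own coin.

HARDENED = 0x80000000

# SLIP-0044 registered coin types for the two apps named in the article.
COIN_TYPE = {"bitcoin": 0, "litecoin": 2}

# BIP43 purposes under which the coin_type field sits at index 1.
KNOWN_PURPOSES = {44, 49, 84}


def parse_path(path):
    """Turn "m/84'/0'/0'/0/0" into child indices; hardened ones carry the high bit."""
    parts = path.strip().split("/")
    if parts[0] != "m":
        raise ValueError("derivation path must start with m")
    indices = []
    for part in parts[1:]:
        hardened = part.endswith("'") or part.endswith("h")
        index = int(part.rstrip("'h"))
        if not 0 <= index < HARDENED:
            raise ValueError("child index out of range")
        indices.append(index | HARDENED if hardened else index)
    return indices


def app_allows_path(app, path):
    """True only if the path's coin_type is the app's own coin.

    A Litecoin app receiving m/84'/0'/... (Bitcoin mainnet) returns False,
    which is the refusal the article says should have happened at steps 2 and 4.
    """
    indices = parse_path(path)
    if len(indices) < 2:
        return False  # no coin_type field to check
    purpose, coin = indices[0], indices[1]
    if not (purpose & HARDENED) or not (coin & HARDENED):
        return False  # purpose and coin_type must be hardened
    if (purpose ^ HARDENED) not in KNOWN_PURPOSES:
        return False  # unknown purpose: cannot locate coin_type, so refuse
    return (coin ^ HARDENED) == COIN_TYPE[app]
```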