Recently, bitcoin.com published a blog post – Ledger Addresses Man in the Middle Attack That Threatens Millions of Hardware Wallets. We would like to address some of the claims made in the post which are unfortunately incorrect.
TL;DR: This is not a Ledger security flow, Ledger users are not at risk. As a Ledger user, you should verify new receive addresses on device screen when you want to receive fund. As far as we know, no one has ever lost any coins in this Proof of Concept.
While there are attack vectors that can modify the address displayed on an infected client computer (where you connect and interact with a hardware wallet), this type of vulnerability has been around since the beginning of Bitcoin. In fact, this same class of vulnerability applies to all Bitcoin and other crypto wallets everywhere, whether software or hardware. It is not unique to Ledger devices.
We would like to start off with some quick facts:
- Your funds are safe in a hardware wallet. No immediate action is required. This particular risk only applies once you try to send or receive crypto assets to/from the hardware device.
- This is not a “bug” in Ledger or any other hardware wallet. In fact, hardware wallets offer the best level of protection against this specific threat. However, some due diligence is still required by the user.
- The attack works by modifying the content on your clipboard or changing the displayed receive address in your Ledger Chrome apps. Other versions could potentially affect Trezor hardware wallet as well.
- This vulnerability cannot be easily patched or addressed. It’s better to adopt best practices when handling addresses so that you can ensure you’re not affected.
Steps you can take to prevent attacks by address-changing malware or client software hacks:
When receiving funds using the main Ledger Wallet Chrome app:
Make sure you tap on the monitor icon at the bottom of the address display window. Compare the address shown on the Ledger device itself with that shown on your PC screen.
If they are the same then great! If they are not, then you should try a different computer to see if you get the same result. Make sure you install Ledger apps yourself from the official Ledger website: https://www.ledgerwallet.com
When receiving Ethereum or most other tokens (ERC-20):
It may be better to use the MyEtherWallet (MEW) website instead of the Ledger Ethereum Chrome app for greater functionality. Within the Ethereum app on your Ledger device you will need to enable browser support.
Once you’ve connected the Ledger on MEW, select the address you want to receive into. Make sure you click the “Display address on Ledger” link to confirm it on your Ledger device screen. If you don’t see the same address, use another computer to connect to MEW. Make sure you are in the correct website: https://www.myetherwallet.com/
When receiving other coins using Ledger official app such as Ripple:
Right now these apps do not have the ability to display receive address on your Ledger device screen. Until that, you may simply send a small amount of the asset to the receive address. Ideally, check from another computer to see if the same address and test amount appear as well. Although this method is not perfect, if you can see the same address and balance on both client computers then you should be safe. Again, only install apps from the official Ledger website.
Final Important Tips!
Whether your are sending or receiving fund using ANY wallet, software or hardware, always visually compare the first or last few characters of the address after pasting from your clipboard. Compare the address with your source and make sure they match before proceeding the transaction.