The company Ledger is the most popular manufacturer of hardware wallets. This is evidenced by the fact that last year it was sold more than a million of these devices.
Hardware wallets are considered to be the safest for “cold” storage of their crypto currency, because the data of USB-devices exclude hacker attacks connected with the connection to the network.
However, in order to get or send money to the user, you still need to connect the device to the computer. It is in this moment and revealed the vulnerability of Ledger wallets.
On February 3, the company in its Twitter account issued a warning to its users about the vulnerability detected:
To mitigate the man in the middle attack vector reported here https://t.co/GFFVUOmlkk (affecting all hardware wallet vendors), always verify your receive address on the device's screen by clicking on the "monitor button" pic.twitter.com/EMjZJu2NDh
— Ledger (@LedgerHQ) February 3, 2018
Today, there have been no reports of attacks, but the company considers it its duty to warn about it.Ledger gives practical advice to its users what steps need to be taken to avoid losing their funds.
And so, in order to avoid the so-called MiTM attack, it is necessary to check the correctness of the address every time in the manual mode, by pressing the button with the monitor displayed on the screen of your computer or other device.
It is worth noting that during the attack, the user will not even understand that his funds went wrong.Malicious software can very easily change the recipient’s address using the Ledger purse files that are located in the AppData folder.
Vulnerability exists, but as they say “forewarned, it means armed”. The proposed steps will avoid theft of funds, but this is not a perfect solution, since it depends solely on user actions.