Crypto funds’ susceptibility to hacking and theft is a major concern in the industry. Over $8 billion in bitcoin have been stolen from exchanges since 2011, Reuters has found.
So it’s not surprising that a high-security device for storing cryptocurrencies has sold over a million units. But it contained a vulnerability, a security researcher has found. Ledger, the French startup behind the Nano S, says it has fixed the problem after being notified by the researcher, but the gap still exists in a second, less popular, product, the Nano Blue—and that fix won’t be available for several weeks, the firm’s chief security officer, Charles Guillemet, said. Ledger says it is not aware of any funds that have been stolen from the devices.
The person who exposed these vulnerabilities is a 15-year-old British hacker named Saleem Rashid. He found a way for an attacker to access the cryptographic keys stored on Ledger’s devices, thus controlling any funds on the device, and even the device’s display. In a blog post explaining the vulnerabilities for the Ledger Nano S, Rashid described one attack scenario as being “trivial to perform.”
Here’s how the attack works: Ledger wallets use something called a “secure element”—a special, tamper-proof chip—that is touted as a key security feature. Secure elements are widely used in passports, identity cards, and are used to store payment information on iPhones. But these chips often can’t process much data, or be connected to peripherals such as a display. The secure element in the Nano S is therefore connected to a micro-controller that does those things, but is itself not secure to the same degree. This micro-controller is what Rashid’s attack focuses on.
An attacker needs to somehow install a customized version of the firmware that runs on the Ledger wallet’s micro-controller. This is a process that takes 20 seconds or less, Rashid says. One way to do this is to have physical possession of a wallet before it gets into a user’s hands—which could happen if a wallet was compromised and then sold on eBay, for instance.
Such a scenario is known as a “supply-chain attack” and it could affect any devices that aren’t directly shipped from the producer to the customer. In Ledger’s case, it says the majority of its Nano S wallets are sold directly to consumers, but some are sold through third-party retailers. These range from Amazon to small businesses that specialize in cryptocurrency products. Ledger hasn’t yet provided the number of devices sold through third parties. Guillemet, the chief security officer, says the firm does not conduct any audits of its authorized resellers.
Rashid also says the less popular Ledger Blue devices were likely to suffer from the same security hole because they have a similar design, though he didn’t test the attack on Ledger Blue wallets. Guillemet confirms this, but says all Ledger Blues were sold directly to users, and only a few thousand were sold in total.
Ledger ships its devices in boxes that boast they aren’t secured by “anti-tampering” stickers. “Ledger devices are engineered to be tamper-proof,” the packaging says (whether the device is sold directly or through a third party). There are no plans to add anti-tampering stickers, or to change the language communicating this to customers, Guillemet says—partly because that wouldn’t provide meaningful protection. “We won’t add an anti-tampering sticker that anyone can buy for only one dollar,” he said.
In the meantime, unsold Ledger devices that haven’t been updated will continue to be lucrative targets for hackers. “There are tens, or hundreds of thousands of these sitting on shelves of more or less reputable sellers,” says Kenn White, a security researcher who reviewed Rashid’s work, and who is director of the Open Crypto Audit Project. “It is a golden era for scammers. In some cases, people are entrusting their life savings in these [hardware] wallets, and so the incentive for tampering is high.”
Ledger’s chief executive, Éric Larchevêque, has accused Rashid of pulling an “unfortunate publicity stunt” for the way he warned users of the vulnerability on Twitter. Public disclosures of security holes are a common practice among independent researchers. Rashid also takes issue with the way Ledger has rolled out its fix to its customers. Ledger has made the security update optional, and has described it as “serious but not critical.” Rashid says this approach leaves users vulnerable.
Rashid’s findings have long-term ramifications for the cryptocurrency industry—and Ledger. The reliance on a micro-controller that can be tampered with means that the firm is now locked in a race against would-be hackers to keep raising the defenses on this component. “The notion that users can simply update and be done is wildly naive,” says White. “Ledger will continue to add tamper-resistant measures to the [micro-controller], but ultimately, it’s just a long-form Whack-A-Mole game.”
Ledger is among the beneficiaries of the crypto gold rush, selling metaphorical picks and shovels to eager investors. It has earned over $100 million in revenue from the Nano S, and raised $75 million from marquee investors in January. It is adding features that will transform its devices from merely storing cryptocurrency to being able to trade coins with other users.
Even Ledger’s security chief acknowledges that hackers will continue to target his firm’s devices. But he’s confident Ledger has the technical chops to stay ahead of attackers. “Security is clearly a cat-and-mouse game,” Guillemet says. “But when you play the game with a secure element, it’s easier to resist them.”