From Ledger, "At the 35th Computer Chaos Congress in Leipzig, Dmitry Nedospasov, Thomas Roth and Josh Datko gave a presentation called wallet.fail, where they tried to demonstrate that Hardware Wallets were vulnerable to several types of attacks. Concerning Ledger, they presented 3 attack paths which could give the impression that critical vulnerabilities were uncovered on Ledger devices. This is not the case."
TREZOR's manufacturer SatoshiLabs responded to the vulnerabilities on Twitter, saying "With regards to #35c3 findings about @Trezor: we were not informed via our Responsible Disclosure program beforehand, so we learned about them from the stage. We need to take some time to fix these and we'll be addressing them via a firmware update at the end of January."
SatoshiLabs also responded in their subreddit with slightly more detail, "Per my latest information (I am not present at the conference), we were not informed about this vulnerability via our Responsible Disclosure process, and therefore we are working with the information as it arrives. We will address this vulnerability as soon as possible, though we will need some time. Until then, you can mitigate it by using a passphrase (make sure to learn how it works first, as in case of passphrase-loss your funds are irrecoverable), or by making sure you do not lose physical access to your device. To exploit the vulnerability, the attacker needs to have physical access to your device — directly to its board."
Of interest, neither manufacturer was notified of these vulnerabilities through its responsible disclosure program prior to the on-stage disclosure at CCC, so both were caught unaware. SatoshiLabs says it will address the findings in a firmware update at the end of January; Ledger disputes that the three attack paths presented amount to critical vulnerabilities in its devices.
Submitted December 28, 2018 at 08:36PM by FortuitousIdiom http://bit.ly/2QaBZ7H