Ledger Nano S Owners Urged to Update Firmware ASAP

Reading Time: 2 minutes

Owners of Ledger Nano S hardware wallets have been urged up upgrade to the latest firmware by Ruben Somsen, the founder of Seoul Bitcoin, who highlighted a bug on the popular wallet that might “send away ALL funds from ALL your accounts, with NO warning from the device”.

Ledger released firmware v1.5.5 in January stating that it contained a “critical security fix on the Bitcoin app”, and Somsen took to Twitter last week to outline just how critical it really is.

Exploit Discovered Last Month

The potential exploit was first discovered in January by former Mycelium blockchain engineer Sergey Lappo, who posted the find on his blog before Somsen later picked it up and highlighted it. The vulnerability relates only to the Bitcoin app and means that Ledger devices still operating on the 1.4.2 firmware can be fooled into giving away user funds in a five-step process:

1.  The user initiates a payment on malicious software.
2. All coins get used as inputs.
3. The Ledger gets fooled into accepting a malicious change address (this fault behavior is caused by simply leaving the derivation path empty).
4. The user confirms the normal looking transaction on the Ledger.
5. All coins (minus the payment) get sent to the malicious change address.

Worryingly, the hacker doesn’t need access to the Ledger device itself, just the device the Ledger is attached to. It is advised therefore that users update the firmware immediately and try to avoid connecting their hardware wallet to multiple devices, ideally just using a single secure device to interact with. The news of the potential exploit comes on the back of a presentation by a security group last month that highlighted four separate vulnerabilities in the Ledger Nano S.

How to Upgrade

Ledger advises that the update is performed using their Ledger Live app, which is available on Windows, Mac or Linux. Users are advised that they will likely have to delete all existing apps on the device before installing the firmware, but this process has no impact on funds held on the device and the apps can be easily reinstalled once the upgrade is complete.