How Ledger's security model could be used to rob exchanges, targeted users, or just go wrong and reveal someone's private keys

Lucas Zanella
5 min read, Sep 3, 2017


Disclaimer: I'm just a student, and this is what I THINK about Ledger's security model. If something is wrong, I'll happily edit the post to add corrections. I'll also add anything Ledger wants people to know about.

PS: please forgive my bad English.

So, I bought a Ledger Nano S assuming it was fully open source. When it arrived, I was a little disappointed to discover that its firmware is not open source. As explained in this post: https://medium.com/@Ledger/introducing-bolos-blockchain-open-ledger-operating-system-b9893d09f333, it doesn't need to be, because while the firmware is closed source, the apps are open (you can, for example, see the source code for the bitcoin, litecoin, etc. hardware programs here), and the communication between the Ledger and the PC is done by these apps, not by the firmware.

Ledger Nano S (image from coinstop)

So, let's understand how it works in detail:

We’re pleased to introduce our new Operating System, designed by our firmware team and leveraging on the expertise of powering millions of embedded Secure Elements in our past ventures : the Blockchain Open Ledger Operating System, also known as BOLOS.

The communication between the computer and the Ledger is mediated by an unsecure MCU (STM32), whose code is open source. It just receives the USB packets and relays them via SPI to the ST31, which is the secure element. In the secure element, the closed-source firmware guarantees that every open-source program runs isolated, with no access to the other programs. When you boot your Ledger, the firmware runs an open-source app that lets you select which of the open-source apps you want to run: bitcoin, litecoin, ethereum, FIDO U2F, or any other app you could have written yourself.

It's important to mention that BOLOS is designed this way because ST (the company behind the secure element) won't let Ledger release the firmware's code, as it would reveal the chip's internals. I don't know much about chip security, but I don't find security through obscurity a good model at all.

Bolos architecture (image from Ledger)

So, that's the security model: if you know the code of the open-source app, then you shouldn't worry about the firmware having backdoors, because all the code that could extract any information from the hardware (private keys, for example) is trusted by you. In theory, there's no way for a backdoor in the firmware to be effective… Well, it turns out there is a way:

The hardware's open-source apps (like the bitcoin, litecoin and ethereum apps) have full control over the received USB packets. Since you can audit their code, you should be able to trust them. But they need to make system calls to the firmware for many things, one of them being the cryptographic functions. The most critical one is the ECDSA system call (Elliptic Curve Digital Signature Algorithm), which is basically the function that signs your bitcoin transaction. If it's badly written, it could simply fail to sign properly, so your transaction would not be accepted by the network, or it could leak your private keys, like in this incident with Sony's PlayStation 3. The problem rests on this fact:

Every time you sign a message with ECDSA, you need to generate a random number k. It must be truly random, and if it's used more than once it reveals your private key. One way to prevent the reuse of k is the RFC 6979 standard, which eliminates the randomness of k with a totally deterministic process: k is determined by the message itself, not by randomness.

You might be thinking: "well, but I can sign a message and verify on my PC that it was signed correctly, so there's no possibility of k reuse". Well, you, as an individual, can verify that for your particular address, at this particular time, the message got signed correctly. But what if the closed-source firmware was written in a way that signs everyone's messages correctly, except for some targeted addresses like exchanges' cold wallets? Let's think about the scenarios:

1 — Ledger is an evil company

I'm not saying the people behind Ledger would do it, but since hardware wallets should be secure by their own means, and not by a company's reputation, suppose you're a bad guy working on Ledger's firmware. You look up the addresses of the most famous exchanges' cold wallets or the richest single addresses on the blockchain and hard-code them into the firmware in a way that k is only reused if the message being signed involves these particular addresses. You could then just wait for these signed messages to pop up on the blockchain (or just to be relayed by a node) to extract k and rob millions of dollars.

Another, more clever backdoor would be an ECDSA signing function that looks for some pattern in the address (you can create addresses with patterns, like vanity bitcoin addresses) and only chooses k in a malicious way when this pattern is contained in the OUT address of the transaction to be signed. You, the evil guy, knowing that the person has a Ledger (not difficult, as every owner posts a photo of their new item on social media), could 'mine' an address with this pattern and then ask the person to send you some bits for some purpose. Then you grab the transaction's signature and extract the private key.

2 - Ledger employees are humans, and humans make mistakes

In this case, the message could be badly signed at random because of some bug. While it's hard for a bug to wrongly sign a message in a way that reveals a private key and is still accepted by the network, it could be that it randomly signs the message in a way that is relayed by nodes but not accepted by miners. The message would still have reached lots of users on the network, which is enough to steal the private key.

Conclusion

You could always verify the signatures on your computer before broadcasting the message to the network, but that completely defeats the purpose of a hardware wallet, which is to work securely even on PCs infected with malware (it's even advertised as having this feature).
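The k-reuse failure described above and the host-side verification mentioned here, as an added example that is not part of the original post: a toy-curve ECDSA in Python with an RFC 6979 style deterministic nonce (simplified, not the RFC's exact procedure), a check that flags two signatures sharing r, and the key recovery that shows why a single reuse is fatal. The curve, keys and hash values are constructed for illustration; z stands for the message hash already reduced mod N.

```python
import hmac
# Toy curve y^2 = x^3 + 2x + 2 over F_17; G = (5, 1) has prime order N = 19 (constructed toy, not secp256k1).
P, A, G, N = 17, 2, (5, 1), 19

def add(p1, p2):                       # None stands for the point at infinity
    if p1 is None or p2 is None: return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = ((3*x1*x1 + A) * pow(2*y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam*lam - x1 - x2) % P
    return (x3, (lam*(x1 - x3) - y1) % P)

def mul(k, pt):                        # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def det_k(priv, z):
    """RFC 6979 idea (simplified, not the RFC's exact loop): k = HMAC(private key, hash z)."""
    mac = hmac.new(priv.to_bytes(2, "big"), z.to_bytes(2, "big"), "sha256").digest()
    return 1 + int.from_bytes(mac, "big") % (N - 1)

def sign(priv, z, k=None):             # k is deterministic unless forced; forcing models a bad signer
    k = k or det_k(priv, z)
    while True:
        r = mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r*priv) % N
        if r and s: return (r, s)
        k = k % (N - 1) + 1            # r or s came out 0: retry with the next nonce

def verify(pub, z, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N): return False
    w = pow(s, -1, N)
    pt = add(mul(z*w % N, G), mul(r*w % N, pub))
    return pt is not None and pt[0] % N == r

def find_nonce_reuse(sigs):
    """Host-side check over (z, (r, s)) pairs: distinct hashes sharing r means k was reused."""
    by_r = {}
    for z, sig in sigs:
        if sig[0] in by_r and by_r[sig[0]][0] != z: return by_r[sig[0]], (z, sig)
        by_r[sig[0]] = (z, sig)
    return None

def recover_priv(z1, sig1, z2, sig2):  # why reuse is fatal: same k gives k, then the private key d
    (r, s1), (_, s2) = sig1, sig2
    k = (z1 - z2) * pow(s1 - s2, -1, N) % N
    return (s1*k - z1) * pow(r, -1, N) % N
```

Signing the same hash twice with det_k yields the identical signature, which is harmless; only distinct hashes with the same r betray a reused k, and the pair then hands the key to anyone watching the network.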

I'd not trust all my Bitcoin funds to a single device like Ledger. In fact, I haven't even used it to store my funds since it arrived (some weeks ago). My recommendation is to create a multisignature between the Ledger and another device (not the computer it'd be working with). Unfortunately, not all cryptocurrencies support multisignature, and Ethereum's multisignature scheme is so complex that it is hard to trust.

On the other hand, the Trezor hardware wallet doesn't have a secure chip like Ledger, so vulnerabilities like this were possible. However, its firmware and applications are truly open source (it makes me wonder if there are some Ledger vulnerabilities 'secured' through obscurity). If I buy a Trezor I'll write about it here too.

Did you like what I wrote? Leave me a tip!

Bitcoin: 1LPp7EFyiC9vvBmf95NAUdGuUMJPryT31z

Litecoin: LaaVxiSouwgCBSeLJWouEDdhLzx7sZN8qs

Ethereum: 0xd033b36df5ac084b0c83f6736773b5925555423e

Dash: Xetj6DaVmnPpGrm94ur7uizhkAFDzPe6AF

zCash: t1VDyvv2RbskxV2MWudwZzpf6aPZ8fzL469


Lucas Zanella

Mathematics student. Infosec, drones, XSS, Khan Academy, bitcoin, virtual reality, nubank, telegram. Decentralization is the answer.