Ledger responds to Monokh’s challenging security claim

Hardware wallet maker Ledger was forced to respond to Monokh’s claims about holes in its Bitcoin app after the company failed to address the issue in time.

By · Aug 6, 2020 · 4 min read

Hardware wallet manufacturer Ledger has announced an update to its Bitcoin app. The update responds to the findings of software security researcher Monokh, which were made under a bug bounty program Ledger announced for external security researchers so that impactful vulnerabilities are found before they can be exploited.

Monokh found a vulnerability in Ledger’s app. A malicious wallet application could exploit this weakness to trick users into thinking they were conducting a Bitcoin derivatives transaction when they were in fact creating a Bitcoin transaction. Hackers could also use the vulnerability to have a receiving address verified under a wrong derivation path.

Ledger states that hackers cannot use the flaw to gain access to users’ private keys or recovery phrases, and that it does not affect any other cryptocurrencies.

Ledger detailed in a blog post how it fixed the problem. The app now double-checks the derivation path of every transaction. If something unusual comes up, the user is notified: messages such as “The derivation path is unusual” and “Sign path is unusual” appear, followed by a “Reject if you’re not sure” option. Ledger says that some wallet applications use non-standard custom paths, which is why it warns about unusual derivation paths rather than blocking them altogether: the aim is to leave users as much freedom as possible to conduct their operations.
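To make the derivation-path check concrete, here is an added example (not Ledger’s own code, and not taken from the blog post) of a wallet-side path classifier that produces the kind of prompt described above. It assumes the BIP44/BIP49/BIP84 five-level layout and the SLIP-0044 Bitcoin coin types 0 (mainnet) and 1 (testnet) as the definition of “standard”; everything else is flagged as unusual so the user can reject it.

```python
import re

# Assumed "standard" layout: BIP44 / BIP49 / BIP84 five-level paths,
# m / purpose' / coin_type' / account' / change / address_index,
# with SLIP-0044 coin types 0 (Bitcoin mainnet) and 1 (testnet).
STANDARD_PURPOSES = {44, 49, 84}
BITCOIN_COIN_TYPES = {0, 1}


def parse_path(path):
    """Turn "m/84'/0'/0'/0/5" into [(84, True), (0, True), (0, True), (0, False), (5, False)]."""
    if not re.fullmatch(r"m(/\d+'?)*", path):
        raise ValueError(f"malformed derivation path: {path!r}")
    return [(int(p.rstrip("'")), p.endswith("'")) for p in path.split("/")[1:]]


def check_path(path):
    """Classify a path: (True, 'standard') or (False, reason the wallet should warn)."""
    levels = parse_path(path)
    if len(levels) != 5:
        return False, f"depth {len(levels)} instead of the usual 5 levels"
    (purpose, p_h), (coin, c_h), (_account, a_h), (change, ch_h), (_index, i_h) = levels
    if purpose not in STANDARD_PURPOSES:
        return False, f"purpose {purpose}' is not 44'/49'/84'"
    if coin not in BITCOIN_COIN_TYPES:
        # A Bitcoin app signing under another coin's type is the kind of
        # mismatch a user should be asked about before approving.
        return False, f"coin type {coin}' is not Bitcoin (0' mainnet, 1' testnet)"
    if not (p_h and c_h and a_h) or ch_h or i_h:
        return False, "hardening pattern differs from purpose'/coin'/account'/change/index"
    if change not in (0, 1):
        return False, f"change level {change} is neither 0 (receive) nor 1 (change)"
    return True, "standard"


def sign_prompt(path):
    """Warning the device should show before signing with `path`; None means no warning is needed."""
    ok, reason = check_path(path)
    if ok:
        return None
    return f"Sign path is unusual ({reason}). Reject if you're not sure."
```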

Standard procedure when researchers like Monokh find security issues is to notify the company and give it 90 days to fix the issue before going public. In this instance, Ledger failed to address the issue in time, so Monokh released the findings before Ledger had acted on them. Ledger acknowledged its mistake in the blog post and thanked Monokh for the work.

