Kraken Security Labs Identifies Supply Chain Attacks Against Ledger Nano X Wallets

Kraken Security Labs has identified two new attacks that, if executed successfully by malicious actors, could compromise the security of Ledger Nano X wallet owners.

These attacks affect wallets tampered with prior to the user receiving the wallet, as might occur in the event it is intercepted during shipment or purchased from a malicious reseller.

As shown below, the attacks could allow malicious actors to take control of computers connected to the wallets and install malware that might result in the loss or theft of funds stored.

Bad Ledger

In this scenario, the firmware of the non-secure processor is modified using a debugging protocol to act as an input device, like a keyboard, that can then send malicious keystrokes to the user’s host computer.

The Ledger Nano X ships with the debugging functionality enabled on its non-secure processor, a feature that is disabled as soon as the first ‘app’, such as the Bitcoin app, is installed on the device.

However, prior to any apps being installed, the device can be reflashed with malicious firmware that can compromise the host computer, similar to “BadUSB” and “Rubber Ducky” attacks.

The proof-of-concept video above shows an infected Ledger Nano X that acts as a keyboard when connected to a computer. Using keyboard shortcuts, it opens a browser and navigates to www.kraken.com.

Alternatively, the infected Nano X could have executed malware on the victim’s machine. Neither the Ledger Nano X device nor the Ledger Live software application display indication of tampering and identify the device as genuine.

Blind Ledger

A single connection controlled by the non-secure processor allows it to reset the display. Hence, malicious code running on the non-secure processor can turn off the display even while it’s running on battery only.

This might be leveraged as part of an elaborate social engineering attack where the infected Ledger Nano X shuts off its display while malware on a computer convinces the user to press a series of buttons to approve a malicious transaction (e.g., “Your Ledger Nano X stopped responding, please hold both buttons to restart the device”).

As the display is disabled, the user would not notice or be able to verify the transaction on the hardware wallet.

Here is what you can do to protect yourself:

  • Only buy Ledger devices from trusted stores. Don’t plug the Ledger Nano X that you got in a free giveaway or found in the parking lot into your computer.
  • Always verify transactions on the Ledger Nano X wallet. Be extremely cautious if the device acts strange (e.g., the display turns off).

At Kraken Security Labs, we try to discover attacks against crypto users before the bad guys do. Upon discovery, Kraken Security Labs responsibly disclosed the full details of these attacks to the Ledger team on April 9, 2020.

You should review the Ledger team’s response at: https://donjon.ledger.com/lsb/013/

Technical Details

The Ledger Nano X is the latest hardware wallet from Ledger, the manufacturers of the Ledger Nano S hardware wallet.

The primary differences between the Ledger Nano X and the Ledger Nano S are:

  • The addition of Bluetooth as a communication method
  • A small battery for battery-powered operation when used over Bluetooth
  • The newer STMicroelectronics ST33 secure processor (the Nano S uses the ST31 for secure processing and both wallets use the STM32 as non-secure processors). The ST33 secure processor provides significantly more I/O pins, which allows the  ST33 to be directly connected to the display and buttons on the Ledger Nano X. This is different from the Ledger Nano S, which required these peripherals to be connected to the ‘non-secure’ STM32 processor. This limitation in the older Nano S was leveraged in several attacks presented by the Wallet.Fail team at 35C3.


Issues Identified in Attack Research

Ledger states on its website that JTAG is left enabled on the STM32WB55 processor for the purpose of allowing end-users to verify whether the STM32WB55 has been tampered with:

Figure 1: Ledger FAQ entry on leaving JTAG enabled.

This is misleading, because Ledger currently does not actually publish any hashes that would make it possible to check the memory contents against a known firmware image.

Ledger states that “upon any signed application launch, the JTAG channel will be permanently closed and cannot be reopened.” However, it was found that the STM32WB55 is not validated at runtime at all. Hence, malicious firmware in which the code to lock JTAG after a signed application launch was removed, ran without any issues or without being detected by the ST33.

A PoC patch to the the Ledger Nano X firmware could be implemented as follows:

Figure 2: Example binway patch for keeping SWD enabled. (Red marks the modified bytes.)

This change does not adversely affect the behaviour of the device, it continues to operate nominally. Moreover, the Ledger Live app will still continue to report that the device is genuine:

Figure 3: The Ledger Live application failing to detect modified STM32WB55 firmware.

To allow easier programming of the STM32WB55 using JTAG, a Ledger Nano X was soldered to a breakout board to provide easy access to all the programming pins using the standardized ST-Link interface. In a real-world attack, because the firmware only needs to be modified once, namely before any Apps are installed, a spring-loaded pogo-pin interface could be used instead.

This would have the advantage of being indistinguishable from the programming method used during normal manufacturing and would require no additional modification to the overall device.

Figure 4: The modified Ledger for easy programming access

Bad Ledger Attack

On the Ledger Nano X, all of the USB communication between the host and the hardware wallet is handled by the STM32WB55 processor.

As a result, by executing malicious code on the STM32WB55 it is possible for an attacker to repurpose a genuine Ledger Nano X into a malicious device, without hardware modifications.

Because the STM32WB55 controls all of the USB communications, a Ledger Nano X executing malicious code can identify itself and behave like any arbitrary USB device to the host. For example, a malicious firmware can implement all the necessary USB communications to identify itself as and emulate a USB-Keyboard to the host PC.

The firmware can then send standard keyboard scan codes to execute malicious commands as the currently authenticated user. 

A proof-of-concept was developed that, when plugged into a Mac OS running computer, opens https://www.kraken.com and then boots the original Ledger firmware. The Ledger Live application was not able to detect this tampering and identified the device as genuine.

Blind Ledger Attack

On the Ledger Nano S, only the older ST31 secure processor was trusted. However, the display, buttons and USB were all controlled by the “non-secure” STM32F0 processor. As a result, malicious firmware executed on the non-secure processor could bypass the secure element by mimicking user input, for example to confirm a malicious transaction. 

On the Ledger Nano X, this attack is no longer possible. One of the substantial design changes of the Ledger Nano X is an architectural change in which the peripherals, i.e. the display and the buttons, are directly connected and controlled by the ST33 secure processor and not to the “non-secure” STM32WB55. During the analysis of the underlying hardware, it was identified that the ST33 does indeed control the buttons and the display.

However, a single connection was identified between a GPIO pin of the STM32WB55 and the display. By driving this pin with values set using a debugger connected over the JTAG/SWD interface, the behaviour was found to be similar to the reset pin for the display. Setting the Output Data Register (ODR) bit of the corresponding GPIO pin to 0 turns off the display while the device continues to operate nominally.

Once the display is turned off there is no way for the user to identify what is being output on the display, nor can a user identify whether or not the device is actually running. Externally, the device looks like it’s turned off but is in fact still capable of accepting user input. Moreover, the device can still communicate with a host PC, including with the Ledger Live application.

A malicious attacker capable of flashing malicious firmware onto the STM32WB55 could combine this attack with social engineering. For example:

First, a malicious firmware image is programmed onto the STM32WB55. This malicious (backdoored) firmware will include code to turn off the display when certain conditions are met. Next, a malicious application running on the host PC such as a malicious version of the Ledger Live application can display a message, such as “Your Ledger Nano X stopped responding, please hold both buttons to restart the device.”

By communicating with the malicious firmware being executed on the Ledger Nano X, the ST33 receives and displays a malicious transaction. Unwittingly, the user is tricked into confirming the transaction by pressing the physical buttons on the Ledger Nano X, by following the instructions of the malicious application running on the PC.

Figure 5: Setting this bit to 0 will disable the display, without stopping the device from working regularly.

Continuing Research

During this research, the official Ledger Live app would not start on Mac OS Catalina, as it was not signed by the official Ledger developer account. The official Ledger guidance for this issue was a set of instructions on how users can bypass the enforced code signing, putting users at risk of opening malicious Ledger Live versions.

Since, Ledger has yet to ship a software update to the ST33 firmware and has yet to release an SDK for developing Apps for the Ledger Nano X, neither of these components was tested as part of this research.

Source Link