Purchased a Ledger Nano S device from an unofficial store? Better read this!
Ledger pushed a software update fixing a security flaw that allows an attacker to steal all cryptocurrency from any wallet whose keys the user stored on the Ledger Nano S device.
The bug was related to the controller chip that handles interactions between the secured chip and the device's interface, including the display, buttons and other elements.
A while back, a British researcher found a way of interfering with the software running on the Nano S, allowing it to steal private keys. An attacker would need physical access to the Nano S device in order to modify the firmware. One scenario would be a "supply chain attack", where a device being delivered to a customer is intercepted during shipping or, more likely, while held by a third-party re-seller.
In recent years, criminals bought many Ledger devices, tampered with the software and sold them online on platforms like eBay. If you bought a Ledger Nano S from eBay or an unofficial source and still have access to your cryptos, now may be the right time to move them to new addresses.
High-risk scenarios
- Ledger Nano S purchased from third-party re-sellers
- Second-hand devices
This brings us to the interesting conclusion that second-hand security devices like the Ledger should never be purchased, and only official stores should be used for buying such toys.