Ledger still safe?
Is Ledger even safe anymore? Once again, the largest manufacturer of hardware wallets has made a major blunder. The latest security breach gave attackers almost direct access to customer funds. A programmer is now demanding harsh consequences.
Ledger still safe? This is what the latest security breach means
Is Ledger still safe? The French company is the largest manufacturer of hardware wallets. Recently, brazen attackers were offered a drastic security hole that made a previously unknown number of users fall victim.
After several users complained about losses via dApps, Ledger reported on Twitter that it had identified an attack vector. It was said that they intervened and were able to solve the problem quickly. In a later statement, Ledger’s CEO said the attack only took place over a two-hour period.
In order to use Ledger safely, the Ledger Connect Kit must be updated to the latest version 1.1.8. It is the second time this year that Ledger has attracted negative attention.
It was only in May that the company faced major headwinds due to the technical functionality of the Ledger Nano X. Users criticized the “Account Recovery” function as a backdoor built in by Ledger.
What happened in the Ledger hack?
A former Ledger employee fell victim to phishing yesterday morning. The attacker then used the employee’s access to manipulate a Ledger library on Github.
The attacker modified the latest versions of the Ledger Connect Kit, which is used to transfer cryptocurrencies from the Ledger to dApps. Instead of sending the cryptos to the corresponding dApp, the infected version transferred the coins to the attacker’s wallet.
According to Ledger, versions 1.1.5, 1.1.6 and 1.1.7 were all successfully infected. In a period of two hours, cryptocurrencies were stolen from affected users by the malicious software.
Pascal Gauthier, CEO of Ledger, apologizes to the public in a statement. He is trying to improve the company’s security standards.
Critics are calling for harsh consequences
Critics are calling for harsh consequences after the attack on Ledger. Developer Lefteris Karapetsas describes the company’s approach as “amateurish.” This is what he writes on Twitter:
“Ledger messed up. There are virtually no security measures, no proper management of credentials, and no revocation of access for former employees. Amateurish and extremely embarrassing for a company of this size whose entire focus should be on safety. Really bad.”
Blockchain developer Riccardo Spagni agrees with this assessment. However, just criticizing Ledger for making another mistake is not enough for the South African.
“This is unforgivable. I’m tired of trying to excuse Ledger,” writes Spagni.
Ledger automatically transferred the latest version of the Connect Kit to users. According to Spagni, this is by no means a standard procedure. Only a verified version is usually transmitted.
“I really tried to understand the background. I can no longer in good conscience recommend Ledger. Ledger is the most dubious security company,” said the programmer.