An attack can exploit a vulnerability in Ledger wallets to redirect transactions to the wrong receiving address. According to a Twitter post, all wallets could be affected, but there is a way to protect yourself.
Ledger warned on Twitter that a “man-in-the-middle” attack could cause cryptocurrencies to be sent to an incorrect receiving address. This attack can only occur if the computer used with the Ledger device is infected with malware. The malware operates in a simple but stealthy way.
Every time a new transaction is created to receive Bitcoin or Ethereum on a Ledger wallet, a new receiving address is generated. That address is generated via JavaScript, which is where the vulnerability lies and the step attackers can target.
If the computer involved is compromised, a falsified receiving address may be shown, causing funds to be routed not to the user’s Ledger but to an intermediary. Both the displayed address and the QR code can be manipulated in this scenario.
When a Bitcoin transaction is initiated, the Ledger device displays a Bitcoin address on its screen, and that address must match the address shown on the computer. This check lets the user confirm the correct recipient address. If the addresses differ, the PC is likely infected with the malicious software. The address can be verified by clicking the “monitor button” on the device.
To mitigate the man in the middle attack vector reported here https://t.co/GFFVUOmlkk (affecting all hardware wallet vendors), always verify your receive address on the device’s screen by clicking on the “monitor button” pic.twitter.com/EMjZJu2NDh
— Ledger (@LedgerHQ) February 3, 2018
This verification is currently possible only for Bitcoin transactions. For Ethereum, Dash, or other digital currencies, the receiving address is not shown on the Ledger device. As a precaution, Ledger recommends running the operating system from an external medium—such as a Live CD—to ensure the environment is malware-free before using the wallet.
If you’re using the Ethereum App – Treat the Ledger hardware wallet the same as any other software-based wallet, and use it only on a Live CD operating system that is guaranteed to be malware-free. At least until this issue receives some kind of fix.
Of course, this measure is not absolutely foolproof—no solution is 100% guaranteed—and a small residual risk will always remain. Ledger is currently working on a fix to address the issue.