
Ledger Finds Tangem Card Flaw Enabling Brute-Force Attacks

Ledger’s white hat team, Ledger Donjon, has reportedly discovered a flaw in Tangem cards, potentially making them vulnerable to brute-force attacks. Is your crypto cold storage suddenly feeling a bit chilly? Let’s dive in!
Tangem cards, resembling credit cards, offer a non-custodial cold storage solution for cryptocurrency. These NFC-enabled cards promise a convenient way to interact with your crypto via the Tangem app, all while maintaining a high level of security. Or so we thought…

Supposedly, these cards come in sets of two or three. The idea is to offer a user-friendly alternative to more complex hardware wallets. But with convenience, does security take a hit? Let’s see what Ledger’s team found.

Ledger Donjon claims to have uncovered a relatively new online brute-force attack against Tangem cards. This exploit reportedly targets vulnerabilities in the secure channel implementation, utilizing a “tearing” technique, in which the card is interrupted partway through an operation. Sounds technical, right? Essentially, it bypasses the card’s built-in security delays after multiple failed authentication attempts.

According to Ledger, this bypass allows attackers to attempt approximately 2.5 passwords per second, dramatically speeding up the process of cracking those passwords, especially the weaker ones. Imagine trying to guess a PIN code – now imagine doing it hundreds of times faster. Not a good look for security.

You can learn more about brute force attacks and how to protect yourself from resources like OWASP’s guide on brute force attacks.

Here’s the kicker: these vulnerabilities cannot be patched on existing cards because they’re “not upgradable.” That’s right, if you have a Tangem card, it’s essentially a fixed piece of hardware with this potential flaw. The recommendation? Use strong passwords – at least 8 characters with a mix of digits, letters, and symbols.

While Ledger claims responsible disclosure, Tangem’s assessment of the report downplays the risk, stating that the proposed attack “scenario does not pose a significant risk.” This difference in opinion highlights the ongoing debate about security vulnerabilities in the crypto space. Tangem does have some great resources on their website, including this article about cold storage, but it’s still important to be aware of the risks.

The good news? This attack requires physical access to a Tangem card. While the setup cost is relatively low, potentially making it accessible to a wider range of attackers, the need for physical proximity is still a hurdle. However, the vulnerability accelerates password brute-forcing by over a hundred times compared to relying on the security delay countermeasure. That’s not nothing!
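To make the numbers in the password advice and the “over a hundred times” speed-up concrete, here is an added Python example (not code from the article, Ledger Donjon or Tangem). It checks a passphrase against the article’s recommendation and estimates the average time an exhaustive search would take at the 2.5 guesses/second the article quotes; the slower “delay respected” rate is a constructed figure, simply 100× lower, and the attacker is assumed to know which character classes the passphrase uses.

```python
import math
import string

# Guess rate the article attributes to the tearing bypass.
BYPASS_GUESSES_PER_SECOND = 2.5
# Constructed lower bound for the rate when the security delay is respected:
# the article says the bypass is "over a hundred times" faster, so we use 100x slower.
DELAY_GUESSES_PER_SECOND = BYPASS_GUESSES_PER_SECOND / 100

# Character classes named in the article's recommendation (printable ASCII, no space).
CLASSES = {
    "digits": string.digits,
    "letters": string.ascii_letters,
    "symbols": string.punctuation,
}


def meets_tangem_advice(password: str) -> bool:
    """Article's recommendation: at least 8 characters with digits, letters and symbols."""
    if len(password) < 8:
        return False
    return all(any(c in chars for c in password) for chars in CLASSES.values())


def keyspace(password: str) -> int:
    """Number of candidates an attacker who knows the character classes must cover."""
    unknown = [c for c in password if not any(c in chars for chars in CLASSES.values())]
    if unknown:
        raise ValueError(f"unsupported characters (assume printable ASCII): {unknown!r}")
    alphabet = sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))
    return alphabet ** len(password)


def expected_seconds(password: str, rate: float = BYPASS_GUESSES_PER_SECOND) -> float:
    """Average time to hit the password: half the keyspace at the given guess rate."""
    return keyspace(password) / 2 / rate


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for pw in ("1234", "123456", "password", "Tr0ub4d!"):  # constructed sample passphrases
        print(f"{pw!r:12} meets advice: {meets_tangem_advice(pw)!s:5}  "
              f"bypass: {human(expected_seconds(pw))},  "
              f"with delay: {human(expected_seconds(pw, DELAY_GUESSES_PER_SECOND))}")
```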

Even hardware wallets aren’t foolproof. Crypto security is a shared responsibility, requiring cooperation and consistent effort from both end-users and product development teams. Strong passwords, vigilance, and staying informed are crucial in protecting your digital assets. Always stay up-to-date with the latest security threats and best practices, like the ones detailed in NIST Special Publication 800-63.
