Teenage British hacker exposes major flaw in best-selling cryptocurrency wallet

Saleem Rashid, 15, discovers vulnerability in Ledger's Nano S and Nano Blue devices

Joe Sommerlad
Friday 23 March 2018 15:39 GMT

A teenage British hacker has exposed a vulnerability in one of the world's best-selling cryptocurrency wallets.

Saleem Rashid, 15, broke into Nano S and Nano Blue devices from French hardware company Ledger after discovering a flaw that enabled him to access the products' keys and thereby gain control of the coins within.

Like passports and identity cards, Ledger's Nanos contain "secure element" chips that store payment information, but these have to be connected to a micro-controller for that information to be viewed on screen.

Rashid discovered that, by manipulating the micro-controller through the installation of his own version of the firmware that runs the Nano S, he could access its contents.

This kind of compromise, known as a "supply chain attack", means that any Nano bought from a third-party seller, for instance on eBay or Amazon, could potentially have been tampered with and rendered vulnerable to theft, according to Quartz.

Rashid described the process as "trivial" in a subsequent blog post, leading Ledger's CEO Eric Larcheveque to accuse him of carrying out an "unfortunate publicity stunt".

The company's chief security officer Charles Guillemet said the crack Rashid had discovered was "serious but not critical" and that a security update for the Nano S was now available with a fix for the Blue to follow within weeks.

The discovery raises fresh concerns about the safety of the cryptocurrency sector, which has been routinely criticised as an unregulated Wild West since its inception in 2009.

While market leader bitcoin prides itself on the security of its blockchain - the public ledger that records all transactions - other aspects of this emerging industry like wallets and exchanges are less watertight.

An attempted raid on the Chinese digicoin marketplace Binance earlier this month provided one example of the crypto sector's vulnerability, the US Federal Trade Commission's lawsuit against a group of pyramid scammers another.

Twitter, Google and Facebook have all banned cryptocurrency promotions since the turn of the year in a bid to protect consumers while the UK's Chancellor Philip Hammond yesterday announced the formation of a new task force to serve British interests.
