OLED screen (minor) vulnerability

After a thorough review, the vulnerability was considered to be non-critical. To summarize, the attack scenario detailed below remains theoretical and less practical than simply installing a camera in a room to read the screen of a victim’s hardware wallet. Nonetheless, this interesting attack vector is a good reminder that using your hardware wallet in a secure environment is paramount for the security of our users’ crypto assets.

Despite a low threat level, we reproduced the setup reported by Christian Reitter to investigate the vulnerability and has developed countermeasures against it. These countermeasures will be included in regular firmware updates for the Ledger Nano S and Ledger Nano X, scheduled for Q4 of 2019.

Please see below for technical details on the vulnerability and how our team has worked to fix it.

The context

Like many hardware wallets, the Ledger Nano S and Ledger Nano X include an OLED screen to display sensitive information. In the case of Ledger’s products, the following information is displayed on the screen:

• The confidential recovery phrase during the setup,
• The PIN code entered to unlock the device.

As this information is confidential, we always recommend our users to operate their devices in a secure environment. In an unsafe place, someone could eavesdrop and gain access to critical information, and thus to your crypto assets.

The OLED side-channel attack explained

The vulnerability is based on the fact that the common SSD1306 OLED screen type used in the Ledger Nano S, Nano X and other embedded security devices has an increased power consumption when displaying screen contents with many bright pixels. As such, a direct correlation was found between the number of illuminated pixels on each row of the display and the total power consumption of the device at a particular moment.

An attacker with the ability to perform a power consumption analysis of the device while it is displaying secrets on the screen could conceivably use this partial information of the pixel distribution of each row to recover confidential information through statistical analysis. In particular, this is relevant for the 24 seed words or the PIN code.

To exploit this side-channel, the voltage potential over a so-called shunt resistor in the USB cable towards the target device has to be accurately measured, which is possible without any modifications to the hardware wallet itself. In a laboratory setting, this is done via bulky measurement equipment such as an oscilloscope or software-defined radio.

One could speculate about the fact that the required measurement equipment could be reduced so far in size that it would fit directly in hollow sections of a malicious USB cable or a power bank. Although deemed highly impractical, we also looked into how this type of malicious hardware could, in extreme conditions, be used to affect end users of the device through a supply-chain attack or evil maid attack. No evidence was found of the existence of such a hardware implant.

What we did to mitigate it

As with all security research, we took this vulnerability disclosure seriously. The first thing we did was to reproduce the researcher’s setup and observe the screen information leakage on a modified USB cable.

The setup we used: a Ledger Nano S connected to a modified cable: A resistor + power probe connected to an oscilloscope show the real-time power consumption of the device (the trace in green). Each repeated pattern corresponds to an entire screen update of the PIN interface on the Nano S device.

We then pushed their study further and mounted a side-channel attack to the point where they could actually distinguish words of a recovery phrase. This allowed us to understand the nature of the leakage exposed by the vulnerability and gave us ideas for countermeasures.

To counteract the screen vulnerability we propose a set of countermeasures:

• Act on the parameters of the screen update mechanism by continuously and randomly modifying physical parameters such as contrast, power supply, frequency of oscillation.
• Modify the screen display: all sensitive information (recovery phrase, PIN digits) will be displayed within boxes in inverted pixel mode. Since the power consumption is somehow proportional to the number of pixels set, inverting the displays adds some white noise.

When applying these countermeasures, we significantly reduce the dependency between what is displayed on the screen and what can be captured from the power consumption analysis. The countermeasures will be included in our next firmware updates, to be announced in September.

As an illustration of the work we have done on the screen display, here are two pictures showing the real-time power consumption of a Ledger Nano S before and after implementing the countermeasures.

Without the countermeasure: the exact same pattern is repeated every 5.5 ms (every screen update)

The countermeasure drastically alters the pattern by adding noise to the power consumption

Keeping users safe

As always, users of Ledger Nano S and Ledger Nano X should update their hardware wallets with upcoming firmware updates, to be released in Q4 2019. We further recommend users to set up their hardware wallets by themselves, in a safe place, and storing the recovery phrase securely. Please check this blog post on best practices for safely using your Ledger hardware wallet.

The vulnerability addressed today consists of spying users when they interact with the device. No matter the number of technological countermeasures, these vulnerabilities can never be fully solved. We advise the most prudent of users to use a wall charger to avoid connecting their Ledger Nano S to an insecure computer during setup or, in the case of the Ledger Nano X, only use the device on battery power.

We want to thank Christian Reitter for his finding and the interesting study that ensued. We appreciate his fruitful collaboration and contribution to making everyone’s hardware wallet more secure.

Frequently Asked Questions

Are my crypto assets still secure on a Ledger hardware wallet? Yes. The present vulnerability is theoretically possible, but it has not been demonstrated in practice. Using it to attack users would be less practical than installing a hidden camera to record the user while entering the PIN code or initializing the seed.

Is there anything I can do to make sure I could never be affected by this vulnerability? Since the vulnerability uses a cable connected to the USB port of the hardware wallet, extremely careful users may connect their device to a wall charger of their own during setup or, in the case of the Ledger Nano X, only use it on battery.

Is the Ledger Blue affected? The screen vulnerability applies to OLED screens. As the Ledger Blue features an LCD screen it is not affected by the present work.

Has this vulnerability been exploited? There is no evidence so far that this vulnerability has been exploited.

In case you have any questions regarding the integrity of your Ledger devices, please check the answers to frequently asked questions in our Ledger Support center.