Uncovered Vulnerability in Tangem Cards by Ledger

Tangem Card Bitcoin Wallet Users Alert: Details of Vulnerability Found by Ledger Team and Immediate Information

A vulnerability has been discovered in Tangem's hardware wallet cards, according to the findings of the Ledger security team. The issue, rooted in a weakness in the cards' Secure Channel communication, could compromise the security of these card wallets.

The vulnerability allows brute-force attacks on the password protection system: the researchers were able to determine from electromagnetic emissions whether a password input was correct, and could make around 2.5 attempts per second. At that rate a four-digit PIN could be cracked in about an hour, while longer passwords can be cracked significantly faster than normal.

Tangem, however, argues that the attack is a complex hardware experiment with limited practical relevance. The company claims that the chip would not withstand such an attack, as it would damage the embedded flash memory, making the attack impractical.

Entering an incorrect password does not permanently increment the internal counter, allowing for unlimited attempts without the usual delays. This feature, while designed for user convenience, exacerbates the risk of brute-force attacks.

It's important to note that physical access to the Tangem card is a prerequisite for the attack. This means that users should take extra precautions to secure their cards, especially when not in use.

For long-term storage of larger amounts, it's advisable to opt for more suitable solutions such as classic hardware wallets with a display, an update function, and possibly multisignature setups. These features provide additional layers of security and make such wallets more suitable for storing larger amounts of cryptocurrency.

Tangem's access code protection allows users to create robust codes from any combination of numbers and characters, with a minimum length of four digits. While this is a step towards improving security, choosing a strong password is crucial, especially for Tangem card users. Long, random passphrases consisting of a mix of numbers, letters, and symbols can significantly reduce the risk of brute-force attacks.
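The figures above (around 2.5 attempts per second, a four-digit code in about an hour) can be turned into a length check for an access code. This is an added example, not code from Ledger or Tangem; the function names and the doubling delay schedule in `delay_after` are assumptions made for illustration.

```python
# Added example. ATTEMPTS_PER_SECOND is the rate the article reports;
# the delay schedule is an assumed illustration, not Tangem's behaviour.
ATTEMPTS_PER_SECOND = 2.5
YEAR = 31_557_600  # seconds in 365.25 days


def delay_after(failures, base=1.0, cap=60.0):
    """Assumed wait after the n-th stored failure: doubles, then caps."""
    steps = min(failures - 1, 32)  # bound the exponent so the float cannot overflow
    return min(base * 2 ** steps, cap)


def exhaust_seconds(keyspace, counter_persists=False):
    """Worst-case seconds to try every code in a space of `keyspace` codes."""
    guessing = keyspace / ATTEMPTS_PER_SECOND
    if not counter_persists:
        return guessing  # failures are never stored, so no wait applies
    # Every guess except the last one fails and adds its enforced wait.
    return guessing + sum(delay_after(n) for n in range(1, keyspace))


def min_length(alphabet_size, target_seconds):
    """Shortest random code whose whole space outlasts `target_seconds`
    at the reported rate when no failure counter protects it."""
    needed = target_seconds * ATTEMPTS_PER_SECOND
    length = 1
    while alphabet_size ** length <= needed:
        length += 1
    return length


def human(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", YEAR), ("days", 86_400), ("hours", 3_600)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"


if __name__ == "__main__":
    alphabets = (("digits", 10), ("letters+digits", 62), ("printable", 94))
    for name, size in alphabets:
        for length in (4, 6, 8):
            print(f"{name:15} length {length}: {human(exhaust_seconds(size ** length))}")
        print(f"{name:15} needs {min_length(size, 10 * YEAR)} characters for 10 years")
    print("4 digits, stored counter:", human(exhaust_seconds(10 ** 4, True)))
```

Under the assumed schedule, a stored counter only stretches a four-digit code from about an hour to about a week, so the length and alphabet of the code carry most of the protection.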

Card wallets like Tangem lack a display for verifying transactions, which is another potential security concern. This means that users cannot easily verify the details of a transaction before confirming it, increasing the risk of errors or unauthorised transactions.

Moreover, Tangem cards cannot be secured via firmware updates, leaving already shipped cards potentially vulnerable. This is in contrast to other hardware wallets that can be updated to patch any security vulnerabilities as they are discovered.

In the incident attempting to exploit the lack of transaction verification in card wallets, it was found that the vulnerability can be exploited even if only a single high-value card is targeted. This underscores the importance of taking precautions when using these types of wallets.

The hardware wallet cards identified as vulnerable by the Ledger security team were manufactured by Ledger. While this may raise questions about the security standards of both companies, it's important to note that the vulnerability has been documented and can be reproduced by the Ledger team.

In conclusion, while Tangem's hardware wallet cards offer convenience and portability, their security features may fall short when compared to other hardware wallet solutions. Users of Tangem cards should not permanently store larger amounts on a single card wallet and should consider using longer, more complex passwords to reduce the risk of brute-force attacks. Additionally, it's advisable to explore other hardware wallet options that offer more robust security features.
