A vulnerability was found in the Bitcoin app and Bitcoin-based applications with Segwit support allowing an attacker to increase the transaction fees without the user noticing.
It is quite unlikely that this vulnerability is to be applied in practice since it only allows the transaction fees to be increased, coins cannot be stolen. More information about the vulnerability is available in this Ledger Security Bulletin.
Users are recommended to update to Ledger Live desktop version 2.4.1 and updating the Ledger Bitcoin app to version 1.4.0 in My Ledger, these updates contain a fix for the vulnerability.
Frequently Asked Questions
How could an attacker exploit this vulnerability?
The attack requires the client application to be compromised. This could be done by tricking users into installing a fake version of Ledger Live or any other wallet application. Then, when making a transaction with at least one Segwit input the user has to be tricked into making multiple transactions of which the inputs are then later combined. The attacker may then broadcast a transaction to the network with much higher transaction fees.
Has this vulnerability been exploited?
We have not seen any reports that this vulnerability has been exploited on Ledger wallets or on any other wallets. It is quite unlikely that someone would try to exploit it since the attacker cannot directly steal any coins.
How do I protect myself against this vulnerability when using Ledger Live?
If you are only using Ledger Live, you should update Ledger Live and install the latest Bitcoin application. This will protect you against anyone exploiting the vulnerability.
- Quit and restart the Ledger Live desktop application.
- Click on Download now on the update notification banner (which may take a few moments to appear). You can also download and install version 2.4.1 directly.
- Go to My Ledger and click on the Update All button to update all applications on your Ledger device. Your device will now run version 1.4.0 of the Bitcoin app.
How do I protect myself against this vulnerability when using a third-party wallet?
You should install the latest Bitcoin application in My Ledger. When you are making a transaction that could potentially be exploited, a warning will be displayed on your Ledger device. You can either cancel the transaction or proceed nonetheless.
We encourage you to reach out to third-party wallet developers to request they update LedgerJS in order to fix the vulnerability on their side.