Derivation path vulnerability in Bitcoin derivatives

On the 2nd of May 2020, a security researcher reported a vulnerability in the Bitcoin derivative apps (Litecoin, Dogecoin, etc.) that could be used to trick users into signing a transaction for a different coin than the one they want to sign for. 

Making use of this vulnerability, a malicious wallet could pretend to make a Dogecoin transaction while the user is in fact signing a Bitcoin transaction, for example.

What’s the current situation?

Version 1.4.6 of the Bitcoin app fixes the issue in the Bitcoin derivative apps and will be released today, on August 5. With this version, whenever a user requests an address or tries to sign a transaction on a derivation path not belonging to the coin application that is opened on the Ledger hardware wallet, a warning will be displayed.

What can I do to protect myself?

Update the Bitcoin app to version 1.4.6 in the Manager in Ledger Live. This will automatically update all Bitcoin derivative apps. As the issue is specific to Bitcoin derivative apps, you can continue to use other apps without any concern.

How does the Bug Bounty Program work?

Ledger has a Bug Bounty Program whose goal is to allow external security researchers to report vulnerabilities in Ledger products. Basically, once a security researcher reports a potential vulnerability through the bounty@ledger.fr email address, the following steps occur. The security team first acknowledges receipt of the email and a 90-days deadline is set. The issue starts being investigated and, if confirmed, it means that:

  • The teams involved do their best to fix the issue within 90 days. This 90-days deadline, initially set by Google Project Zero, is now common across the industry.
  • Once the deadline is reached, the researcher is allowed to publish his/her findings.
  • If the issue is fixed sooner and if there is a mutual agreement between the security researcher and the security team, the disclosure might happen before the 90-day deadline.

During these 90 days, the security team coordinates with other Ledger teams (engineering, testing, etc.) in order to develop and review a patch that fixes the vulnerability. Meanwhile, a Ledger Security Bulletin is written to share the technical details with external security researchers and publicly track the security issues reported through the Bug Bounty Program.

Once a new version of the app or the firmware is made available, a reward amount is paid to the security researcher, the security bulletin is published and the security researcher is allowed to publish his/her findings.

What went wrong with this vulnerability?

In this case, we regret not having respected the disclosure deadline, leading the security researcher to publish a blog post on his website before a fix was made available for the users.

Besides other issues being handled at the same time, internal discussions to find an appropriate fix and coordination with other engineering teams took longer than expected. This led to a new version of the Bitcoin app being published after the scheduled deadline (that was set to 90 days after the vulnerability report). 

Miscommunication didn't help to solve the issue sooner. The reporter sent Twitter DM messages that were missed by most of the security engineers. Indeed, the bounty@ledger.fr email address is the only way to reach the whole security team.

What is the vulnerability?

The Ledger Nano S and Nano X are Hierarchical Deterministic (HD) wallets. This means that they can derive different cryptographic secrets from a single seed coming from the 24-word recovery phrase that users write on their Recovery sheet. Some of these secrets are used to sign cryptocurrency transactions.

Each application is usually restricted to their specific HD paths. For instance, the Zcoin app is allowed to use its own derivation path (m/44'/136’/) and cannot derive keys on the Dogecoin derivation path (m/44'/3'/). This path restriction was not enforced for the Bitcoin app and most of its derivatives, allowing a Bitcoin derivative (eg. Litecoin) to derive public keys or sign Bitcoin transactions. 

An attacker who managed to install malware on the victim computer or smartphone can trick users into accepting to sign a Bitcoin transaction using an altcoin app on their Ledger Nano S/X app instead of the Bitcoin app.

This vulnerability does not enable attackers to extract any secrets from the Ledger devices such as the private keys used to sign transactions. It also does not enable attackers to bypass the PIN authentication. Thus, the physical device security remains untouched.

More technical details can be found in the Ledger Security bulletin 014: Path derivation too permissive in Bitcoin derivative apps.

Why do you display a warning instead of blocking such transactions?

If these transactions would be blocked, this would lock the funds of many of our users. This is an industry-wide problem caused by the structure of early Bitcoin forks - transactions are indistinguishable from the point of view of an offline signing device.

My Ledger device displays a warning about an unusual derivation path or an unusual sign path, what does it mean?

If you see this warning, it means the wallet application you are using does not use the correct derivation path linked to the coin application you opened. Please verify that the derivation path is correct before you sign such a transaction.

Updating the Bitcoin app to version 1.4.6 fixes the vulnerability for all Bitcoin derivative apps. This version should not introduce any visible changes for Ledger Live users. 

A new message The derivation path is unusual is shown when exporting public keys for a Bitcoin derivative that does not respect the coin type of the application. Likewise, a new message The sign path is unusual. Reject if you're not sure is shown when signing a transaction. 

However, users of third-party wallets (Electrum, Magnum Wallet, etc.) might also see this warning message even if the public key or signature request comes from a legitimate wallet. This is due to the fact that these wallets use an incorrect derivation path, which can also be valid for Bitcoin. Unfortunately, there is no way for the app on your Ledger device to tell whether this path is legitimate. We encourage developers to derive and sign on the correct derivation path.

Was this article helpful?
19 out of 41 found this helpful