A security flaw allowing hackers to brute force the PIN code of Tangem’s cold wallet cards by cutting off their source of power was revealed yesterday by Ledger’s white hat hacker team, Donjon.
Ledger CTO, Charles Guillemet, announced the “tearing attack” on X after disclosing the exploit to the rival hardware wallet firm. Unfortunately for Tangem, Donjon noted that it can’t be patched on existing Tangem cards.
The attack relies on Donjon’s discovery that cutting a Tangem card’s source of power before it acknowledges a password attempt stops it from registering a failed password.
A hacker would then need to determine if they’ve found the right password.
Donjon discovered that by analyzing the card’s electromagnetic emissions during each attempt, they can see a pattern of peaks indicating that the correct combination was found.
By doing this, hackers can attempt as many passwords as they like without fear of activating any security protocols.
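The ordering problem described above, as an added example in C that is not Tangem’s firmware or Donjon’s test code: a generic model in which the failed-attempt record is written either after or before the comparison. The `card` struct, the three-attempt limit and the `power_cut` flag are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a PIN-protected card; names and limits are illustrative. */
enum { MAX_FAILURES = 3 };
typedef enum { PIN_OK, PIN_WRONG, PIN_BLOCKED, PIN_TORN } pin_result;
typedef struct { const char *pin; int nv_failures; /* non-volatile counter */ } card;
typedef pin_result (*verifier)(card *, const char *, bool);

/* Compare-then-record: the failure is written only after the comparison,
 * so losing power in between leaves no trace of the attempt. */
pin_result verify_record_after(card *c, const char *guess, bool power_cut)
{
    if (c->nv_failures >= MAX_FAILURES) return PIN_BLOCKED;
    bool match = strcmp(c->pin, guess) == 0;
    if (power_cut) return PIN_TORN;           /* card dies here: nothing written */
    if (match) { c->nv_failures = 0; return PIN_OK; }
    c->nv_failures++;
    return PIN_WRONG;
}

/* Record-then-compare: the attempt is charged to the counter first and
 * refunded only on success, so a torn attempt still counts as a failure. */
pin_result verify_record_before(card *c, const char *guess, bool power_cut)
{
    if (c->nv_failures >= MAX_FAILURES) return PIN_BLOCKED;
    c->nv_failures++;                         /* committed before any comparison */
    bool match = strcmp(c->pin, guess) == 0;
    if (power_cut) return PIN_TORN;           /* counter was already updated */
    if (match) { c->nv_failures = 0; return PIN_OK; }
    return PIN_WRONG;
}

/* Run n wrong guesses that all lose power mid-attempt; return the counter. */
int failures_after_torn_attempts(verifier verify, int n)
{
    card c = { "4821", 0 };                   /* constructed sample PIN */
    for (int i = 0; i < n; i++) verify(&c, "0000", true);
    return c.nv_failures;
}

int main(void)
{
    printf("record-after:  %d failures logged\n", failures_after_torn_attempts(verify_record_after, 10));
    printf("record-before: %d failures logged\n", failures_after_torn_attempts(verify_record_before, 10));
    return 0;
}
```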
Donjon says it would normally take five days to brute force a four-digit code with Tangem’s security protections, and roughly 148 years to brute force an eight-digit code.
However, the “tearing attack” reduces this time to ~1 hour for a four-digit code, and ~460 days for an eight-digit code, as it allows for two and a half password attempts every second.
It estimates that the cost to carry all this out would come to $5,000, adding that, “While the setup cost is relatively low, making it accessible to a wider range of attackers, the need for physical proximity to the target card remains a prerequisite.”
Regardless, there’s not much that can be done to fix the exploit for the current Tangem cards out there, as the flaw can’t be patched. As such, Donjon’s advice for at-risk users is to use an eight-character or more password with a mixture of letters, numbers, and symbols.
Tangem isn’t fazed about card findings
According to Donjon, Tangem wasn’t fazed by the findings and concluded that the issue isn’t a vulnerability. “In their opinion, the proposed attack scenario does not pose a significant risk,” Donjon claimed.
Because of this, a Donjon representative told Protos that Tangem didn’t award them a bounty, despite Donjon “following the responsible disclosure process.”
Indeed, Tangem told Protos that it rewards “practical, real-world vulnerabilities,” and not “a theoretical lab attack that is self-defeating by design and requires immense resources.”
According to Tangem, Donjon’s method would essentially “physically destroy the card’s chip long before an access code could be guessed.”
It said that even if it survived, cracking a four-digit code would take months, and over 64 years if it was five digits.
“The research oddly focused on four-digit PINs, while our cards support much stronger alphanumeric access codes with symbols, making the real-world challenge exponentially harder.
“For these reasons, the scenario remains purely academic. While the research is technically interesting, it does not represent a practical vulnerability or risk to our users,” Tangem concluded.
Donjon, however, found Tangem’s response to its findings “disappointing,” and called its arguments “inaccurate.”
- Donjon claims the cards it tested never died, and that “the tearing process means there’s no writing done to the flash memory to wear it out.”
- It insists that the exploit would speed up the brute force attack by “100x,” especially for weak passwords, which Tangem rejects.
- Donjon also says it wasn’t a “sophisticated attack” thanks to the low cost, and the fact that this security test is required for a Basic level certification, such as an “EAL 3 grade.”
Ledger isn’t perfect either
Donjon Ledger is a security research team at the crypto hardware wallet firm Ledger. Beyond helping Ledger, it says, “From time to time, the team also works on improving the security of the ecosystem.”
There have been instances, however, where Ledger exploits have led to consequences felt by its users.
In 2023, a supply chain attack that followed the breach of a former employee’s account allowed hackers to drain the wallets of users who use Ledger’s Connect Kit.
In July 2020, Ledger revealed its e-commerce and marketing database had been breached, exposing the personal details of many of its customers.
By December, this data was leaked, and a series of scammers began sending fake Ledger wallets to exposed customers.
Source: https://protos.com/tangem-wallet-brute-force-vulnerability-revealed-by-rival-ledger/