Although hardware wallets are considered the gold standard in cryptocurrency cold storage, they are only truly secure when used correctly, and must not have passed through a third-party before reaching your hands.
Unfortunately, one of the most common methods to compromise the security of a hardware wallet is through what is known as a ‘man in the middle’ attack. In essence, this essentially means that what would otherwise be a perfectly secure hardware wallet is first intercepted or modified somewhere along the supply chain before reaching its intended owner.
When intercepted, the attacker would apply an exploit, or otherwise subvert the security of the device in a variety of ways — many of which prey on customer’s lack of awareness regarding proper security protocols.
If you have just got our hands on a Ledger Nano S, we recommend performing the following checks before trusting it with your funds.
Check for Tampering
When receiving your Ledger Nano S, you should automatically notice that the package does not come with a security seal, or tamper-proof sticker, but is instead simply wrapped in cellophane.
Because Ledger is confident in the security of their device, it was decided that these superficial security practices were not necessary, since the Ledger device itself is secure by design. However, while though there are no known ways to compromise the Ledger secure chip, it is a good idea to check that your Ledger device has not been structurally compromised.
To do so, check whether the device appears to have been disassembled. If there is evidence that the casing has been pried open or modified in any way, we do not recommend using the device, since there is always the chance that a new exploit could have been found.
Beyond this, if you did not purchase your device from an authorized Ledger reseller, there is a chance that you could be shipped a counterfeit device, and will need to proceed to perform an authenticity check below.
Verify the Device Authenticity
One of the surest ways to verify whether your Ledger Nano S has been tampered with is by performing a hardware authenticity check.
When Ledger devices are created, they are built with a secret key that can be used to verify its authenticity, allowing it to interact with Ledger applications, whereas counterfeit devices will fail this check.
To verify whether your device is authentic, simply connect it to your computer using an official Ledger USB cable, load up Ledger live, and attempt to connect to Ledger manager. If you are able to successfully connect to Ledger manager with your device, then there is a very good chance that it is genuine, and it should be safe to use.
Ensure the Device is Unused
As of writing, there are no known attack vectors that can successfully exploit an unused Ledger wallet. However, there are known examples of Ledger devices being intercepted on the way to the recipient, with a pre-generated seed phrase and password being supplied with the device.
Of course, since the seed phrase allows you to recover your wallet should you ever lose your device, this also means that the person who intercepted the device to generate this code can also do so. Normally, the attacker would supply the defective device, wait a certain amount of time until the new owner generates a sizeable portfolio, before using the seed to steal their funds.
If your device comes with a pre-generated recovery code, or prompts you to enter a password when connecting the device for the first time, then it is very likely that your device has compromised. If you’re sure the device is an authentic Ledger device, it should be safe to simply enter the wrong password three times to reset the device, before setting it up again to generate a new seed phrase using this tutorial.
Image credits: Ledger