Ledger’s White Hat Team Discovers Flaw in Tangem Cards, Making Brute Force Attacks Possible

French crypto hardware wallet maker Ledger recently revealed that its white hat team, the Ledger Donjon, discovered a flaw in Tangem cards that reportedly makes “brute force attacks possible.” As always, the team at Ledger claims that it followed so-called “responsible disclosure,” but can now share its findings in full.

Tangem cards are credit-card-shaped hardware devices that are used as a non-custodial cold storage wallet for cryptocurrency. The cards reportedly come in a set of two or three, feature a secure chip, and use Near Field Communication (NFC) in order to connect wirelessly with smartphones through the Tangem app. This aims to offer a more convenient way “to use a highly secure cold wallet.”

As explained in a blog post, Ledger Donjon discovered a relatively new online brute-force attack against Tangem cards that reportedly exploits vulnerabilities in their secure channel implementation leveraging a “tearing” technique.

As noted in the update from Ledger, this allows attackers to bypass the card’s security delay mechanism after failed authentication attempts, “enabling them to try approximately 2.5 passwords per second, significantly accelerating the time to crack passwords, especially weak ones.”

The vulnerabilities cannot be patched on existing cards because they’re “not upgradable.” Users are advised to use “strong passwords (at least 8 characters with a mix of digits, letters, and symbols).”

Ledger claims that all findings have been disclosed responsibly “with a delay of 90 days.” Tangem’s assessment of the Donjon’s report concluded “that it won’t be classified as a vulnerability.” In their opinion, the proposed attack “scenario does not pose a significant risk.”

Without robust password policies, users employing “weak passwords face considerable risk, as they cannot rely on the security delay countermeasure.”

As clarified in the update, this attack requires physical access to a Tangem card. Although the setup cost is relatively low, “making it accessible to a wider range of attackers, the need for physical proximity to the target card remains a prerequisite.”

The update also noted that this vulnerability enables a brute-force rate that is considered to be a major increase from the “usual security delay rate of 1 password every 45 seconds.”

This accelerates password brute-forcing by “over a hundred times compared to relying on the security delay countermeasure.”

Further optimization and specialized hardware “could enhance this brute-force rate.” It’s clear now that even hardware wallets are not a fully secure way of storing digital assets. Users must always remain alert and vigilant. Crypto security is not just the responsibility of service providers. Rather, it is a shared responsibility that requires cooperation and consistent effort from both end-users and product development teams.
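To put the two quoted rates in perspective, here is an added example (not code from Ledger, the Donjon or Tangem) that checks a password against the advice given above and estimates the average brute-force time at 2.5 attempts per second versus one attempt per 45 seconds. It assumes the attacker knows only the password length and which character classes it uses, and uses Python's punctuation set as a stand-in for Tangem's symbol set.

```python
import string

# Attempt rates quoted in the Ledger Donjon write-up (passwords per second).
TEARING_RATE = 2.5          # with the security delay bypassed by tearing
DELAY_RATE = 1 / 45         # normal security delay: one attempt every 45 s

SYMBOLS = string.punctuation  # assumed stand-in for Tangem's symbol set


def character_classes(password: str) -> set:
    """Return the classes (digit, letter, symbol) the password draws from."""
    classes = set()
    for ch in password:
        if ch.isdigit():
            classes.add("digit")
        elif ch.isalpha():
            classes.add("letter")
        else:
            classes.add("symbol")
    return classes


def meets_policy(password: str) -> bool:
    """Tangem's advice: at least 8 characters mixing digits, letters and symbols."""
    return len(password) >= 8 and character_classes(password) == {"digit", "letter", "symbol"}


def keyspace(password: str) -> int:
    """Number of candidates to cover, assuming the attacker knows only the
    length and the character classes in use (an assumption of this estimate)."""
    sizes = {"digit": len(string.digits), "letter": len(string.ascii_letters), "symbol": len(SYMBOLS)}
    alphabet = sum(sizes[c] for c in character_classes(password))
    return alphabet ** len(password)


def expected_seconds(password: str, rate: float) -> float:
    """Average time to hit the password: half the keyspace at the given rate."""
    return keyspace(password) / 2 / rate


def speedup() -> float:
    """How much faster the tearing rate is than waiting out the security delay."""
    return TEARING_RATE / DELAY_RATE


if __name__ == "__main__":
    for pw in ["123456", "Tangem1!", "Tr0ub4dor&3x"]:  # constructed sample passwords
        hours = expected_seconds(pw, TEARING_RATE) / 3600
        days = expected_seconds(pw, DELAY_RATE) / 86400
        print(f"{pw!r}: policy ok={meets_policy(pw)}, "
              f"tearing ~{hours:.1f} h, with delay ~{days:.1f} days")
```

A six-digit code falls in roughly 55 hours on average at the tearing rate, against about 260 days behind the delay, while an eight-character mixed password pushes both figures far beyond any practical attack window.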
