UPDATE 03/20/2018 – FULL REPORT HAS BEEN RELEASED. Some of the initial speculation regarding the exploit was correct and some was less so. If you have not updated to the latest firmware, go ahead and do so now.
Full report: https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/
Ledger released a new Firmware version (1.4.1) for the Ledger Nano S. "Firmware" is the embedded software on a device that acts as the operating instructions for that device.
The Firmware update makes some changes to the user interface and adds support for up to 18 cryptocurrency apps installed on the device at one time; this was a big complaint about the previous firmware, which only allowed 4 or 5 apps to be installed at any one time. The new Firmware also adds a way to lock the device with a 3 second press of both buttons, a step that forces users to confirm their recovery seed backup during setup (a good thing), and some optimizations to the speed of the device.
Those are all positive updates, but the security fix included in the firmware, the one you are most likely to hear about, is the resolution of an exploit related to exposing the private key on the device. You should install the new Firmware ASAP; with the information currently released, the chance of you being impacted by the exploit is unknown. Here is a quote from the Ledger update:
Important note: there are some claims on Reddit and Twitter about a critical security issue being found on the Nano S. This is incorrect. The issues found are serious (that’s why we highly recommend the update), but NOT critical. Funds have not been at risk, and there was no demonstration of any real life attack on our devices. We will disclose all technical details after March 20th.
From the information we have reviewed (full reports will not be released until late March, which gives people time to patch before the full details are public), the attack to expose a device's private key would require physical access to the device before the seed was created, a third party installing a specific firmware or application, and access to the computer you use with the Ledger in order to install specific software and perform specific transaction processes. (Again, this is early information and some of it may be speculation at this point, as Ledger and the security researcher who discovered the bug have not released a full report.) Ledger has confirmed that there are no reported cases of this bug being exploited in the real world; it has only been reproduced in a lab.
More detailed information on the new features included in this update:
New features to significantly improve user experience…
The number of apps which can be loaded onto the Nano S at the same time can be raised to up to 18 (depending on the cryptocurrencies – see FAQ), thanks to some refactoring on the BOLOS app management. As a reminder, deleting an app does not impact your cryptocurrency holdings: when the app is reinstalled, the original balance is retrieved.
The screen lock management has been slightly modified. A long press (3 seconds) on both buttons of your Nano S when it is in use (whether in the dashboard or while using apps) will enable you to lock the screen.
To ensure that the user has correctly backed up the 24 words, all of them must now be confirmed during the onboarding.
Several other optimizations have been implemented in order to improve the user experience. For instance, the device is now faster using some cache optimizations.
We do recommend you update as soon as possible, both to correct this bug and for the new features. While we understand the widespread concern about such bugs, it is important to realize that with each bug and the resulting patch/update, the systems and devices become stronger and more secure.
*Note: heavy load on the Ledger servers serving the Firmware update may cause some delays in downloading it. If you are not able to update right away, wait a little while and retry.
Link to the Ledger Firmware update information page: https://www.ledger.fr/2018/03/06/new-firmware-update-1-4-1-available-for-the-nano-s/
Link to the Firmware Update instructions: https://support.ledgerwallet.com/hc/en-us/articles/360001340473