9 July 2020: JTAG/SWD Protocols Enabled on STM32WB55 Unsecured Processor
Debug interfaces were left enabled on Ledger Nano X MCU, STM32WB55. This processor is responsible for USB and Bluetooth communication between the Secure Element and the client (computer or mobile device).
These interfaces were initially enabled to allow advanced users to check the integrity of the code running on the MCU, by reading the flash content of the MCU. This requires connecting a debugger to the physical JTAG interface of the chip. Debugging capabilities are permanently switched off as soon as an application is installed. This feature is documented on Ledger’s website FAQ.
In the Nano X threat model, this processor can be fully compromised while funds, handled by the ST33 Secure Element, remain secure. However, replacing the code on this chip can lead to several attack scenarios, as showed by the Kraken Security Labs.
Several attacks can be conducted:
- “Rubber Ducky” attacks: an attacker can flash the chip with a physical access, and transform it into a malicious device, for example by emulating a USB keyboard.
- Social engineering: a PIN driving the screen is connected to the STM32WB55. An attacker can, with a firmware modification, turn off the screen and try to trick a user by asking him, with a fake website, to press various buttons until he validates a transaction.
The Secure Element chip is not affected, nor code running on it or user secrets.
These attacks cannot be performed once an application has been installed on the device. They can be led for example in a supply chain attack scenario.
Do not press buttons if a fake website asks you to do so while your screen is switched off.
A firmware update, 1.2.4-2, has been released. It fixes the vulnerability by checking the integrity of the whole MCU by the Secure Element at each boot, like on the Nano S.
Update can be installed through the latest Ledger Live.
Debug interfaces are disabled on all the newly manufactured devices.
We would like to thank the researchers from the Kraken Security Labs who reported the vulnerabilities through our bug bounty program.