17 May 2021: Length-extension attack on SCP.
A length-extension attack was found on the Secure Channel established between the Ledger Nano devices and Ledger’s HSMs. It allows to downgrade the security of the MAC to 2^15 instead of 2^128.
Breaking the MAC allows to create a padding-oracle attack, as padding was not fully checked in a certain mode. It allows an attacker to decrypt a block of application data and firmware updates. However, as applications are open source and firmware updates have an additional layer of encryption, impact is limited.
Fixes are available in:
- Firmware 2.0.0 (Ledger Nano S)
- Firmware 1.3.0 (Ledger Nano X)
Loading and upgrading BOLOS
The load and upgrade of BOLOS and Nano applications are performed using a secure channel. This secure channel is inspired from the Global Platform SCP-02 standard, modified by replacing T-DES with AES. This protocol, based on an Encrypt then MAC scheme, guarantees authenticity and confidentiality.
Every chunk of data exchanged between a device and Ledger’s HSMs are authenticated using a MAC. For historical reasons, CBC-MAC was chosen. This mode is secure if a single key is used for messages of a fixed length.
However, this method not secure for only secure with fixed-length messages. If an attacker knows two messages-tag pairs, he will be able to generate a third message and its authentication tag.
As the tag in SCP is truncated to 14 bytes, attacker has to perform a bruteforce on 2^16 values to retrieve the 2 missing bytes and achieve the length-extension attack.
Padding oracle attack
Another weakness has been identified on the check of a padding scheme (ISO/IEC 9797-1 method 2), also used for historical reasons. Padding attacks on such scheme is a bit different from the “classic” padding attack on the PKCS #7 mode.
Combining these two vulnerabilities allows, in practice, to decrypt the last block of data sent by the HSM in a communication between an HSM and an app, in a couple of hours.
Two workarounds have been implemented:
- ISO/IEC 9797-1 method 2 padding is fully checked in constant time.
- Secure channels are immediately closed once an error is detected.
Additionally, a new secure channel protocol will be deployed in subsequent firmware releases.
Impact on Ledger devices
There is no impact regarding the security of the device. Even if firmware updates are encrypted, Ledger device security does not rely on the confidentiality of the apps or the firmware.
On the contrary, what is important from a user perspective is to be able to prove the genuineness of the device and the authenticity of the firmware. Those two security claims remain intact.
We would like to thank the security researcher Timothée Isnard from Tanker who discovered the vulnerability and reported it through our bug bounty program.