Threat Model - Transport Security

USB is the standard way to communicate with Ledger signers while the Ledger Nano X, Nano Gen5, Stax and Flex also feature Bluetooth Low Energy (BLE) connectivity.

As these protocols expose a broad attack surface, there is a dedicated and untrusted piece of hardware, the MCU, whose main role is to implement these communication protocols. Once the packets are decoded by the MCU, their content is forwarded to the Secure Element which has little to no knowledge about the original communication protocol. Specifically, under Ledger signers threat model, USB and BLE transports are considered as the outside world (cf. Security model of BLE for Nano X). No security assumption is done on the data coming from them.

Associated Threats: The Operating System of the user can be compromised and send ill-formed USB/BLE packets. This could be leveraged by an attacker to exploit vulnerabilities, eventually leading to arbitrary code execution on the MCU and to access to the communication channel with the Secure Element. If doing so increases the attack surface of the Secure Element (compared to communicating with the Secure Elements over USB or BLE), it would be a threat against this property.