Ledger CTO on Cryptocurrency Security Challenges
CryptoSlate caught up with Ledger’s CTO Charles Guillemet at BTC Prague to discuss a range of topics, from what actually happened during the Ledger ConnectKit incident to the complex challenges of protecting such a high percentage of the world’s digital assets. Guillemet’s background, deeply rooted in cryptography and hardware security, provides a solid foundation for his role at Ledger. He began his career designing secure integrated circuits, which later shaped his approach to building the secure elements used in Ledger devices.
Security Challenges in Blockchain and Bitcoin
During the interview, Charles Guillemet delved into the distinct security challenges posed by blockchain technology and Bitcoin. His insights were shaped by his extensive experience in secure integrated circuits and cryptography.
Guillemet explained that, in traditional bank cards and passports, the security keys are managed by the bank or the state. In blockchain technology, by contrast, individuals manage their own keys. This fundamental change introduces significant security challenges, as users must ensure their assets are protected from unauthorized access and loss. He highlighted:
“In accounting devices you manage your keys, while in bank cards and passports this is the secret of your bank or state. This is the big difference.”
Since users own their value, it becomes imperative to protect it, ensuring that it is not lost or accessed by unauthorized parties. This requires robust measures to prevent software malware from entering and to protect against physical attacks.
“Having a dedicated device is the best way to do this. Additionally, you need to prevent an attacker with physical access from accessing your secrets.”
The CTO also highlighted that the immutability of blockchain makes the security challenge even more significant: a stolen or lost key cannot be reversed. Ledger technology secures over 20% of the market capitalization, equal to approximately $500 billion. This immense responsibility is handled by leveraging the best technology available to ensure safety. Guillemet confidently said that, so far, their approach has been successful, allowing him to sleep well at night despite the high stakes.
Ledger’s response to security breaches and supply chain security
Charles Guillemet addressed Ledger’s approach to handling security breaches, specifically the incident involving Ledger ConnectKit. He described the challenge posed by software supply chain attacks, highlighting the difficulty of completely preventing such attacks.
Discussing the breach, Guillemet recounted how a developer’s account was compromised via a phishing link, giving the attacker the developer’s API key. This allowed the attacker to inject malicious code into the NPM package used by websites that integrate Ledger devices. He highlighted Ledger’s quick response to mitigate the impact:
“We noticed the attack very quickly and were able to kill it very, very quickly. From the moment he compromised access to when we stopped the attack, only five hours passed.”
Despite the breach, the damage was limited thanks to Ledger’s prompt action and the inherent security features of their devices, which require users to manually sign transactions and to verify the transaction details on the device itself.
Guillemet also discussed the broader issue of supply chain security, highlighting the complexity of managing software vulnerabilities. He stressed that while due diligence and best practices can help, completely preventing supply chain attacks remains a significant challenge. He cited an example of a sophisticated supply chain attack:
“LG recently had a package on the UNIX distribution that was backdoored by someone hacking into the open source repository, exploiting SSH servers. It spread to every single server in the world before it was noticed.”
This example illustrates the pervasive nature of supply chain attacks and the difficulty in detecting and mitigating them. Perhaps unsurprisingly, he advocated the use of hardware wallets for securing keys, but he was careful to explain why: they offer a limited attack surface and can be thoroughly controlled and audited.
Human and technical threats to security
Charles Guillemet provided a comprehensive overview of the multifaceted nature of security threats in the blockchain space, encompassing both human and technical elements. He emphasized that attackers are highly results-oriented and constantly evolve their strategies based on the cost and potential reward of their attacks. Initially, simple phishing attacks that tricked users into entering their 24-word recovery phrases prevailed. However, as users became more aware, attackers shifted their tactics towards more sophisticated methods.
Guillemet explained:
“Now attackers are tricking users into signing complex transactions they don’t understand, which leads to their wallets drying up.”
He noted the rise of organized crypto-drainer operations, in which different parties collaborate to create and deploy drainers, sharing the proceeds at the smart contract level. Guillemet predicted that future attacks could focus on software wallets on phones, exploiting zero-day vulnerabilities that can provide full access to a device without user interaction.
Given the inherent vulnerabilities of mobile and desktop devices, Guillemet stressed the importance of recognizing that these devices are not secure by default. He advised:
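The “complex transactions they don’t understand” that Guillemet describes are usually token approvals, and the device-side verification mentioned earlier only helps if the user can see what the calldata grants. The following is an added example, not code from Ledger or the interview: it decodes the standard ERC-20/ERC-721 approval and transfer calls from raw calldata and flags the patterns drainers rely on (unlimited approvals, blanket collection approvals, unknown spenders). The selectors are the well-known first four bytes of keccak256 of each signature; the spender allowlist and sample transaction are constructed for the demo.

```javascript
// Added example: inspect calldata before signing and surface drainer patterns.
// Selectors are the first 4 bytes of keccak256(function signature).
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",
  "a9059cbb": "transfer(address,uint256)",
  "a22cb465": "setApprovalForAll(address,bool)",
};
const UINT256_MAX = (1n << 256n) - 1n;
// Constructed allowlist: spenders the user has deliberately approved before.
const KNOWN_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);

// Read the i-th 32-byte ABI word after the 4-byte selector as a BigInt.
function word(hex, i) {
  const start = 8 + i * 64;
  const chunk = hex.slice(start, start + 64);
  if (chunk.length !== 64) throw new Error("calldata truncated");
  return BigInt("0x" + chunk);
}
const toAddress = (v) => "0x" + v.toString(16).padStart(40, "0");

function inspectCalldata(data) {
  const hex = data.replace(/^0x/i, "").toLowerCase();
  const sig = SELECTORS[hex.slice(0, 8)];
  const result = { method: sig || "unknown", warnings: [] };
  if (!sig) { result.warnings.push("unrecognised function; do not sign blind"); return result; }
  if (sig.startsWith("approve(")) {
    result.spender = toAddress(word(hex, 0));
    result.amount = word(hex, 1);
    if (result.amount === UINT256_MAX) result.warnings.push("unlimited token approval");
    if (!KNOWN_SPENDERS.has(result.spender)) result.warnings.push("approval to unknown spender");
  } else if (sig.startsWith("setApprovalForAll(")) {
    result.operator = toAddress(word(hex, 0));
    result.approved = word(hex, 1) === 1n;
    if (result.approved) result.warnings.push("grants control of every token in the collection");
    if (result.approved && !KNOWN_SPENDERS.has(result.operator)) result.warnings.push("approval to unknown operator");
  } else {
    // transfer(address,uint256): no delegation, but show where the funds go.
    result.to = toAddress(word(hex, 0));
    result.amount = word(hex, 1);
  }
  return result;
}

// Constructed sample: approve(0x2222..., uint256 max), the classic drainer request.
const SAMPLE_APPROVE = "0x095ea7b3" + "2".repeat(40).padStart(64, "0") + "f".repeat(64);
```

Running `inspectCalldata(SAMPLE_APPROVE)` reports an unlimited approval to an unknown spender, which is exactly the information a user needs on screen before confirming on the device.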
“If you think your data is protected on your desktop or laptop, think again. If there is an attacker determined to extract the data, nothing will stop him from doing so.”
He advised users to avoid storing sensitive information such as seeds or wallet files on their computers, as they are prime targets for attackers.
Balancing security with usability is a significant challenge in the crypto wallet industry. Ledger’s approach treats security as its North Star while continually striving to improve the user experience. Guillemet acknowledged that features such as Ledger Recover, which aim to simplify the user experience, have sparked debate. He explained that while these features are designed to help newcomers more easily manage their 24-word recovery phrases, they are entirely optional:
“We are providing options, giving choice. It is an open platform. If you don’t like a feature, you don’t have to use it.”
The goal is to satisfy a wide range of users, from those who prefer full control over their security to those who need more user-friendly solutions. Guillemet recognized that mass adoption of digital assets requires addressing usability problems without compromising security. Ledger aims to find this balance by offering flexible options while maintaining the highest security standards.