Post: 25356748
Topic: 2162410
Board: Wallet software
Re: Ledger Nano: is it secure?
by bob123 on 28/11/2017, 07:32:32 UTC
Quote from: Kico on November 28, 2017, 01:59:30 AM
How can I be sure that device executes the code posted on github, not a different one?
You can verify the integrity of the software running on your device, as in their ledger blue checkGenuine.py (https://github.com/LedgerHQ/blue-loader-python/blob/master/ledgerblue/checkGenuine.py#L72).
Basically you are using:
Code:
pip install --no-cache-dir ledgerblue
python -m ledgerblue.checkGenuine --targetId 0x31100002
You find the secp256k1 public key for the current batch here:
Code:
args.issuerKey = "0490f5c9d15a0134bb019d2afd0bf297149738459706e7ac5be4abc350a1f818057224fce12ec9a65de18ec34d6e8c24db927835ea1692b14c32e9836a75dad609"
(https://github.com/LedgerHQ/blue-loader-python/blob/master/ledgerblue/checkGenuine.py#L119)
To go even further you could try to open your Ledger and check whether there is an additional chip implemented and the MCU is an STM32F042K6 (with 32 Kb flash, as a bigger flash could contain code fooling the Secure Element validation). Ledger has described this pretty comprehensibly here:
https://ledger.zendesk.com/hc/en-us/articles/115005321449-How-to-verify-the-security-integrity-of-my-Nano-S-