Tangem wallet brute force vulnerability revealed by rival Ledger

A security flaw allowing hackers to brute force the PIN code of Tangem‘s cold wallet cards by cutting off their source of power was revealed yesterday by Ledger’s white hat hacker team, Donjon.

Ledger CTO, Charles Guillemet, announced the “tearing attack” on X after disclosing the exploit with the rival hardware wallet firm. Unfortunately for Tangem, Donjon noted that it cant be patched on already existing Tangem cards.

In order to perform the attack, Donjon discovered that cutting a Tangem cards source of power before it acknowledges a password attempt stops it from registering a failed password.

A hacker would then need to determine if theyve found the right password.

Donjon discovered that by analyzing the electromagnetic emissions the card emits with each attempt, they can see a pattern of peaked electromagnetic emissions indicating that the correct combination was found.

By doing this, hackers can attempt as many passwords as they likewithout fear of activating any security protocols.

The makeshift antenna Donjon created to focus on the chips electromagnetic emissions

Read more: Ledger execs alleged kidnap mastermind arrested in Morocco

Donjon says it would normally take five days to brute force a four-digit code with Tangems security protections, and roughly 148 years to brute force an eight-digit code.

However, the “tearing attack” reduces this time to ~1 hour for a four-digit code, and ~460 days for an eight-digit code, as it allows for two and a half password attempts every second.

It estimates that the cost to carry all this out would come to $5,000, adding that, “While the setup cost is relatively low, making it accessible to a wider range of attackers, the need for physical proximity to the target card remains a prerequisite.”

Regardless, there‘s not much that can be done to fix the exploit for the current Tangem cards out there, as it’s not a patchable fix. As such, Donjons advice for at-risk users is to use an eight-character or more password with a mixture of letters, numbers, and symbols.

Tangem isnt fazed about card findings

According to Donjon, Tangem wasn‘t fazed by Donjon’s findings and concluded it isnt a vulnerability. “In their opinion, the proposed attack scenario does not pose a significant risk,” Donjon claimed.

Because of this, a Donjon representative told Protos that Tangem didnt award them a bounty, despite Donjon “following the responsible disclosure process.”

Indeed, Tangem told Protos that it rewards “practical, real-world vulnerabilities,” and not “a theoretical lab attack that is self-defeating by design and requires immense resources.”

Read more: Hacker could‘ve printed unlimited ’Ether but chose $2M bug bounty instead

According to Tanjem, Donjon‘s method would essentially “physically destroy the card’s chip long before an access code could be guessed.”

It said that even if it survived, cracking a four-digit code would take months, andover 64 yearsif it was five digits.

The research oddly focused on four-digit PINs, while our cards support much stronger alphanumeric access codes with symbols, making the real-world challenge exponentially harder.

“For these reasons, the scenario remains purely academic. While the research is technically interesting, it does not represent a practical vulnerability or risk to our users,” Tangem concluded.

Donjon, however, found Tanjems response to its findings “disappointing,” and called its arguments “inaccurate.”

• Donjon claims the cards it tested never died, and that “the tearing process means theres no writing done to the flash memory to wear it out.”
• It insists that the exploit would speed up the brute force attack by “100x,” especially for weak passwords, which Tangem rejects.
• Donjon also says it wasnt a “sophisticated attack” thanks to the low cost, and the fact that this security test is required for a Basic level certification, such as an “EAL 3 grade.”

Ledger isnt perfect either

Donjon Ledger is a security research team posted at the crypto hardware wallet firm Ledger. Beyond helping Ledger, it says, “From time to time, the team also works on improving the security of the ecosystem.”

There have been instances, however, where Ledger exploits have led to consequences felt by its users.

Read more: ‘Decentralized’ apps suffer after Ledger Connect Kit attack

One supply chain attack in 2023 allowed hackers to drain the wallets of users who use Ledger‘s Connect Kit when a former employee’s account was breached.

In July 2020, Ledger revealed its e-commerce and marketing database had been breached, exposing the personal details of many of its customers.

By December, this data was leaked, and a series of scammers began sending fake Ledger wallets to exposed customers.