WikiBit 2026-07-10 19:08Ledger researchers disclosed a laser attack that resets Tangem card passwords by bypassing a recovery-state check in the firmware.
Quick Take
Ledger Donjon researchers disclosed a security vulnerability in Tangem hardware wallet cards that allows an attacker to reset the cards password through a laser fault injection attack.
The exploit requires physical access to a Tangem card, specialized laser fault-injection equipment, side-channel analysis tools, and hardware security expertise. Ledger Donjon said in a blog post that its laboratory setup cost about $250,000, while the vulnerability affects all Tangem cards currently in circulation and cannot be patched because the cards lack a firmware update mechanism.
According to the post, researchers prepared the card by exposing the secure element and connecting it to custom hardware before using a nanosecond laser pulse to target a specific area of the chip.
The fault injection bypassed the firmware check that verifies whether a card is in an authorized recovery state, allowing the SetPin instruction to accept a new password without the existing password or backup card.
Implications
Once the password is reset, an attacker gains control of the wallet and can use the card to sign transactions, allowing funds associated with the wallet to be moved.
Ledger Donjon said it reproduced the attack on a second and third card after demonstrating the initial exploit, with each reproduction requiring about two hours of preparation and exploitation time.
“What this means for users: there‘s no patch, but the attack is physical and invasive so it can’t be done covertly and the card returned intact,” the researchers wrote. “The only real risk is a lost or stolen card; if yours stays in your possession, the attack described here cannot be performed.”
The researchers recommended that secure element firmware use multiple independent checks for sensitive operations, strengthen state validation methods, and ensure password changes remain protected when recovery features are disabled. They said EAL6+ certification alone does not prevent fault injection attacks if firmware contains exploitable logic flaws.
Prior to this discovery, the researchers had uncovered a genuine check bypass on the Tangem Android application and a brute-force attack on the card's authentication protocol. The vulnerability was disclosed to Tangem in February.
Tangem responds
In a post on X following Ledger Donjon's disclosure, Tangem disputed the practical significance of the findings, highlighting the attack requires expensive laboratory equipment, physical possession of the card, and specialized expertise, making the risk to everyday users “virtually non-existent.”
“Its also worth noting that while Ledger Donjon presents itself as an independent research unit, it operates within Ledger, one of our largest competitors. Their findings should be read with that in mind,” the firm said. “Given enough time, funding and access, the firmware on any secure element can eventually be reverse-engineered and exploited.”
Disclaimer:
The views in this article only represent the author's personal views, and do not constitute investment advice on this platform. This platform does not guarantee the accuracy, completeness and timeliness of the information in the article, and will not be liable for any loss caused by the use of or reliance on the information in the article.
Bitdeer stock jumps 14% as company expands US mining hardware production
WikiBit 2026-07-10 05:00Ethereum Foundation says AI agents find real bugs, but most are false positives
WikiBit 2026-07-10 03:51CryptoQuant says bitcoin rebound remains a bear-market recovery, not a trend reversal
WikiBit 2026-07-10 03:45White House says it received no Democratic response related to SEC, CFTC vacancies
WikiBit 2026-07-10 05:00Bitwise says bitcoin's 'floor is rising' despite AI boom and regulatory delays
WikiBit 2026-07-10 05:54White House defends Trumps regulatory appointments as CFTC vacancies complicate crypto bill push
WikiBit 2026-07-10 01:53CFTC Chair Selig warns regulators will end up 'writing all the rules' for crypto if Clarity Act stalls
WikiBit 2026-07-09 19:42INTERPOL operation blocks illicit crypto transfers and leads to 5,811 arrests
WikiBit 2026-07-09 18:55Bitcoin ETFs end 'most overwhelming' $2.7B sell-off amid new $85M net outflow
WikiBit 2026-07-09 21:00MARA gains 14% after unveiling 2 GW Texas AI and bitcoin mining campus plan
WikiBit 2026-07-09 22:380.00