Vulnerability in Tangem Wallets: Ledger Donjon Demonstrates Laser Attack on Secure Chip
Ledger Donjon's research unit, led by expert Baptiste Boileau, has identified a critical vulnerability in Tangem hardware wallets. The attack, based on laser fault injection, allows an attacker to reset the card's password and gain full control over the crypto assets stored on it. This method is a physical, invasive intervention that cannot be fixed with a standard patch, as Tangem devices do not support firmware updates.
Technical Details of the Attack
At the core of the Tangem wallet is a Samsung S3D232A secure element with EAL6+ certification, which generates and stores private keys and signs transactions. Communication with the mobile app is via NFC. Standard protection involves two factors: physical possession of the card and knowledge of the password. However, Boileau discovered that the logic of the SetPin instruction in the firmware contains a vulnerable check that determines whether the card is in an allowed recovery state. Using a single nanosecond laser pulse directed at a specific area of the chip, the researcher disrupted this check, forcing the card to accept a new password without the old one and without the presence of a backup card.
To carry out the attack, it was necessary to open the card, expose the chip, and connect it to a custom hardware platform. Using side-channel analysis, the researcher identified the exact moment the vulnerable check was executed. After configuring parameters for a specific model, each subsequent exploitation attempt takes about two hours. The cost of laboratory equipment, including the laser setup and analysis tools, is estimated at approximately $250,000. Thus, the attack requires not only physical access to the card but also significant resources and expertise in hardware security.
Tangem's Response and Expert Commentary
Tangem stated that the risk for ordinary users is "practically non-existent," emphasizing the need for expensive equipment and physical access to the device. The company also noted that Ledger Donjon is a division of one of their largest competitors, which could influence the interpretation of the results. Nevertheless, Boileau pointed out the limitations of EAL6+ certification: it confirms the chip's resilience according to certain criteria but does not guarantee the absence of vulnerabilities in the firmware logic. He recommended using multiple independent checks for critical operations and more robust state encoding.
My analysis: Although the described attack is indeed complex and expensive for mass application, it raises an important question about trust in secure element certifications. Tangem, like any hardware wallet manufacturer, must consider that device security is determined not only by the chip but also by the quality of the firmware implementation. For users with large sums, this is another reason to consider multi-factor protection schemes, including the use of multiple devices or multi-signatures.