Side Channel Vulnerability in Ledger Nano S and Nano X Devices
CVE-2019-14354

2.4 LOW

Key Information:

Vendor: Ledger

CVE Published: 10 August 2019

What is CVE-2019-14354?

A side-channel vulnerability was discovered on Ledger Nano S and Nano X devices that can potentially allow attackers to recover sensitive information displayed on the OLED screen. The leak arises because the display's power consumption varies with the number of illuminated pixels. An attacker who can monitor power usage via a hardware implant in the USB connection may exploit this channel to recover confidential secrets such as PINs or mnemonic phrases. The vulnerability is exploitable only under specific conditions, such as when the device is actively displaying sensitive data, so physical security and controlled access are critical factors in mitigating the risk.

CVSS V3.1

Score: 2.4
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Physical
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
