christopher
@christopher
Saddest six-word story: "For sale: gifted Ledger, never used."

polymutex
@polymutex.eth
Is the sad part the lack of adoption... or is it that the buyer is about to have a bad time? Yes.

Chris Carlson
@chrislarsc.eth
You can safely buy used Ledgers. Resetting completely wipes it and Ledger has a “genuine” check when you connect for the first time. Zero risk if the check passes.

polymutex
@polymutex.eth
Sure, though that's only zero risk under the assumption that the user desktop starts out uncompromised when running the Ledger Live software during setup. And if you can make that assumption, that removes part of the value prop of buying a Ledger to begin with.

polymutex
@polymutex.eth
There is also the attack vector where the internals of the Ledger are gutted and replaced with a BadUSB-style board which forcefully installs and overrides the Ledger Live application on the user's desktop before the real Ledger Live software can do anything about it. Overall, doesn't seem truly zero-risk to me.

Chris Carlson
@chrislarsc.eth
The practicality of this is non-existent. I can’t even enumerate the list of things that would have to happen for this to be worth the attacker’s effort.