Mar 06

New firmware update 1.4.1 available for the Nano S

 

We’re thrilled to announce the release the Ledger Nano S firmware 1.4 (available as version 1.4.1), which brings several functional changes, new UX features as well as a few important security improvements. One key update that we’re really excited about: with the firmware 1.4, you’ll be able to install many more applications on your Ledger Nano S!

We highly recommend all our users to update their Nano S by following these steps.

Important note: there are some claims on Reddit and Twitter about a critical security issue being found on the Nano S. This is incorrect. The issues found are serious (that’s why we highly recommend the update), but NOT critical. Funds have not been at risk, and there was no demonstration of any real life attack on our devices. We will disclose all technical details after March 20th.

 

New features to significantly improve user experience…

  • The number of apps which can be loaded onto the Nano S at the same time can be raised to up to 18 (depending on the cryptocurrencies see FAQ), thanks to some refactoring on the BOLOS app management. As a reminder, deleting an app does not impact your cryptocurrency holdings: when the app is reinstalled, the original balance is retrieved.
  • The screen lock management has been slightly modified. A long press (3 seconds) on both buttons of your Nano S when it is in use (whether in the dashboard or while using apps) will enable you to lock the screen.
  • To ensure that the user has backed up correctly the 24 words, all of them must now be confirmed during the onboarding.
  • Several other optimizations have been implemented in order to improve the user experience. For instance, the device is now faster using some cache optimizations.

 

… While we keep improving your security

BOLOS (Ledger OS) has evolved. You’ll find below some of the latest modifications:

  • The apps are now split in 3 segments (code, data, installation parameters). Two different hashes are computed (code + data and code + data + installParams). This allows the user to verify the data loaded even for apps which have secret data.
  • U2F tunnel is now supported for APDUs in the dashboard and also in the SDK. It’ll make it possible to support all communication protocols with a single interface and avoid using the “Browser Support” options. U2F tunnel is very convenient to interface with a web application (such as MyCrypto / MyEtherWallet).
  • The SDK now offers another primitive for comparing memory pointers securely (memcmp).

The cryptographic support has been widely extended. A lot of new Elliptic Curves are now supported:

  • SEC curves (SECP384R1, SECP521R1),
  • Brainpool Curves (P256R1, P320T1, P320R1, P384T1, P384R1, P512T1, P512R1)
  • ANSSI Curve (FRP256V1),
  • Edwards Curves (Ed448), and
  • Goldilocks’s curve (Curve448).

The firmware 1.4 includes a few other security improvements. For instance, the policy to load 3rd party apps slightly evolved. The custom Certification Authority (CA) management is now only available under recovery mode. It is intended to make malware applications less attractive to promote for inexperienced users.

Also, we would like to congratulate two of our security researchers, who successfully found bounties in our firmware 1.3. Though these issues were not critical and apply only under quite uncommon conditions, they are now solved in our firmware 1.4 – consequently, we strongly recommend  to update. We will share more details about these issues soon. We are very thankful for these two researchers for raising these issues with us, and are going to reward them with a bounty for their help and responsible disclosure.

This is also a great opportunity for us to promote our Bounty Program: we definitely encourage our users to challenge the security of our products. If you find a vulnerability or a bug on our design, you can get rewarded in bitcoins by following the Bounty Program guide.

Charles GUILLEMET – Chief Security Officer at Ledger

 

For more information: