A significant security vulnerability has been uncovered in Tangem’s cold wallet cards, allowing attackers to brute-force PIN codes through a method known as the “tearing attack.” This discovery was made public by Ledger’s white hat hacker team, Donjon. Charles Guillemet, the Chief Technology Officer at Ledger, shared information about the exploit via a post on X, stating that it had been communicated to Tangem, the competing hardware wallet company.
The crux of the vulnerability lies in how Tangem cards handle power loss during the authentication process. Donjon’s analysis revealed that disconnecting a Tangem card’s power source before it registers a password attempt could prevent it from counting failed attempts. This flaw lets an attacker test multiple password combinations without triggering any security measures.
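The ordering problem described above, shown as an added example that is not Tangem's firmware or Donjon's code: a simulated retry counter in C where power loss is modelled by a hypothetical `tear` parameter, with the weak order (compare, then record) beside the common hardened order (record, then compare). All names, the three-try limit and the sample PIN are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>

#define MAX_TRIES 3                               /* assumed limit, not from the page */
enum { TEAR_NONE = 0, TEAR_AFTER_COMPARE = 1 };   /* where simulated power loss hits */

typedef struct { int tries_left; char pin[5]; } nvm_t;  /* simulated non-volatile memory */

/* Constant-time compare so the result does not leak through early exit. */
static bool pin_equal(const char *a, const char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Weak order: compare first, write the failure afterwards.
   Returns 1 ok, 0 wrong, -1 locked, -2 power lost mid-operation. */
int verify_weak(nvm_t *nvm, const char *guess, int tear) {
    if (nvm->tries_left <= 0) return -1;
    bool ok = pin_equal(nvm->pin, guess, 4);
    if (tear == TEAR_AFTER_COMPARE) return -2;    /* failure is never written */
    if (ok) nvm->tries_left = MAX_TRIES; else nvm->tries_left--;
    return ok ? 1 : 0;
}

/* Hardened order: spend the attempt in NVM before any secret-dependent
   work, and restore the counter only after a successful compare. */
int verify_hardened(nvm_t *nvm, const char *guess, int tear) {
    if (nvm->tries_left <= 0) return -1;
    nvm->tries_left--;                            /* committed before the compare */
    bool ok = pin_equal(nvm->pin, guess, 4);
    if (tear == TEAR_AFTER_COMPARE) return -2;    /* attempt stays spent */
    if (ok) nvm->tries_left = MAX_TRIES;
    return ok ? 1 : 0;
}

/* How many torn wrong guesses does a card accept before locking (capped)? */
int torn_guesses_accepted(int (*verify)(nvm_t *, const char *, int), int limit) {
    nvm_t nvm = { MAX_TRIES, "4821" };            /* constructed sample PIN */
    int n = 0;
    while (n < limit && verify(&nvm, "0000", TEAR_AFTER_COMPARE) != -1) n++;
    return n;
}
```

In this model the weak order accepts torn guesses up to whatever cap is given, while the hardened order locks after `MAX_TRIES` regardless of when power is cut.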
In a clever twist, Donjon devised a method to monitor the electromagnetic emissions released by the card with each password input. By analyzing these emissions, hackers can identify a distinct pattern indicating a correct guess, drastically lowering the effort required to crack the code.
This “tearing attack” significantly shortens the time a brute-force attack takes. For example, while it would typically take around five days to crack a four-digit PIN under normal security protections, the new method reduces that duration to approximately one hour. Similarly, cracking an eight-digit code could go from about 148 years to around 460 days. With the method, an attacker can attempt more than two passwords every second.
The estimated cost to execute this attack is about $5,000. However, Donjon acknowledged that although this cost puts the method within reach of various attackers, physical access to the target card is still required for success.
Unfortunately for Tangem card users, there is no feasible patch to rectify this exploit on existing cards. In light of these findings, Donjon advised users to adopt longer, more complex passwords, including alphanumeric characters and symbols, to enhance security against such attacks.
Tangem’s response to the findings appeared dismissive. According to Donjon, representatives from Tangem did not regard the disclosed vulnerabilities as significant, stating that the described scenario posed minimal risk. They further noted that, despite the responsible disclosure process followed by Donjon, no bounty was awarded for their findings. Tangem emphasized that they prioritize vulnerabilities with practical implications over what they consider theoretical attacks requiring considerable resources.
In its defense, Tangem argued that the method proposed by Donjon would likely result in the physical destruction of the card’s chip long before any access code could be successfully guessed. They claimed that, even if the chip survived, brute-forcing a four-digit code would take months, and a five-digit code would require over 64 years.
Donjon, on the other hand, expressed disappointment with Tangem’s rebuttal, asserting that the process does not inherently destroy the card and insisting that their exploit would indeed expedite brute-force attempts by a factor of one hundred, particularly against weak passwords. They also contended that the attack is not overly sophisticated, emphasizing its accessibility and the need for basic certification standards, such as the EAL 3 grade.
While Ledger’s focus remains on strengthening the security of its ecosystem and supporting broader security initiatives, it has faced its share of vulnerabilities. Past incidents include a supply chain attack in 2023 that compromised user wallets via a breach of a former employee’s account, as well as a data breach in July 2020 that exposed customer information, leading to significant ramifications for those affected.

