Ledger Says Tangem Cards Can Be Brute-Forced Faster, Wallet Maker Disagrees

TLDR:

• Ledger Donjon researchers revealed Tangem cards allow unlimited PIN guesses using a tearing attack technique.
• The flaw bypasses security delays, enabling 2.5 password attempts per second instead of days of waiting.
• Tangem responded, saying the attack is impractical due to chip endurance limits and required lab equipment.
• Security experts urged users to set long, complex passwords to reduce risk from brute-force attacks
  

A new wallet security issue has sparked a heated debate among crypto holders. Ledger’s security researchers have disclosed a flaw in Tangem hardware wallets. The weakness could let attackers bypass security delays and guess passwords much faster.

Tangem pushed back, saying the risk is minimal in real-world conditions. The clash highlights how hardware wallet security remains a constant arms race.

Ledger Researchers Reveal Tearing Attack

Ledger’s Charles Guillemet shared that its Donjon team discovered a “tearing attack” on Tangem cards. This attack works by cutting power before a failed password attempt is logged. 

Without logging the failure, the card never activates its security delay. That allows attackers to try unlimited passwords without being locked out.

Researchers said this method increases password guessing speed up to 100 times. At 2.5 attempts per second, a 4-digit PIN could be cracked in about one hour. They warned that simple or short passwords are especially vulnerable to this technique. 

Guillemet urged users to set long passwords with letters, numbers, and symbols.

Ledger stressed that its disclosure followed responsible security research protocols. They notified Tangem privately before going public. The team stated that the vulnerability shows why upgradable security features are important.

Tangem Pushes Back on Risk Level

Tangem responded, saying the research was a sophisticated hardware exercise but impractical for real attackers. The company said disabling the delay does not speed up brute-force attacks enough to make them feasible.

They explained that a 4-character password would still take about 245 days to break at four attempts per second. Using five or more characters increases the time to decades. Tangem also said the chip would likely fail under such repeated attempts.

The wallet maker pointed out that physical possession of the card is required for the attack. Specialized lab equipment is needed, raising the difficulty further. They emphasized that Tangem’s app encourages users to create robust access codes with numbers and characters.

This back-and-forth underscores the tension between wallet makers and security researchers. Both agree that password complexity is a critical defense. For now, Tangem users may want to review their access codes to ensure they meet strong security standards

The post Ledger Says Tangem Cards Can Be Brute-Forced Faster, Wallet Maker Disagrees appeared first on Blockonomi.