Laser Attack Resets Tangem Wallet Passwords, Exposing Unpatchable Security Flaw
Researchers from Ledger’s Donjon security team have uncovered a significant vulnerability in Tangem crypto wallet cards. By utilizing a precisely timed laser pulse directed at the chip within these cards, an attacker can reset the wallet’s password to any value of their choosing. This flaw raises serious concerns regarding the security of Tangem wallets, particularly for users who may be unaware of the risks involved.
The implications of this discovery are profound. Once the password is reset, the attacker gains complete control over the wallet, allowing them to transfer any cryptocurrency held within. Notably, this attack requires physical access to the card and specialized equipment, estimated to cost around $250,000. Additionally, executing the attack necessitates cutting open the card, leaving visible damage that cannot be concealed. As a result, the attack cannot be conducted remotely, and there is no software fix available; Tangem cards are incapable of receiving updates, meaning that all previously sold cards are affected by this vulnerability.
Understanding the Security Mechanisms of Tangem Wallets
Tangem wallets resemble standard bank cards and operate in conjunction with a companion app that communicates with a Samsung S3D232A chip embedded within. This chip is designed as a secure element, certified to a high standard known as EAL6+, which is intended to resist tampering. The security model relies on two primary factors: possession of the card and knowledge of the password.
However, the password reset feature presents a critical weakness. Tangem sells its cards in linked sets, allowing users to reset their password by holding two cards together. During this process, the card performs a check to determine if it is in recovery mode. If the check confirms recovery mode, the card accepts a new password without requiring the old one.
An attacker can exploit this by firing a laser pulse at the chip at the precise moment the check is performed. This pulse disrupts the chip’s circuitry, tricking it into behaving as if it were in recovery mode, thus allowing the attacker to set a new password without any prior authentication.
The Complexity of the Attack and Its Unfixable Nature
Executing this attack is not straightforward. It demands advanced hardware skills, a laser rig, and sensitive measuring equipment to identify the exact timing and location for the laser pulse. The card must be physically altered, which leaves clear evidence of tampering. According to Donjon, once the attack parameters are established, it can be executed on any card in approximately two hours.
The permanence of this flaw poses a significant challenge. Tangem’s design philosophy emphasizes an unchangeable firmware as a security measure, preventing any remote tampering. However, this same characteristic means that the vulnerability cannot be patched or corrected, leaving all existing cards susceptible to this attack.
Tangem’s Response to the Vulnerability
In response to the findings, Tangem has publicly asserted that the attack method is not unique to its cards but rather a laboratory-based technique applicable to secure element chips in general. The company highlighted that Donjon is affiliated with Ledger, a direct competitor, which may influence the framing of the vulnerability.
Tangem also pointed out that the cards do not inherently reveal ownership or value, making it difficult for an attacker to justify the expense of executing the attack without knowing the potential reward. The company claims that no users have reported losing funds due to laser attacks on hardware wallets, asserting that the practical risk for everyday users remains minimal.
Both parties present valid arguments. The flaw identified by Donjon is indeed real and unpatchable, affecting every Tangem card. Conversely, Tangem’s assertion that the cost and effort involved in exploiting this vulnerability may deter most attackers is also reasonable.
Contextualizing the Attack Within the Industry
This incident is not an isolated case. Earlier in June, Donjon employed a similar laser fault injection technique on the TROPIC01 chip used in the Trezor Safe 7. This attack bypassed the chip’s firmware signature check, allowing the execution of unauthorized code. However, Trezor has since implemented interim measures to address the vulnerability, reinforcing the security of their next-generation hardware.
Historically, less sophisticated attacks have targeted wallets with weaker security measures. For instance, the same research team previously extracted recovery seeds from earlier Trezor models using equipment costing around $100. The introduction of Tangem’s hardened chip has raised the bar for physical attacks, requiring a much more significant investment in resources.
Recommendations for Users
For the majority of Tangem wallet users, the best course of action remains unchanged: ensure the card is stored securely to prevent unauthorized access. This attack is not feasible against cards that users still possess. However, if a Tangem card is lost or stolen, particularly one containing significant value, users should transfer their funds immediately using another card from their set or a seed phrase, if available.
For further information on this vulnerability and its implications, refer to the original reporting source: thehackernews.com.
Keep reading for the latest cybersecurity developments, threat intelligence, and breaking updates from across the Middle East.


