Ledger’s security research unit has disclosed a physical attack that can reset the password on a Tangem hardware wallet card, potentially allowing an attacker to use the device to authorize c
Ledger’s security research unit has disclosed a physical attack that can reset the password on a Tangem hardware wallet card, potentially allowing an attacker to use the device to authorize crypto transactions.
Tangem acknowledged the laboratory demonstration but said the attack requires physical possession, specialist expertise and equipment worth about $250,000, making the risk to everyday users “virtually non-existent.”
Laser Attack Resets Card Password
Ledger Donjon researchers used a precisely timed laser pulse to bypass a recovery-state check in Tangem firmware running on the card’s EAL6+ secure element. The bypass allowed them to set a new password without the existing password or another card from the same wallet set. Once reset, the card could be used to sign transactions.
The attack:
- Cannot be carried out remotely.
- Requires the card to be physically dismantled.
- Does not extract the private key.
- Reportedly works even when password recovery is disabled.
Ledger said it reproduced the attack on two additional cards. After identifying the correct laser location and timing, each subsequent test took about two hours. The $250,000 estimate represents the laboratory setup, not the cost of attacking each card.
Tangem Says Attack Is Not Practical
Tangem argued that an attacker would need to steal a card, expose its chip and operate precision fault-injection equipment. The process leaves visible damage and requires advanced hardware-security knowledge. The company also said the technique does not scale and presents almost no practical risk to everyday users. Ledger Donjon similarly acknowledged that the attack is relevant mainly when a card is lost or stolen.
The disclosure comes amid broader scrutiny of wallet security, though recent incidents have involved different attack methods. A counterfeit Ledger Live app on Apple’s Mac App Store reportedly stole about $9.5 million after victims entered their recovery phrases, making it a phishing attack rather than a hardware compromise.
Separately, a Cardano holder claimed that 2.3 million ADA left a Ledger-secured wallet without approval, but no widely shared on-chain evidence initially established the cause or showed that Ledger hardware had been breached.
Existing Cards Cannot Be Patched
Ledger said Tangem cards already in circulation cannot receive a firmware fix because the devices do not support firmware updates. Tangem has promoted immutable firmware as a security feature because it prevents malicious updates. The disclosure highlights the trade-off: removing the update mechanism reduces one attack surface but prevents vulnerabilities discovered later from being corrected remotely.
The finding also shows that EAL6+ certification does not automatically protect every software function running on a secure element. Ledger’s attack targeted Tangem’s password-recovery logic rather than extracting or breaking the private key. For most users, the disclosure does not represent an immediate online threat. Its primary relevance is to cards that are lost, stolen or deliberately taken from known high-value holders.