Loading prices…
〽️NEUTRAL

Ledger Donjon Uncovers Tangem Wallet PIN-Reset Flaw

Both vendors agree the bug is real on a lab bench; Tangem argues it stays academic because resetting the PIN needs a laser, the card in hand, and rare know-how.

Ledger's Donjon security research team disclosed a vulnerability in Tangem hardware wallets on Thursday that lets an attacker reset a user's PIN through laser fault injection, effectively wiping the existing password and exposing whatever sits on the card.

The bug sits in Tangem's firmware running on an EAL6+ secure element. Ledger's researchers showed that a precisely timed laser pulse can skip a critical recovery-state check, dropping the device back into a freshly issued state.

Why it matters

Tangem pushed back on the practical significance, calling the risk to everyday users "virtually non-existent." The company noted that pulling off the attack requires physical possession of the card, specialized lab equipment on the order of a laser fault-injection rig, and rare expert know-how. Both points are technically true and consistent with Ledger's own framing of similar work on competing wallets.

The disclosure still matters because Tangem's pitch to consumers leans heavily on the secure element's certification. A confirmed bypass of a recovery-state check, even one that requires physical access, presses against that marketing claim.

Frequently asked questions

  1. What exactly did Ledger Donjon find in Tangem's wallet?

    Researchers showed a laser fault injection can reset a Tangem card's PIN by bypassing a recovery-state check in the firmware running on the EAL6+ secure element.

  2. Does the attack work remotely against regular Tangem users?

    No. Tangem says the attacker needs physical possession of the card, a specialized laser fault-injection rig, and rare expert know-how, making everyday-user risk "virtually non-existent."

  3. Why does an EAL6+ secure element not block this attack?

    The bypass sits in Tangem's firmware layer above the certified chip. The laser pulse skips the code check that verifies a recovery flow, so the secure-element certification does not by itself close the gap.

  4. Has Tangem released a patch or firmware fix for the flaw?

    The seed does not state whether Tangem has shipped a firmware patch. The disclosure notes the firmware flaw is the relevant variable, not the underlying secure element.

  5. How do Ledger and Tangem usually handle each other's bug reports?

    The two companies have a long history of disclosing bugs in each other's products and publicly crediting the research, framing this finding as part of an ongoing technical dialogue rather than a confrontation.

Source attribution
Aggregated from TheBlock · Verified · Last refreshed 1h ago
Open original →