Context

Ledger is a French IT company that manufactures a hardware wallet for crypto-currencies, the Ledger Nano S. In spring 2018, Ledger organized a Capture-The-Flag (CTF) security challenge that consisted of two phases:

1. The first phase consisted of three cryptographic problems packaged in a Capture-The-Flag fashion. This phase started on the 20th of March and ended on the 1st of June 2018. A blog post on the Ledger website provides the solutions for all three problems. The first hundred competitors who successfully solved the first phase qualified for the second one.

2. The qualified competitors received a custom version of the Ledger Nano S. This custom version performed only one operation: it computed the scalar multiplication of an unknown 256-bit private key and the base point of the elliptic curve secp256k1 (the so-called Bitcoin curve), and sent back the associated public key, which corresponds to a public Bitcoin address storing the reward of the challenge. The second phase consisted of retrieving the private key and thereby becoming the owner of the Bitcoin wallet holding the reward. Note that all custom Ledger Nano S devices sent to competitors contained the same key, so there could be only one winner.

NinjaLab solved the three problems of the first phase, and was the first competitor to successfully retrieve the full 256-bit private key of the second phase. Thus we became the owner of the Bitcoin wallet on the 9th of June 2018, and won the Ledger Challenge.

Update

As ethical computer security researchers, we applied a responsible disclosure procedure, and are currently in contact with the stakeholders to assess risks and determine what details of our technical work can be disclosed, and when.

At the moment, we can only share with you the ingredients of our work: side-channel attacks, scalar blinding issues, practical template attacks and German cryptanalysis sorcery served with a French flavor.

Update 2

Ledger patched the vulnerability that we exploited in their firmware version 1.5.5, released on the 16th of January 2019. More information can be found here.

Note about Ledger Nano S security model

Launching a scalar multiplication operation on the Ledger Nano S first requires entering the PIN code to unlock the device. Thus our attack does not break the security model of the Ledger Nano S, as we would need to know the PIN to perform our attack on a normal Ledger Nano S.

As far as we know, your crypto-assets are safe if you use a Ledger Nano S.