After Rashid sent the research to Ledger, he saw that the flaw wasn’t taken seriously by the team. However, they did publish a firmware update on Mar. 6, which was heavily criticized by Rashid. He posted his opinions on Twitter, since he believed that the team should either have posted it as a critical update or disguised it so that hackers didn’t get time to use this trick. As one of the security researchers, I urge to update now. This article doesn’t make it clear enough how dangerous this issue can be. Potential issues include compromised recovery seed generation or private key extraction. https://t.co/Z2WGFZnFAA— Saleem Rashid (@spudowiar) March 6, 2018Panic spread among users, who took to Reddit to discuss their next move. Eric Larchevêque, Ledger’s CEO, replied to one such post saying it was “a massive FUD”, and that Rashid was trying to bring attention to himself, when the problem was clearly not high-priority. “Saleem got visibly upset when we didn’t communicate as “critical security update” and decided to share his opinion on the subject,” wrote Larchevêque. On Mar. 20, Ledger published another update that explained three problems discovered by bounty program researchers: Timothée Isnard, Saleem Rashid and Sergei Volokitin. Interestingly, Rashid denied this statement because signing Ledger’s Bounty Program Agreement would disallow him for publishing a technical report, which he clearly did on the very same day. As for the new updates, Rashid explained that he wasn’t allowed to receive the ‘release candidate’ by the company, but he believed that the new fixes were not completely free from hacker attacks.”Is it truly possible to use a combination of timing and “difficult to compress” firmware to achieve security in this model?”, wrote Rashid. He received support from cryptographer Matthew Green, who explained in a lengthy Twitter thread how the teenager was able to break through Ledger’s secure tactic. The teenager, who lives in U. K., previously uncovered a problem in cryptocurrency hardware wallet TREZOR One. The issue was resolved with a healthy communication between both parties. SatoshiLabs CEO, Marek Palatinus, even praised Rashid for his work, “His out-of-the-box thinking and creative approach help us to make an even more secure product.”Featured image from Ledger