Laser Pulse Attack Resets Passwords on Tangem Crypto Wallet Cards, Bypassing User Authentication
What Happened — Researchers from Ledger’s Donjon team demonstrated that a precisely timed laser pulse aimed at the secure element of a Tangem hardware‑wallet card can force the chip to reset its PIN to any value chosen by the attacker. Once the PIN is reset, the attacker gains full control of the wallet and can transfer the stored cryptocurrency.
Why It Matters for Compliance & Audit Readiness
- The scenario illustrates a physical‑layer credential compromise that SOC 2 access‑control criteria (CC6.1, CC6.2) are designed to address through documented control design, monitoring, and evidence of mitigation.
- Continuous‑compliance programs must capture evidence that hardware‑based authentication mechanisms are protected against tampering, and that incident‑response playbooks cover physical‑attack vectors.
- Verisq’s SOC2 Access Controls capability provides audit‑ready evidence of password‑reset controls, hardware‑integrity monitoring, and policy enforcement to satisfy the “Logical and Physical Access Controls” trust criteria.
Who Is Affected — Financial‑services firms, crypto‑asset custodians, and any organization that issues or relies on Tangem‑style hardware wallets for secure key storage.
Recommended Actions
- Map the Tangem hardware‑wallet usage to SOC 2 CC6 controls; verify that physical‑security safeguards (tamper‑evident packaging, secure storage, access logs) are documented and monitored.
- Update your incident‑response plan to include a “hardware‑tampering” playbook, specifying evidence collection (laser‑damage forensic imaging) and escalation procedures.
- Collect continuous evidence of hardware‑integrity checks (e.g., periodic visual inspections, tamper‑sensor logs) to demonstrate control effectiveness during audits.
Source: The Hacker News
Technical Notes
- Attack vector: targeted laser pulse (physical layer) that triggers a fault injection in the secure element, causing a password reset.
- No CVE assigned; the flaw resides in the chip’s lack of protection against focused optical fault injection.
- Data at risk: private keys stored on the wallet, enabling full asset exfiltration.
Source: The Hacker News