https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/
"There is absolutely no way that an attacker could replace the firmware and make it pass attestation without knowing the Ledger private key," officials said in 2015. Earlier this year, Ledger's CTO said attestation was so foolproof that it was safe to buy his company's devices on eBay.
On Tuesday, a 15-year-old from the UK proved these claims wrong. In a post published to his personal blog, Saleem Rashid demonstrated proof-of-concept code that had allowed him to backdoor the Ledger Nano S, a $100 hardware wallet that company marketers have said has sold by the millions. The stealth backdoor Rashid developed is a minuscule 300 bytes long and causes the device to generate pre-determined wallet addresses and recovery passwords known to the attacker. The attacker could then enter those passwords into a new Ledger hardware wallet to recover the private keys the old backdoored device stores for those addresses.
Using the same approach, attackers could perform a variety of other nefarious actions, including changing wallet destinations and amounts for payments so that, for instance, an intended $25 payment to an Ars Technica wallet would be changed to a $2,500 payment to a wallet belonging to the backdoor developer. The same undetectable backdoor works on the $200 Ledger Blue, which is billed as a higher-end device. Variations on the exploit might also allow so-called "evil maid attacks," in which people with brief access to the device could compromise it while they clean a user's hotel room.
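The paragraphs above describe the mechanism but not why a firmware-chosen recovery phrase is a total loss of the wallet: the phrase is the only secret, and the public BIP39/BIP32 derivation turns it into every key deterministically on any device. The following is an added example, not code from Ledger, from Saleem Rashid's post, or from the article; it implements the standard derivation with the Python standard library and contrasts an honest device model (phrase indices chosen from `os.urandom`) with a hypothetical backdoored model (constant indices). The function names are this example's own, and the test vector used is the public BIP39 all-zero-entropy vector.

```python
"""
Recovery phrase -> seed -> master key, as a hardware wallet computes it.

Added example (not Ledger's or Rashid's code). Only the standard library
is used. The BIP39 English word list is not embedded, so phrases are
handled as word strings and as 11-bit word indices.
"""
import hashlib
import hmac
import os
import unicodedata

# Public BIP39 test vector: 128 zero bits of entropy, passphrase "TREZOR".
VECTOR_MNEMONIC = ("abandon " * 11 + "about").strip()
VECTOR_PASSPHRASE = "TREZOR"


# --- BIP39: phrase -> 64-byte seed (PBKDF2-HMAC-SHA512, 2048 rounds) ----
def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(), 2048, 64)


# --- BIP32: seed -> (master private key, chain code) --------------------
def seed_to_master_key(seed: bytes) -> tuple[bytes, bytes]:
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def keys_from_phrase(mnemonic: str, passphrase: str = "") -> bytes:
    """Everything a second device needs to rebuild the wallet is the phrase."""
    return seed_to_master_key(mnemonic_to_seed(mnemonic, passphrase))[0]


# --- BIP39 generation: entropy -> checksummed 11-bit word indices -------
def entropy_to_word_indices(entropy: bytes) -> list[int]:
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 16, 20, 24, 28 or 32 bytes")
    cs_bits = ent_bits // 32                      # checksum length in bits
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits                    # always a multiple of 11
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def honest_device_word_indices() -> list[int]:
    """Model of correct firmware: fresh hardware entropy on every setup."""
    return entropy_to_word_indices(os.urandom(16))


def backdoored_device_word_indices() -> list[int]:
    """Hypothetical model of the behaviour described above: the phrase is
    fixed in advance, so whoever wrote the firmware already knows it."""
    return entropy_to_word_indices(bytes(16))     # constant, not random


def attacker_can_recover(victim_phrase: str, attacker_phrase: str) -> bool:
    """True when the attacker's copy of the phrase yields the victim's keys."""
    return keys_from_phrase(victim_phrase) == keys_from_phrase(attacker_phrase)


if __name__ == "__main__":
    print("seed:", mnemonic_to_seed(VECTOR_MNEMONIC, VECTOR_PASSPHRASE).hex())
    print("honest device:    ", honest_device_word_indices())
    print("backdoored device:", backdoored_device_word_indices())
    print("same phrase -> same keys:", attacker_can_recover(VECTOR_MNEMONIC, VECTOR_MNEMONIC))
```

Two consequences follow directly from the code: the recovery phrase and the BIP39 passphrase are the whole secret, so a device that emits a phrase someone else already knows is equivalent to handing over the keys, and nothing on the derivation side can detect it. The only places this can be caught are where the phrase is produced (firmware integrity, which is what attestation was supposed to guarantee) or by treating any device whose setup was not under your control as untrusted.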
Good thing Ledger is French, if it was AT&T this kid would've had the FBI knock down his door in the middle of the night and spend the next decade inside a jail cell.