Full Report
Researchers at Ledger's Donjon security team have shown that a precisely timed laser pulse, aimed at the chip inside a Tangem crypto wallet card, can reset the card's password to anything the attacker picks. No old password. No backup card. Once it is reset, whoever did it controls the wallet and can move the coins out. This is not an emergency for most owners. The attack needs
Analysis Summary
# Vulnerability: Password Reset Bypass via Laser Fault Injection (LFI) in Tangem Wallets
## CVE Details
- **CVE ID:** Not explicitly assigned in the provided report (Common for hardware-specific side-channel attacks).
- **CVSS Score:** Approximately 6.8 (Medium)
- **Severity:** Medium (High technical complexity and physical access requirements mitigate the critical nature of the logic bypass).
- **CWE:** CWE-1256: Improper Adherence to Expected Physical Phenomena (Logic/Fault Injection).
## Affected Systems
- **Products:** Tangem Hardware Wallet Cards.
- **Versions:** All current firmware versions (notably those utilizing the Samsung S3D232A Secure Element).
- **Configurations:** All cards, regardless of whether the "Access Code Recovery" feature is enabled or disabled in the app.
## Vulnerability Description
The vulnerability is a **Laser Fault Injection (LFI)** attack targeting the hardware's password validation logic. Tangem cards allow password resets if a second linked card is present (Recovery Mode). Researchers discovered that a precisely timed laser pulse aimed at the chip during the "Is this card in recovery mode?" check can disturb the chip's circuitry. This causes the check to fail open, tricking the Secure Element into believing it is in recovery mode. Consequently, the card accepts a `SetPin` command to overwrite the password without requiring the original password or the presence of a second backup card.
## Exploitation
- **Status:** PoC demonstrated by Ledger Donjon; not currently exploited in the wild.
- **Complexity:** High (Requires approximately $250,000 in lab equipment, decapping the chip, and precise nanosecond timing).
- **Attack Vector:** Physical (Requires possession of the card and invasive hardware modification).
## Impact
- **Confidentiality:** High (Full access to private keys/seed phrases stored on the card).
- **Integrity:** High (Attacker can reset credentials and authorize transactions).
- **Availability:** High (The card must be physically decapped/damaged to perform the attack).
## Remediation
### Patches
- **None Available:** Tangem cards are designed with non-updatable firmware to prevent remote tampering. This design choice prevents the deployment of a software-based fix for this hardware-level flaw.
### Workarounds
- **Physical Security:** Ensure the card remains in a secure, tamper-evident location.
- **Funds Migration:** For users with high-value holdings who suspect their physical card security has been compromised, migrating funds to a new wallet/seed is the only definitive mitigation.
## Detection
- **Indicators of Compromise:** Physical inspection of the card. The attack requires "decapping" (cutting open the card and removing layers to expose the silicon), which causes permanent, visible structural damage.
- **Detection Methods:** There are no digital logs or software-side indicators of this attack; detection relies entirely on physical tamper-evidence.
## References
- **Ledger Donjon Research:** hXXps://donjon[.]ledger[.]com/blog/bypassing-tangem-card-security-with-laser-attack/
- **Tangem Official Response:** hXXps://tangem[.]com/en/blog/post/lfi-response/
- **News Source:** hXXps://thehackernews[.]com/2026/07/laser-attack-resets-tangem-wallet.html