Unpatchable Security: The High Cost of Frozen Firmware
A high-tech laser attack bypasses security checks on Tangem hardware wallets, highlighting the double-edged sword of unpatchable firmware.
For cold-storage cryptocurrency enthusiasts, the physical wallet is the ultimate vault—an offline fortress designed to keep digital assets safe from remote exploits. The unspoken promise of these devices is that physical possession combined with a password is an impenetrable defense. Yet, what happens when that security is bypassed not by a remote hacker, but by a microscopic beam of light in a specialized laboratory? A recent breakthrough demonstrates that even robust hardware security claims can be undermined when physical access falls into the hands of a funded adversary equipped with precision technology, transforming a trusted card into an open gate.
The tension between physical security and firmware adaptability has long divided hardware engineers. This is not Ledger's Donjon security team's only laser attack this year, or even their first finding on Tangem. In early June, Trezor and its chip partner Tropic Square disclosed a related result where Donjon used the same laser fault injection technique on the TROPIC01 chip in the new Trezor Safe 7. In that instance, the exploit slipped past the chip's firmware signature check to run its own code, though funds stayed safe because the Safe 7 stacks three separate security layers. Historically, cheaper attacks go back further, but they hit softer targets. Years ago, this same team pulled the recovery seed straight off a stolen Trezor One or Trezor T with a rig costing about $100, because those wallets guarded secrets with an ordinary microcontroller and no secure element.
This reality was highlighted in coverage by Swati Khandelwal, detailing how Ledger's Donjon security team demonstrated a sophisticated vulnerability involving the Tangem crypto wallet. By aiming a precisely timed laser pulse at the internal Samsung S3D232A chip—a secure element certified to EAL6+—researchers forced the card into accepting any new password. Normally, the companion app relies on a password-reset feature requiring two linked cards. If the card is in recovery mode, it permits a password change without requesting the original credentials. However, by firing a laser pulse at the exact microsecond this status check runs, the chip's circuitry is temporarily disrupted, causing the check to misfire and falsely indicate recovery mode. This allows the attacker to run a standard SetPin command and gain control of the wallet. Because Tangem cards are manufactured with unalterable firmware, there is no way to deploy a software update. As the researchers put it, "there's no patch, but the attack is physical and invasive", meaning remote exploitation is impossible. Tangem pushed back, framing the exploit as an impractical, lab-only physical method that targets secure chips in general rather than exposing a unique design flaw. They also pointed out that Donjon belongs to Ledger, a major rival, and asserted that "the practical risk is virtually non-existent."
Examining the logistics of this attack reveals the extreme constraints under which it operates. Setting up the required laboratory environment demands specialized hardware skill, sensitive measuring gear, and a laser rig estimated to cost around $250,000. Additionally, the process is highly invasive, requiring researchers to physically cut open the card to expose the internal Samsung S3D232A chip, leaving behind structural damage. Once settings were calibrated, the Donjon team reported that the attack succeeded on every card they tested, requiring roughly 2 hours per card. While the security team disclosed this third finding to Tangem on February 10, 2026, the permanent hardware means all existing cards remain vulnerable. Tangem emphasized the economic irrationality of the exploit, noting that an attacker who spends $250,000 and wrecks cards has no way to tell whether a stolen card is worth $50 or $50 million.
For the broader cybersecurity landscape, this vulnerability serves as a stark warning about the trade-offs of immutable hardware design. When a physical device cannot be patched, users must weigh the peace of mind of zero remote vulnerability against the permanent threat of a physical flaw. If a user loses a card containing significant wealth, they can no longer rely on password protection alone; they must immediately transfer their funds to a secure, alternative wallet. This incident also highlights the limitations of third-party certifications like EAL6+, which evaluate the raw hardware chip rather than the software implementation written on top of it. Ultimately, businesses and consumers must recognize that physical security is not a binary status, but a continuous spectrum of risk.
Reporting based on original coverage from The Hacker News.
← Back to all stories