The Tangem Vulnerability That Cannot Be Patched

The Tangem Vulnerability That Cannot Be Patched

A vulnerability has been found in Tangem hardware wallets. The findings were published by the research team at Ledger - a direct competitor of Tangem that also makes hardware wallets.

Tangem wallets are fairly widely used. They have one feature that is unique among hardware wallets: users can move funds into a smart contract and spend them through a virtual Visa card. As far as I know, Tangem was actually the first to offer a way to spend crypto assets via card payments while still holding the keys to those assets yourself.

And now, out of nowhere, a competitor has found a vulnerability affecting literally every Tangem wallet ever sold - past or present. In theory, this should be the end of Tangem. One of the defining features of their devices is that they cannot be reflashed. Customers saw that as a strength, but in this case it means the only real fix would be recalling every device they have ever shipped and starting over with a fundamentally new design. What company could survive a hit like that?

But there is one interesting detail. Exploiting this vulnerability requires physical access to the device, expensive lab-grade laser equipment, and serious expertise in hardware hacking. On one hand, that might suggest most users have nothing to worry about: it is unlikely anyone with that level of resources would bother targeting them. On the other hand, a vulnerability is still a vulnerability.

So the real question becomes: who does Tangem itself consider the main threat:

  • entities with the full toolkit - the equipment, the highly skilled personnel, and the ability to seize devices from their owners,
  • or ordinary thieves?

If it is the former, existing wallets will get recalled. If it is the latter, they will be left in circulation.

Who do you think is the bigger threat?