Briefing

A significant vulnerability has been disclosed in Tangem cold wallet cards, enabling a “tearing attack” that bypasses PIN attempt limits. This flaw, identified by Ledger’s Donjon team, allows for accelerated brute-force attacks on the card’s PIN by interrupting power during failed attempts. While the attack requires physical proximity and specialized equipment, it drastically reduces the time needed to compromise a wallet, posing a direct threat to user asset security. The vulnerability is unpatchable on existing cards, highlighting a critical hardware-level security concern.


Context

Hardware wallets are designed to provide robust offline security for digital assets, often relying on physical tamper-detection and limited PIN attempts to prevent unauthorized access. The expectation is that such devices are resistant to physical brute-force methods. However, the discovery of this “tearing attack” reveals a previously unaddressed attack surface, challenging the fundamental security assumptions of certain cold storage designs and demonstrating that even physically secured devices can harbor subtle, exploitable flaws.


Analysis

The incident centers on a physical “tearing attack” against Tangem cold wallet cards. The specific system compromised is the card’s internal security mechanism that registers failed PIN attempts. By physically cutting the card’s power supply precisely as a PIN attempt fails, the attacker prevents the card from recording the failed attempt, thereby circumventing the built-in attempt limits.

Simultaneously, electromagnetic emissions analysis is used to detect when a correct PIN combination is entered, streamlining the brute-force process. This chain of events allows an attacker with physical access to bypass the intended security measures and rapidly discover the user’s PIN, fundamentally undermining the card’s protection against unauthorized access.
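The ordering problem described above, as a simplified C model added here for illustration (it is not Tangem's firmware or the Donjon team's code). The names `struct card`, `verify_compare_first`, `verify_charge_first` and the sample PIN are hypothetical, and the write to the non-volatile counter is assumed to be atomic.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_TRIES 3

/* Hypothetical model: nv_tries stands in for a retry counter in non-volatile memory. */
struct card { int nv_tries; const char *pin; };
enum tear { NO_TEAR, TEAR_AFTER_COMPARE };   /* where simulated power loss occurs */
typedef int (*verify_fn)(struct card *, const char *, enum tear);

/* Compare without stopping at the first mismatching character. */
static bool pin_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned diff = (la != lb);
    for (size_t i = 0; i < la && i < lb; i++) diff |= (unsigned)(a[i] ^ b[i]);
    return diff == 0;
}

/* Weak ordering: compare first, record the failure afterwards.
 * Returns 1 = accepted, 0 = rejected or locked, -1 = power lost mid-operation. */
int verify_compare_first(struct card *c, const char *guess, enum tear t) {
    if (c->nv_tries <= 0) return 0;
    bool ok = pin_equal(guess, c->pin);
    if (t == TEAR_AFTER_COMPARE) return -1;  /* the counter update below never runs */
    if (ok) c->nv_tries = MAX_TRIES; else c->nv_tries--;
    return ok;
}

/* Hardened ordering: charge the attempt first (assumed atomic), refund on success. */
int verify_charge_first(struct card *c, const char *guess, enum tear t) {
    if (c->nv_tries <= 0) return 0;
    c->nv_tries--;                           /* committed before any comparison */
    bool ok = pin_equal(guess, c->pin);
    if (t == TEAR_AFTER_COMPARE) return -1;  /* attempt is already charged */
    if (ok) c->nv_tries = MAX_TRIES;
    return ok;
}

/* Number of torn wrong guesses a fresh card processes before locking (up to cap). */
int torn_guesses_until_locked(verify_fn verify, int cap) {
    struct card c = { MAX_TRIES, "4821" };   /* constructed sample PIN */
    int n = 0;
    while (n < cap && c.nv_tries > 0) { verify(&c, "0000", TEAR_AFTER_COMPARE); n++; }
    return n;
}

int main(void) {
    printf("compare-first: %d\n", torn_guesses_until_locked(verify_compare_first, 1000));
    printf("charge-first:  %d\n", torn_guesses_until_locked(verify_charge_first, 1000));
    return 0;
}
```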


Parameters

  • Targeted Hardware → Tangem Cold Wallet Cards
  • Attack Vector → Brute Force via “Tearing Attack”
  • Vulnerability Type → PIN Attempt Limit Bypass
  • Discovery Source → Ledger’s Donjon Team
  • Estimated Attack Cost → $5,000
  • Estimated Time (8-digit PIN) → ~460 days (down from 148 years)
  • Patch Status → Unpatchable on existing cards
  • Disclosure Date → September 18, 2025


Outlook

Users of Tangem cards are advised to immediately strengthen their PINs to eight or more alphanumeric characters and symbols, as existing cards cannot be patched. This incident underscores the necessity for rigorous, adversarial physical security testing in hardware wallet design and the importance of multi-factor authentication beyond simple PINs. It will likely prompt a re-evaluation of certification standards for cold storage devices and emphasize the need for transparency in vulnerability disclosures across the digital asset security industry.


Verdict

This hardware-level vulnerability in Tangem cold wallets represents a significant, unpatchable flaw that necessitates immediate user action and a re-evaluation of physical security assumptions in the digital asset ecosystem.

Signal Acquired from → Protos

Micro Crypto News Feeds

asset security

Definition ∞ Asset Security refers to the measures and protocols implemented to safeguard digital assets against unauthorized access, theft, or loss.

security assumptions

Definition ∞ Security assumptions are fundamental premises or beliefs about the operational integrity and trustworthiness of a system or protocol, upon which its security design is predicated.

cold wallet

Definition ∞ A cold wallet is a cryptocurrency storage device or method that is kept offline, disconnected from the internet.

unauthorized access

Definition ∞ Unauthorized access describes the act of gaining entry to a digital system, network, or data without explicit permission or authorization.

wallet

Definition ∞ A digital wallet is a software or hardware application that stores public and private keys, enabling users to send, receive, and manage their digital assets on a blockchain.

brute force

Definition ∞ Brute Force refers to a trial-and-error method used to gain access to information or systems by systematically checking all possible combinations.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

digital asset security

Definition ∞ Digital Asset Security refers to the measures and protocols implemented to protect digital assets from theft, loss, or unauthorized alteration.

digital asset

Definition ∞ A digital asset is a digital representation of value that can be owned, transferred, and traded.