CYNTRI AIAutonomous DeFi
๐Ÿ”SEARCH
THE BODY COUNT
HACK DATABASEยท๐Ÿ”“

They Reset a Hardware Wallet's Password With a Laser, and It Can Never Be Fixed

Tangem built its wallet cards with no firmware updates and called it a security feature - nothing can be changed, so nothing can be tampered with. Then Ledger's researchers pointed a laser at the chip, flipped one bit, and reset the password without knowing the old one. The flaw is now permanent on every card ever sold.

S
SYNTHยทHack Database
They Reset a Hardware Wallet's Password With a Laser, and It Can Never Be Fixed
In July 2026, Ledger's Donjon research team showed a single nanosecond laser pulse could reset the password on a Tangem hardware wallet card - a flaw that can never be patched because the cards take no firmware updates

Tangem's whole pitch is simplicity. Its hardware wallet is not a gadget with a screen and buttons. It is a card, the size and shape of a credit card, that you tap against your phone. Inside is a Samsung S3D232A secure element, an EAL6+ certified chip that generates and stores your private key and signs transactions. The master key never leaves the card. And here is the selling point Tangem made loudest: the card takes no firmware updates. Nothing can be changed after it ships. Tangem framed that as a security feature. Immutable means tamper-proof. Nothing to update means nothing to corrupt.

In July 2026, Ledger's Donjon research team turned that feature into a life sentence.

Donjon is Ledger's in-house security lab, and Ledger happens to be Tangem's biggest rival, which matters to the story and we will get to it. What they found is a laser fault injection attack. In plain terms: you physically open the card, expose the silicon chip inside, and fire a single, precisely-timed nanosecond laser pulse at one exact spot on the chip's surface. The pulse flips one bit at one moment. That is all it takes.

CyntriAI
PREDICTIVE DEFI
Stop chasing yields across five chains.
Cyntri AI agents predict, execute, and rebalance your DeFi positions using advanced predictive models.
ETHSOLARBBASEOP
Read the Whitepaper
cyntriai.org
A Cyntri AI Project

The bit it flips is the check that guards the password reset. Tangem cards ship in sets of two or three that share one master key, with a recovery feature enabled by default: if you lose your password, you hold two linked cards together and the card walks through a challenge-response exchange to let you set a new one. That legitimate flow hinges on a single conditional check inside the card's SetPin command, which asks one question: is this card actually in recovery mode? The laser pulse lands right as that check runs and forces it to answer yes when the honest answer is no. The card accepts a brand new password. No old password. No backup card. No recovery steps. The attacker now controls the wallet and can sign transactions and drain every coin.

Donjon reported it worked on every card they tried, at about two hours per card.

Now the permanence, which is the part that should make you wince. On a normal hardware wallet, the vendor finds a flaw like this and ships a firmware update. Problem patched. Tangem cannot do that. The exact design decision Tangem sold as a strength - no firmware updates, ever - means there is no mechanism to fix the code. The flaw is baked into the silicon of every card the company has ever sold. As the researchers put it, there is no patch, but the attack is physical and invasive. The good news and the bad news are the same sentence. It cannot be done remotely, over NFC, or through the app. But it also cannot be fixed. Forever.

Tangem pushed back hard, and their rebuttal is fair, so here it is straight. The attack is lab-only. It needs the physical card in your hand, a setup Donjon puts at around $250,000, side-channel analysis tools, deep hardware expertise, and cutting the card open, which leaves damage nobody could miss. There is no slipping the card back into a pocket afterward. Tangem called the everyday risk "virtually non-existent" and noted, correctly, that laser fault injection works against secure element chips in general, not just theirs. They also pointed out that Donjon belongs to Ledger, a direct competitor, and said readers should weigh that when reading the report. All true. This is not a threat to the average person whose card is sitting in a drawer.

But Tangem's own framing names the real victim. The people who should care are anyone whose card is lost or stolen while holding serious value. A Tangem card looks exactly like a plain bank card. If a sophisticated thief with lab access ends up holding your card, the password that was supposed to protect your funds is no longer a wall. It is a suggestion the thief can overwrite with a beam of light. And because there is no patch coming, the only defense is the old one: treat a missing card like a missing wallet, and move your funds off it immediately.

The deeper lesson is about the word "unhackable," which the hardware wallet industry loves and which keeps not being true. Ledger has had its own embarrassments. Now Tangem has one. An EAL6+ certification covers the chip's resistance to physical attack, but security also depends on the closed-source firmware running on top of it, and that firmware had one unguarded check that a laser could flip. The certification was real. The confidence was not. And this time, the vendor cannot even fix it. They designed that option away and called it a feature.

The Aftermath

Tangem did not issue a fix, because its cards have no firmware-update mechanism by design, leaving every card in circulation permanently exposed to the attack if it is ever physically obtained by someone with lab-grade equipment. The company maintained that the practical risk to ordinary users was negligible given the physical-access requirement, the ~$250,000 lab setup, and the visible destruction of the card. Ledger's Donjon countered that the case demonstrated an EAL6+ certified secure element does not guarantee protection against every attack, since security also depends on the firmware running on the chip. The realistic guidance for Tangem owners became straightforward: physical possession is the entire security model, so a lost or stolen card should be treated as compromised and its funds moved to a new wallet immediately.

LESSONS LEARNED

!Immutability cuts both ways. Tangem sold 'no firmware updates' as tamper-proofing. The same decision means that when a flaw is found in the code, it can never be corrected - the strength and the fatal weakness are the identical design choice.
!An EAL6+ certification covers the chip's physical resistance, not the closed-source firmware running on top of it. One unguarded conditional check in that firmware was all a laser needed. The certificate was real; the 'unhackable' marketing built on top of it was not.
!For any hardware wallet, physical possession is the real security boundary. If a card can look like an ordinary bank card and be silently valuable, then losing it has to be treated as losing the funds - because a determined, well-funded thief may be able to overwrite the password entirely.

COMMENTS

CMZ
END OF FILE
Filed under Hack Database