DayFR Euro

We visited the “Dungeon”, Ledger’s fortress to protect against cyberattacks against its products

A month ago, Ledger inaugurated its new global headquarters in the heart of the Marais: “106”, in reference to its address on rue du Temple in the 3rd arrondissement of . The opportunity for the tricolor unicorn to celebrate its ten years of existence and to offer its employees a brand new and ultra-modern work tool to tackle the next ten years in the best conditions.

If the 7,500 square meter building has a plethora of spaces (cafe, bar, terraces, podcast studio, gym, basketball court, games room, etc.) to provide an optimal working environment, it also houses a very confidential and particularly strategic for Ledger: the “Dungeon”. Proof of its importance, the floor on which this “cyber-laboratory” is located is in the “orange” zone, a color reserved for “critical developments”. As for the “Dungeon” itself, it is squarely in the “red” zone for obvious security reasons. And as such, it is not possible to offer you a photo report, but we will explain to you what this little-known and essential place for Ledger looks like.

“It’s a team that takes care of breaking everything”

In this fortress with digital accents, no medieval struggle with swords and shields on the horizon, but a team of researchers who track down the slightest vulnerabilities in the French company’s products, but not only, to guarantee users Ledger wallets the best possible security. Created following the arrival of Charles Guillemet, the current CTO of Ledger, in 2017, the “Dungeon” has a mission as simple as it is vital: to heavily attack Ledger’s products like a hacker to detect all possible flaws and imaginable, in order to correct them, to always be one step ahead of cybercriminals. “It’s a team that takes care of breaking everything”summarizes with a smile Vincent Bouzon, in charge of product safety and head of the Dungeon at Ledger.

Today, this team has 17 employees, 60% working on software and 40% working on hardware. “No one has the same background”notes Vincent Bouzon, from the banking world. Indeed, very varied profiles make up this Ledger “task force”. “I wasn’t initially paranoid, but I don’t see things the same way anymore! (Laughs.). In wallets, there are the same components as in bank cards. But our developments must go further than those of the banking world”observes the boss of the Dungeon. To improve efficiency, the software and hardware teams have been combined for six months. Because a hardware flaw can lead to the discovery of a software flaw, and vice versa.

Software et hardware

The latter has two faces: one is quite classic which resembles any open space of a startup where the software teams are busy in front of their computers on which an incessant stream of lines of code scroll; the other more scientific with a laboratory where wallets from Ledger and competing companies, smartphones and even bank cards are piled up.

In this hardware part of the Dungeon, these different objects are mishandled by half a dozen tools to test the electronic chips embedded in these products. Among them, there is in particular a kind of oscillogram “to study the heartbeat and life of a flea”and the “Silicon Toaster,” a machine for testing electromagnetic chips using electric current. “We are trying to disrupt the chip to behave in a way that interests us. This makes it possible to detect flaws so that the product is resistant to any disruption. No Ledger wallet has ever been hacked”recalls Vincent Bouzon. The stakes are high as the French company claims to protect 25% of cryptocurrencies held in the world.

In this laboratory, tests of all kinds are carried out. This ranges from incessant laser attacks, to protect against it, to temperature tests to ensure that Ledger wallets never reveal their secrets to strangers. But to achieve such a degree of security, everything is not always simple. “If we start from scratch, we may need six months of analysis for a chip. But sometimes it only lasts a month or a few days if we already have a base of information. On average, it takes between two and three weeks.explains Vincent Bouzon.

“Securing the ecosystem”

Please note that the Dungeon tools are developed and used internally, but also offered as open source externally. “The Dungeon’s mission is not just to secure Ledger’s products, but to secure the ecosystem. If another player is hacked, there is no longer any confidence in the market. However, any negative disruption of the ecosystem impacts us”underlines the product safety manager. Before adding: “All our products are certified by Anssi (National Agency for Information Systems Security, editor’s note). We cannot say to ourselves that there will be a weakness one day. This is our daily burden.” And to protect this war chest, there is a “security governance” team, which is responsible for verifying that there are no internal flaws compromising the discoveries and actions of the Dungeon. “This allows us to verify that our safes are solid and well protected”indicates Vincent Bouzon.

To benefit the entire crypto ecosystem, the Dungeon shares all its research as open source. It must be said that after seven years of existence, this unique laboratory has earned itself a fine reputation. “Historically, the Dungeon has focused on software, but there have been a lot of hardware attacks in recent months. In 2025, we will focus more on DeFi blockchain and Web3. It’s an exciting universe, but one that also offers new perspectives to hackers”notes Vincent Bouzon. Before concluding: “There’s no magic at Ledger, we just don’t compromise on the safety of our products.”

It is no coincidence that thousands of people rushed to Ledger wallets after the incredible bankruptcy of FTX at the end of 2022. The tricolor unicorn, which aims to become “the largest technology company ever created in Europe” according to his boss, Pascal Gauthier, had then known “his best day, his best week and his best month”. And at a time when bitcoin is soaring again, interest in Ledger wallets risks being reinforced.

-

Related News :