Mastodon Mastodon Mastodon Mastodon

Tangem Hardware Wallets Exposed to Costly Laser PIN Reset Attack

Photo of author

CyberSecureFox Editorial Team

Published:

The Ledger Donjon research team has disclosed a vulnerability in Tangem cryptocurrency wallets: a precisely timed laser pulse aimed at the card’s chip allows an attacker to reset the device password to an arbitrary value — without knowing the old password and without a second card. The attack requires physical access to the device and about $250,000 worth of lab equipment, but its fundamental danger is that Tangem cards do not support firmware updates, which means the vulnerability cannot be fixed on any card already sold. Owners of lost or stolen cards holding a substantial balance are advised to immediately move their funds to another wallet.

Attack mechanism

Tangem cards use a Samsung S3D232A secure element certified to EAL6+. The chip stores the private key and never exposes it externally. Protection is built on two factors: physical possession of the card and knowledge of the password.

According to the researchers, the vulnerable logic lies in the password recovery mechanism. Tangem sells cards in linked sets, and if the password is lost, the user can set a new one by tapping two cards together. Inside this process, the chip performs a single check: whether the card is in recovery mode. If it is, the new password is accepted without requesting the old one.

A laser pulse directed at the chip at the exact moment this check is executed briefly disrupts the circuit’s operation. As a result, the check returns a false positive, and the card behaves as if it were in recovery mode. After that, the standard SetPin command accepts a new password — without the old password, without a second card, and without any recovery phase. According to the researchers, disabling the recovery function does not help, because the same check is performed on every card.

To carry out the attack, the card must be opened and the chip exposed, which leaves obvious physical damage. According to Donjon, once the parameters are tuned, the attack worked on every tested card and took about two hours. The team reported the issue to Tangem on 10 February 2026.

Tangem’s position and conflict of interest

Tangem published a response describing the method as a laboratory physical attack applicable to secure elements in general, not exclusively to Tangem cards. The company emphasized that Donjon is owned by Ledger — a direct competitor in the hardware wallet market.

Tangem also presented an economic argument: the card does not contain information about the owner or the balance size, so an attacker who has spent $250,000 on equipment and ruined several cards while tuning the setup cannot know in advance whether a stolen card holds $50 or $50 million. According to the company, no hardware wallet user has lost funds as a result of a laser attack, and the practical risk to ordinary users is “virtually non-existent.”

Both sides are partially correct. The vulnerability is real, present in every card, and cannot be fixed — this is a confirmed fact. However, the cost and complexity of the attack do indeed make it impractical in the overwhelming majority of scenarios. The real risk window is narrow: a lost, stolen, or seized card whose value the attacker has reason to suspect.

It is also important to consider the disclosure context: all statements about the technical details of the attack come from a single research group owned by a Tangem competitor. Independent verification of the results by a third party is not documented in publicly available sources.

Broader context: a series of attacks on hardware wallets

This is not Donjon’s only study in the area of laser fault injection. In early June, Trezor and its chip development partner Tropic Square disclosed the results of a similar study: Donjon applied the same technique to the TROPIC01 chip in the Trezor Safe 7 wallet, bypassing the firmware signature check and running its own code. Trezor stated that users’ funds were not affected thanks to a three-layer security architecture — the PIN protection layer held. Unlike Tangem, Trezor and Tropic Square were able to respond: they released a temporary fix for current chips and are working on strengthening the next silicon revision.

This is already Donjon’s third finding involving Tangem. Previously, they discovered a vulnerability that bypassed authenticity checks in the Android application (fixed, since it was in updatable software) and a password brute-force method, which, like the laser attack, affects the card firmware and cannot be fixed.

The fundamental difference between Tangem and early Trezor models, from which Donjon extracted the seed phrase using $100 worth of equipment, is the use of a secure element. It is the secure element that raises the attack cost to a quarter of a million dollars. However, EAL6+ certification confirms the security of the chip itself and its built-in mechanisms, not the code that the wallet manufacturer runs on top of it — and according to the researchers, that is exactly where the vulnerability resides.

Recommendations

  • The card is in your possession: there is no threat. The attack cannot be performed remotely and requires physical access to the device.
  • The card is lost or stolen, and the balance is significant: immediately transfer the funds using another card from the set or the seed phrase (if it was configured). Do not rely on the password as the sole protection for a card you no longer physically control.
  • For all Tangem owners: ensure the physical security of your cards. Store them as you would cash of an equivalent amount — in a safe or other secure location.
  • When choosing a new wallet: consider firmware upgradability as a factor in long-term security. Immutable code protects against remote attacks but removes the ability to fix discovered flaws.

This vulnerability does not warrant panic, but it does require a sober assessment of your threat model. If your Tangem card is in your possession, the practical risk is minimal. If the card is lost and it holds significant funds, there is only one reliable course of action: transfer your assets to another wallet right now, without waiting for confirmation that someone has decided to spend $250,000 specifically on your card.


CyberSecureFox Editorial Team

The CyberSecureFox Editorial Team covers cybersecurity news, vulnerabilities, malware campaigns, ransomware activity, AI security, cloud security, and vendor security advisories. Articles are prepared using official advisories, CVE/NVD data, CISA alerts, vendor publications, and public research reports. Content is reviewed before publication and updated when new information becomes available.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.