Vulnerability Discovered in Tangem Hardware Wallets Raises Security Concerns

By Patricia Miller

3 min read

Ledger's research reveals a vulnerability in Tangem cards, manageable only through costly, specialized attacks, leaving users' assets at risk.

#What vulnerability has been discovered in Tangem hardware wallet cards?

Recent findings from Ledger's security research team, known as Donjon, have revealed a significant vulnerability affecting Tangem hardware wallet cards. The method employs a precisely aimed laser pulse that can effectively bypass the password protection mechanism by targeting the Samsung S3D232A secure element chip embedded in the cards. This sophisticated attack manipulates the firmware to reset the access password without requiring the original credentials.

The alarming aspect for users of Tangem cards stems from their lack of a firmware update option, rendering this vulnerability unpatchable. As a result, every Tangem card currently in circulation remains susceptible to this flaw, and there is no fix forthcoming from the company.

#How does the laser fault injection technique operate?

The process utilized in this attack is known as laser fault injection, or LFI. In practical terms, researchers can manipulate the chip by firing a rapid laser pulse at a precise location when the chip is conducting a security check. This pulse induces a temporary glitch that alters the logic gate responsible for verifying passwords. Consequently, instead of returning a negative response when given an incorrect password, the chip mistakenly believes it is in a recovery state, allowing an attacker to set a new password and access the wallet's contents.

Despite the chip boasting an EAL6+ security certification, it is crucial not to dismiss this vulnerability hastily. The attack necessitates physical access to the card, high-end laboratory equipment, and an investment of approximately $250,000 in setup costs. Additionally, expert knowledge in hardware security is crucial for executing this strategy, as well as the capability to navigate protections like flash-write fault detection.

#How has Tangem responded to the discovery?

After being informed of this vulnerability on February 10, 2026, Tangem has since downplayed the potential risks associated with this specific attack. They characterize it as theoretical and not scalable, suggesting that it poses little threat to the average user. While this viewpoint may hold some validity, it does not change the uncomfortable reality of an unpatchable security flaw.

This incident marks the second security concern identified by Donjon within a relatively short span. The first issue highlighted in September 2025 described a brute-force attack method on Tangem cards.

#What protective measures does Tangem provide?

Despite the highlighted vulnerabilities, Tangem's architecture has some built-in defenses. The cards employ a seedless model where private keys are stored entirely within the chip and are never exported. Furthermore, Tangem cards do not retain personal information about the user or their asset balances. This design complicates any efforts to target specific cards, as attackers must first identify potentially valuable cards without assistance.

#What implications does this have for hardware wallet users?

For many cryptocurrency holders, especially those with smaller portfolios, the substantial cost of executing a laser attack may not be a realistic threat. The vast economic disparity between the attack costs and the value of most wallets makes the risk negligible for average users. However, for individuals with significant assets or organizations holding millions in cryptocurrency, the implications of an unpatchable security vulnerability become quite serious. The fact that no firmware updates can protect against this risk indicates a permanent flaw in device security that could impact high-value users in particular.

Important Notice And Disclaimer

This article does not provide any financial advice and is not a recommendation to deal in any securities or product. Investments may fall in value and an investor may lose some or all of their investment. Past performance is not an indicator of future performance.