Ledger Donjon researchers have identified a critical security flaw in Tangem hardware wallet cards that allows attackers to bypass password protection using a precision laser attack, potentially enabling full access to stored cryptocurrency assets.
The vulnerability, detailed in Ledger Donjon's technical report, enables an attacker to reset the card's password and gain complete wallet access with a single targeted laser pulse. The flaw persists even when password recovery functions are disabled in the application settings, and affects all Tangem cards currently in circulation. Critically, the vulnerability cannot be patched through firmware updates due to the nature of the hardware implementation.
However, the attack's practical threat remains limited to sophisticated threat actors. Exploiting the vulnerability requires physical possession of the card, specialized laboratory equipment costing approximately $250,000, and deep expertise in hardware security attacks—capabilities beyond typical cybercriminals. For ordinary users, real risk is confined to scenarios involving card theft or physical loss.
Tangem has not yet publicly commented on remediation strategies. The discovery underscores the ongoing tension between hardware wallet security design and advanced physical attack vectors in the cryptocurrency custody landscape.