Laser Attack Bypasses Tangem Crypto Wallet Security, Renders Cards Unpatchable
Researchers at **Ledger's Donjon security team** have demonstrated a sophisticated laser fault injection attack that can reset the password of a **Tangem** crypto wallet card. This highly technical physical vulnerability allows an attacker with specialized equipment to gain full control over a wallet, posing a significant risk for lost or stolen cards holding substantial value.
A groundbreaking discovery by **Ledger's Donjon security team** reveals a critical vulnerability in **Tangem** crypto wallet cards. Through a precisely timed laser pulse, researchers can force a password reset, granting an attacker complete control over the wallet's contents.
### The Mechanics of the Attack
The **Tangem** wallet, typically resembling a standard bank card, utilizes a **Samsung S3D232A** secure element chip, certified to **EAL6+**, to safeguard cryptographic keys. The primary defense mechanisms are physical possession of the card and knowledge of its password.
The exploit targets the card's password reset feature. Normally, users can reset a forgotten password by holding two linked **Tangem** cards together. During this process, the card performs a crucial check: verifying if it's in 'recovery mode.' The laser attack manipulates this check.
By firing a laser pulse at the chip at the exact moment this check executes, the circuitry is briefly disturbed, causing the card to erroneously believe it's in recovery mode. This bypasses the need for the old password or a second card, allowing the attacker to set a new password via the standard `SetPin` command.

### High Barrier to Entry, Permanent Flaw
This is not a simple attack. It requires a sophisticated lab setup, estimated at around $250,000, including a laser rig and sensitive measuring equipment. The process involves physically cutting open the card to expose the chip, leaving undeniable evidence of tampering. Once the setup is calibrated, the **Donjon** team reported the attack consistently worked on every card tested, taking approximately two hours per card.
A critical aspect of this vulnerability is its permanence. **Tangem** cards are designed without firmware update capabilities, a feature intended to enhance security by preventing remote tampering. However, this design choice now means the flaw embedded in the card's firmware cannot be patched. As the researchers noted in their [report](https://donjon.ledger.com/blog/bypassing-tangem-card-security-with-laser-attack/), "there's no patch, but the attack is physical and invasive."

### Tangem's Response and Industry Context
**Tangem** has responded publicly, acknowledging the attack but downplaying its practical risk. In their [statement](https://tangem.com/en/blog/post/lfi-response/), the company characterized it as a lab-only physical method applicable to secure element chips generally, not unique to **Tangem** cards. They also highlighted **Ledger** as a competitor, suggesting potential bias.
**Tangem** further argued that the financial barrier ($250,000) combined with the inability to ascertain a stolen card's value makes the attack economically unfeasible for most adversaries. They stated that no funds have been lost to laser attacks on hardware wallets to date, concluding that "the practical risk is virtually non-existent" for everyday users.
While **Tangem** is correct about the high cost and lack of remote execution, **Donjon** researchers are equally correct that the flaw is inherent and unpatchable. The overlap of concern lies specifically with lost, stolen, or seized cards that an attacker has strong reason to believe hold significant value.
This isn't the first time **Donjon** has demonstrated such an attack. In early June, they leveraged the same laser fault injection technique against the **TROPIC01** chip in the new **Trezor Safe 7**, enabling arbitrary code execution by bypassing firmware signature checks. **Trezor** and **Tropic Square** were able to implement a stopgap and are hardening future silicon versions, a stark contrast to **Tangem's** unpatchable design.
Earlier, less costly attacks by the same team targeted older **Trezor One** and **Trezor T** wallets, extracting recovery seeds due to their reliance on ordinary microcontrollers rather than secure elements. The **Tangem** card's secure element significantly raises the bar, but as this research proves, it doesn't eliminate the danger entirely. The **EAL6+** certification applies to the chip's built-in defenses, not necessarily the wallet maker's software layer, where this specific flaw resides.
This laser attack marks the third **Donjon** finding related to **Tangem**. An earlier **Android app bypass** was patchable, but this laser vulnerability and a previously discovered **password brute-force method** are both rooted in the card's unalterable firmware.
### Recommendations for Users
For the vast majority of **Tangem** users, the advice remains consistent: secure your physical card. This attack requires physical access and cannot be performed remotely. However, if a **Tangem** card is lost, stolen, or otherwise compromised and holds substantial assets, users should immediately move their funds. This can be done using another card in their linked set or via a seed phrase, if one was set up, without relying on the compromised card's password for protection.