Ledger Finds Flaw Lets Hackers Steal PINs and Crypto Keys From Powered‑Off Android Phones

Pulse · Mar 26, 2026

Why It Matters

The flaw demonstrates that a powered‑off device is not a safe device: an attacker with physical access can pull secrets from the handset before Android, the lock screen or any MDM agent has started. That erodes the security model of mobile‑first enterprises, which have treated "off" as a natural barrier. As organizations put Android devices into field operations, remote access and payment processing, the ability to extract cryptographic keys without user interaction forces a reevaluation of device‑security policies, MDM strategies and data‑classification frameworks. Beyond immediate remediation, the vulnerability may add industry‑wide pressure for more transparent hardware security roadmaps. If chipset manufacturers cannot guarantee the integrity of their TEEs, enterprises may shift toward devices with independently verified secure‑boot mechanisms, or keep critical keys off the phone entirely in external hardware security modules (HSMs), reshaping mobile device procurement.

Key Takeaways

  • Ledger’s Donjon team extracted PINs and crypto‑wallet seed phrases from powered‑off Android phones in under a minute.
  • The vulnerability affects MediaTek processors paired with Trustonic’s Trusted Execution Environment, covering roughly 25% of Android smartphones worldwide.
  • CVE‑2025‑20435 was disclosed on March 2, 2026 after MediaTek released firmware patches on January 5, 2026.
  • Charles Guillemet, Ledger CTO, warned that smartphones were never designed to be vaults and urged immediate updates.
  • Enterprise CIOs must enforce firmware updates, reconsider BYOD policies, and explore hardware‑independent key management.

Pulse Analysis

The discovery of a power‑off exploit in a widely deployed Android chipset signals a turning point for mobile security strategy. Historically, enterprises have relied on the operating system and MDM solutions to enforce encryption and access controls, assuming that a powered‑down device presented a natural barrier. This research shatters that assumption: the keys can be harvested before any software layer initializes, so OS‑level controls never get a chance to act. In the short term, CIOs will likely double down on patch management (the fix ships as chipset firmware, so each OEM has to integrate it into a build and push that build to handsets) and enforce stricter USB‑port controls, but the longer‑term implication is a potential migration toward devices with verifiable secure‑boot chains and external key storage.
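A fleet check of the kind the paragraph above calls for, added here as an example; it is not part of the article or of Ledger's research. It walks the devices visible to adb, reads the SoC platform and the Android security patch level, and flags MediaTek handsets whose patch level predates 2026‑01‑05. Assumptions not stated in the article: that the MediaTek fix is carried by the 2026‑01‑05 security patch level (Android bulletins place vendor and chipset fixes on the "‑05" level of each month), that MediaTek SoCs report a platform string starting with "mt" in ro.board.platform or ro.hardware, and that the OEM set the patch‑level string honestly when it integrated the firmware. The patch level is a proxy: a device reporting 2026‑01‑05 or later carries an OEM build that claims the January chipset fixes, which is not the same as proof that the TEE firmware itself was updated. The sample inventory at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not from the article or Ledger's write-up): flag MediaTek
# handsets whose Android security patch level predates the assumed fix level.
#
# Assumptions, none stated in the article:
#   - the MediaTek fix rides on the 2026-01-05 security patch level (Android
#     bulletins place vendor/chipset fixes on the "-05" level of each month)
#   - MediaTek SoCs expose a platform name starting with "mt" (e.g. mt6893)
#     in ro.board.platform or ro.hardware; Qualcomm/Exynos devices do not
#   - for --scan, adb is on PATH and the devices are authorised for debugging

FIXED_LEVEL="2026-01-05"

# is_mediatek PLATFORM HARDWARE: succeeds if either property looks like a MediaTek SoC
is_mediatek() {
    for v in "$1" "$2"; do
        case "$v" in
            mt[0-9]*) return 0 ;;
        esac
    done
    return 1
}

# earlier_than A B: succeeds if ISO date A sorts strictly before B
# (YYYY-MM-DD strings compare correctly as plain text, so sort decides)
earlier_than() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort | head -n 1)" = "$1" ]
}

# classify PLATFORM HARDWARE PATCH_LEVEL: prints one verdict word
#   not-mediatek  - other SoC vendor, out of scope for this CVE
#   unknown       - patch level missing or malformed; treat as exposed until checked
#   exposed       - MediaTek SoC on a build older than FIXED_LEVEL
#   patched       - MediaTek SoC on a build at or after FIXED_LEVEL
classify() {
    platform=$1; hardware=$2; level=$3
    if ! is_mediatek "$platform" "$hardware"; then
        echo "not-mediatek"
        return 0
    fi
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;
    esac
    if earlier_than "$level" "$FIXED_LEVEL"; then
        echo "exposed"
    else
        echo "patched"
    fi
}

# scan_fleet: query every device adb sees; prints "serial platform level verdict"
scan_fleet() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' | while read -r serial; do
        platform=$(adb -s "$serial" shell getprop ro.board.platform | tr -d '\r')
        hardware=$(adb -s "$serial" shell getprop ro.hardware | tr -d '\r')
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
        echo "$serial $platform $level $(classify "$platform" "$hardware" "$level")"
    done
}

# Constructed sample inventory (serial platform hardware patch_level); not real devices.
SAMPLE_INVENTORY='R58M1 mt6893 mt6893 2025-12-05
R58M2 mt6833 mt6833 2026-01-05
R58M3 kalama qcom 2025-11-05
R58M4 mt6877 mt6877 unknown'

# demo: classify the sample inventory offline; prints "serial verdict" per line
demo() {
    printf '%s\n' "$SAMPLE_INVENTORY" | while read -r serial platform hardware level; do
        echo "$serial $(classify "$platform" "$hardware" "$level")"
    done
}

if [ "${1:-}" = "--scan" ]; then
    scan_fleet
else
    demo
fi
```

Run it with `--scan` against a USB‑attached or network‑attached fleet; without arguments it classifies the constructed inventory so the logic can be checked offline. Treat `unknown` as exposed until a human looks at the device, and feed the `exposed` serials into whatever your MDM uses for forced‑update or quarantine groups.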

From a market perspective, the incident puts pressure on MediaTek and Trustonic to demonstrate faster, more transparent remediation. OEMs that have historically been slow to roll out firmware updates may face heightened scrutiny from corporate clients and regulators alike; here the gap between MediaTek's January 5 patch release and the date a fixed build actually reaches a given handset is the number that matters. This could accelerate consolidation in the Android OEM space, as enterprises gravitate toward vendors with proven update track records. The vulnerability may also boost demand for third‑party mobile security solutions that do not depend on the device's hardware root of trust, such as cloud‑based key vaults and peripheral authentication tokens.

Looking ahead, the episode underscores the need for a layered security model that does not place all trust in a single hardware component. CIOs should consider a zero‑trust posture for mobile devices, in which a lost or seized handset, on or off, cannot yield usable credentials: keys for critical operations live off the device (HSM, hardware token or cloud key vault), device‑bound keys are short‑lived or revocable, and identity and data access are re‑validated on every session rather than assumed from the device. As the threat landscape evolves, resistance to extraction from a powered‑off phone will become a benchmark for assessing the resilience of any mobile security architecture.
