"there's no patch, but the attack is physical and invasive," Donjon researchers wrote — and that blunt assessment is the hinge of a new set of hardware findings that leave every Tangem card already in circulation unfixable by software.
Donjon's laser fault injection on Tangem cards
Researchers on Ledger's Donjon team demonstrated that a precisely timed laser pulse, aimed at the secure element inside a Tangem crypto-wallet card, can reset the card's password to any value the attacker chooses. The exploit does not extract the private key; instead it causes the card to accept a new PIN without the old one, allowing whoever performs the procedure to control the wallet and move coins out.
The technique requires physical possession of the card, specialised lab equipment Donjon places at roughly $250,000, sensitive measurement gear, and deep hardware skill. The card must be cut open to expose the chip — a destructive step that leaves obvious damage — and Donjon reports the attack worked on every card it tried once the attack settings were locked in, taking about two hours per card. It cannot be performed remotely over the internet.
How the Samsung S3D232A secure element and recovery-mode check are abused
A Tangem card looks like a plain bank card but contains a Samsung S3D232A secure element certified to EAL6+. That chip stores the secret key and is meant to keep the key inside the chip. Tangem's password-recovery mechanism is designed so two cards in a linked set can reset a forgotten PIN: deep in that process the chip runs a single check — "is this card in recovery mode?"
Donjon's laser pulse, timed to the exact instant the chip performs that check, briefly disturbs the chip's circuitry so the test misfires and the card behaves as if it were in recovery mode when it is not. With that check defeated, the normal SetPin command will accept a brand-new PIN without asking for the old one. Turning off the recovery feature does not prevent the problem: the same check still runs on every card.
Tangem's design choice: non-updatable firmware and the unpatchable flaw
Tangem builds its cards so their firmware cannot be updated, a design the company promotes as a security feature because "nothing can be changed" after manufacture. That same choice means a firmware-level flaw cannot be corrected after sale. Donjon's summary — "there's no patch, but the attack is physical and invasive" — captures both sides of that tradeoff: the vulnerability is real and permanent, but it cannot be fixed with a software update.
Tangem pushed back publicly, characterising Donjon's method as a "lab-only physical method" that affects secure element chips in general rather than a problem unique to Tangem. The company noted that Donjon is part of Ledger, a major rival, and highlighted practical limits: a ruined card gives no on-card indication of value or ownership, so an attacker spending $250,000 and destroying cards has no guarantee a target is worth the expense. Tangem also stated that no one has lost funds to a laser attack on any hardware wallet so far and described the "practical risk" for everyday users as "virtually non-existent."
What this means for Tangem card owners, technologists, and attackers
- Owners of Tangem cards: The one clear, immediate action is for anyone whose card is lost or stolen and who holds serious value on that card to move the funds now — using another card in the set or a seed phrase if one was provisioned — and stop relying on the PIN to protect a card no longer in your control.
- Technologists and wallet makers: Tangem's non-updatable firmware means this specific firmware-layer flaw cannot be patched on already sold cards; by contrast, other vendors facing related laser fault results have been able to ship stopgaps and harden future silicon (see below).
- Adversaries and high-end labs: The attack raises the bar rather than removes the barrier. Donjon's work shows a motivated attacker with a quarter-million-dollar rig, two hours per card once tuned, and willingness to ruin cards can bypass the PIN check — but cost, device destruction, and uncertainty about value limit practical returns.
Related Donjon findings: Trezor Safe 7 and previous Tangem work
This is not Donjon's first laser-based result this year. In early June, Trezor and its chip partner Tropic Square disclosed that Donjon used laser fault injection on the TROPIC01 chip in the Trezor Safe 7, slipping past the chip's firmware signature check to run its own code. Trezor said funds remained safe on Safe 7 because the device stacks three security layers and the PIN-guarding layer held firm; Trezor and Tropic Square shipped a stopgap for current chips and are hardening the next silicon.
Donjon has also found earlier issues affecting Tangem: an Android app bypass that Tangem could patch because it resided in software Tangem controls, and a brute-force password method that, like this laser result, sits in firmware that cannot be changed after sale.
The record here is stark and narrow. Donjon's laser fault injection demonstrates a permanent firmware-level weakness in every Tangem card sold; Tangem's business choice to make cards non-updatable is the reason there is no patch. For most users, Tangem and Donjon agree the risk is low in practice. For owners of lost or stolen cards with substantial holdings, the recommendation is immediate: move the funds and cease depending on a PIN to protect a card you no longer physically control.




