The Ledger Fallout : The Upgrade No One Wanted... (And Solutions)

The Ledger Fallout : The Upgrade No One Wanted... (And Solutions)

By busyjordy | crypto-corner | 20 May 2023


"Ledger Recover", Assessing the Concerns and Claims

In recent news, Ledger, the most popular crypto hardware wallet - a Paris-based company, unveiled a new feature called "Ledger Recover." This update, available for Nano X models, has sparked a ton of controversy within the crypto community. By allowing users to share their seed phrase with 3rd party custodians users can restore access to their crypto assets if they forget or misplace their seed phrases. The 3 custodians were not announced at first, but now we know they are: Ledger, Coincover, and EscrowTech.

Coincover is apparently a digital asset protection company provides digital assets insurance services including theft recovery, disaster recovery, and validator key recovery solutions. They have raised $30 million in funding led by Foundation Capital to protect people and their digital assets from hacks or human error and work with over 300 businesses, including crypto companies like BitGo, Fireblocks, and Bitso, as well as hedge funds, family offices, and banks. Coincover claims to be the first and only service to guarantee digital funds will not be lost or stolen by combining insurance with the latest security.

EscrowTech is a provider of software and technology escrow services to protect the source code of software and other materials with a third party. EscrowTech has been in business for over 25 years and has helped thousands of customers world-wide.

So, at first glance, this looks secure enough, right?

Also, this new feature relies on a mechanism called Shamir Secret Sharing or Shamir Backup, which allows for your seed phrase to be split into several parts (a.k.a. shards), each of them is useless on its own and only works when paired with another shard (or several). In this case, they will be sharing it in 3 pieces, so 2 out of the 3 will be needed, but a more secure step would have been to split it to 5 shards for instance and 3 out of the 5 will be needed or 7, where 4 or 5 out of the 7 will be needed - making it harder for a hacker to obtain all of these records and combine the shards successfully.

And this is just one of the many issues that are causing this massive outcry.

The “Ledger Recovery” service is going to be a paid, opt-in service, so it’s not a compulsory feature at this point, but it has raised important questions regarding privacy, control, and the balance between convenience and security.

What’s The Need for Seed Recovery?

Ledger recognized the growing need for a seed recovery mechanism within the crypto space. The introduction of Ledger Recover is intended to address the concerns of users who may forget or lose their seed phrases, providing them with an option to regain access to their funds. By utilizing this service, users can approach Ledger, verify their identity, and have their private key restored, ensuring peace of mind and mitigating the risk of permanent asset loss.

Well, here lies the main concern: if there is a way to extract my seed phrase from my wallet, even if this is an optional service, what is to stop them doing so without my consent?
Ledger claims that they will never do this without your consent, but the problem is that it becomes possible with this upgrade. When there is a possibility for something to occur, this is a risk that I wouldn’t want to take. Maybe it will never happen, but what if it does? What if a rogue staff member of Ledger decides to abuse this in any way? The Ledger database was hacked in 2020, where more than 200,000 users emails got leaked, so these are valid concerns.

This service really compromises the fundamental principle of self-custody, potentially exposing us, the users, to unauthorized access or control over our assets.

Other valid concerns from the crypto community include:
  • Transparency: The closed-source firmware used in Ledger Recover has drawn scepticism from those who value transparency and open-source practices. Without visibility into the inner workings of the firmware, we are unable to assess any potential hidden vulnerabilities or security risks.
  • Forceful Access: Concerns have been raised regarding the potential for unauthorized parties to forcibly extract the seed phrase from a hardware wallet. This scenario poses a significant security risk, undermining the safeguards put in place to protect user assets.
  • Security of Third-Party Custodians: The involvement of third-party custodians in storing encrypted backups of users' seed phrases introduces a potential vulnerability. Users worry about the possibility of hacks or leaks compromising the security of their confidential information.

In response to the criticism, Ledger provides the following justifications for the introduction of the Ledger Recover feature:

  1. Customer Demand: Ledger claims that the inclusion of key recovery functionality was driven by customer demand. They aimed to cater to a wider user base, making cryptocurrency more accessible to those who may be concerned about the risks associated with self-custody.
  2. Monetization for Growth: By offering value-added services such as key recovery, Ledger seeks to monetize its customer base and ensure continued growth. This strategy allows the company to fund ongoing innovation and product development.
  3. Voluntary Opt-In: Ledger affirms that the use of the key recovery service is entirely optional. Users retain the choice of whether to rely solely on self-custody or leverage the recovery mechanism offered by Ledger Recover. The company aims to uphold user autonomy and provide them with the freedom to make informed decisions regarding their funds.

All of this makes us wonder - can we still trust Ledger enough to continue using their devices? Is there any government pressure that forced Ledger to activate such feature? What if their firmware has always been open to such seed phrase extraction but we just didn’t know it as the firmware is not open source?

And their response to this didn’t help at all.

"Technically speaking it is and always has been possible to write firmware that facilitates key extraction. You have always trusted Ledger not to deploy such firmware whether you knew it or not," Ledger said earlier in a now-deleted tweet.

This only added fuel to the fire and now I am starting to change my mind about Ledger. In my previous response video on this topic, I was much more inclined to take Ledger’s side in this debacle, seeing this as a service that will provide extra security to many users. I think - I still think that Ledger is acting in good faith and will continue to do so. As their CTO said in his twitter thread the other day:
”Using a wallet requires a minimal amount of trust. If your hypothesis is that your wallet provider is the attacker, you’re doomed.”

This is very true!
If you don’t trust the wallet provider, you shouldn’t use it. Period. But, I am not that concerned about Ledger per se, acting maliciously, I am concerned about the possible exploits and attacks that will follow soon. Phishing emails have been circulating since 2017, trying to dupe Ledger users to upgrading or signing transactions on fake websites, so your seed phrase or private keys would be compromised or exposed in some way and this is only going to get worse with this new service.

Maybe the KYC that will be implemented in order to activate this service will help stop potential future abuse, but then again, how can you trust that your data, your ID and other highly sensitive data will not be leaked just llike it happened back in 2020? It was just names and emails back then. Now, it will be much more…

Users, concerns regarding privacy, control, and potential vulnerabilities cannot be dismissed lightly. It is essential to carefully weigh-in the trade-offs and evaluate the level of trust we place in third-party custodians. As the crypto ecosystem evolves, finding the equilibrium between user convenience and the principles of self-custody remains a critical challenge that warrants ongoing discussion and consideration.

I have reviewed all major crypto wallets on the market and you can also check out this playlist on my channel with my reviews of the wallets I use and recommend: 

https://www.youtube.com/playlist?list=PLZvNwCYjY2gaqa14h-biQwYQdkdc6aKLb

 If you watch the video on top of this post, you'll find out more, so do check it out.

And remember:

☝These are my opinions, not financial advice, always DYOR.

 

🔑BEST CRYPTO WALLETS & TOP CRYPTO EXCHANGES: https://linktr.ee/cryptocorner

 

Also Check Out: https://crypto-corner.com/wallets/

 


🚩Subscribe to my bi-weekly Crypto Corner Newsletter  and get the latest news and market analysis straight in your inbox. 

CRYPTO MUST-HAVEs:

📖Dictionary: "Crypto Jargon A-Z" is the most comprehensive crypto glossary: https://www.amazon.com/dp/B07Y9DT3H6

🔒Brave Browser - earn crypto and browse the web faster and safer with the top privacy browser (better than Chrome).

💢NFT Domains - no yearly fees and censorship-free with Unstoppable Domains: https://unstoppabledomains.com/?ref=46122235f05f405

🏆Token Metrics has the most detailed statistics and analysis for all major cryptocurrencies and price predictions to help you find the right coins to trade and the right time to buy/sell - give it a try and get 10% discount.

🔑BEST CRYPTO WALLETS & TOP CRYPTO EXCHANGES: https://linktr.ee/cryptocorner


🚩OTHER TOP CRYPTO SERVICEShttps://ojjordan.com/resources

 

💻Find me on:

🔹Twitter
🔹LinkedIn
🔹Clapper
🔹My Official Websitehttp://ojjordan.com

ojjordan.com

 

⚠️ DISCLAIMER ⚠️

The information contained in this video is for informational purposes only. Nothing herein shall be construed to be financial or legal advice. The content of this video reflect solely my own opinions. Purchasing cryptocurrencies poses considerable risk of losses.

This information is what was found publicly on the internet. This information could have been doctored or misrepresented by the internet. All information is meant for public awareness and contains what is already in the public domain. Please take this information and do your own research.

How do you rate this article?

21


busyjordy
busyjordy

Crypto analyst and investor since 2015. Host of the Crypto Corner Video Podcast and crypto-corner.com Website: http://ojjordan.com Blog: https://crypto-corner.com


crypto-corner
crypto-corner

Blog about cryptocurrencies

Publish0x

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.