Bitcoin Forum

Ledger is preparing to launch a new service called Ledger Recover that splits a wallet recovery phrase—basically, a human-readable form of the private key—into three encrypted shards and distributes them to three custodians: Ledger, crypto custody firm Coincover, and code escrow company EscrowTech.  If somebody loses their recovery phrase, two of the three shards can be combined—pending an ID check—to regain access to the locked funds. Essentially, Ledger Recover is an additional safety net; for the price of $9.99 a month, it takes the jeopardy out of crypto’s version of stuffing dollars under the mattress. It’ll be available in the UK, EU, US, and Canada and come to other territories later in the year.
(...)
Ledger Recover is a service, he says, not a feature—one that provides all the niceties and safety mechanisms regular people are looking for. The fragments of the recovery phase are encrypted and stored by each custodian on specially secured servers, and the balance of the user’s wallet is covered up to a value of €50,000 ($55,000) if something goes awry, a little like deposit insurance at a bank. It’s also being designed with a less technical user in mind.

I guess they have released this info on the wrong day... This should have been released on april 1st, since it has to be an april fool's joke.
If this is true, i'll never point people towards ledger hardware ever again... FFS, if this is true, they're completely demolishing everything a hardware wallet stands for...

If anyone is wondering how can an entity destroy the concept of their own products - in this case by exporting the seed phrase to outside entities, even if it is encrypted - then wait no more because Ledger will launch their new service, Ledger Recover

If anyone is wondering how can an entity destroy the concept of their own products - in this case by exporting the seed phrase to outside entities, even if it is encrypted - then wait no more because Ledger will launch their new service, Ledger Recover[1]

(...)If this is true, i'll never point people towards ledger hardware ever again... FFS, if this is true, they're completely demolishing everything a hardware wallet stands for...

The device sends encrypted shards of your seed to different companies if you decide to use the service. You can of course still choose to backup it yourself.

Wait.... Just bought a Ledger wallet a week ago. I have some ETh inside. Should i take them off? Is it unsafe ?

This is a paid feature so it's not sending your seed phrase anywhere unless you pay $9.99 per month for it (which is a dumb subscription).

This is a paid feature so it's not sending your seed phrase anywhere unless you pay $9.99 per month for it (which is a dumb subscription).

So, let me get this straight: they're gonna take our recovery phrase and split it up, sending encrypted pieces to these custodians without giving us a choice?

I do not know why some people like telling people that Ledger Nano wallets are good, they should not have been trusted from the first day they created wallets in the past, because all their wallets are having close source secure elements.

If you can not verify, why trust the company when there are some alternatives that everything about their wallet makeup are open source.

So it's that subscription that is exposing the keys ?

You subscribe there in order to backup your keys?

If this is true, i'll never point people towards ledger hardware ever again... FFS, if this is true, they're completely demolishing everything a hardware wallet stands for...

~snip~

Seed plate in a secure spot and done. Is it really that difficult?

Not your keys, not your coins. Give your keys to someone else....not your keys anymore.

-Dave

We conveniently already have a name for a hardware wallet which can expose your seed phrase to the internet. It's called a hot wallet.

All correct except the last part. To become part of their revolutionary seed sharing solution, you have to subscribe to it somewhere, give your consent, and agree to pay those $9.99 per month. So, you don't have to use it. It's just an idiotic option they give you. I wonder why the Nano S Plus isn't mentioned? Maybe we can expect that in the release notes for the new S Plus firmware.   

No, you subscribe there for them to back up 2 out of 3 shards of your recovery phrase. If you lose your own, the 2 shards stored by 3rd-parties are supposed to allow you to backup your wallet.

The whole point of a hardware wallet is to store your seed phrase and private keys safely and securely inside and prevent them from being extracted. The whole point of Ledger's secure element is that there is no possible way to extract the seed phrase from it. Now we have just discovered that a simple firmware update will permit the secure element to start sending your seed phrase across the internet. Ledger have just admitted that their entire design is deeply flawed.

https://twitter.com/i/spaces/1RDxlavNoAzKL?s=20

I have a question that might be important about this service:
--> Will this update make Ledger able to extract the seed from the hard wallet? (which I thought was impossible, like you said)
or
--> Will the user have to type the seed to be stored by the ledger?

If it's the second option it wouldn't change much regarding security for those who don't opt for the service
But if it is the first option, it is a tool that can fall into the wrong hands and generate an exploit

I've skim listened to this on 2x speed, but I can't find anywhere that they actually address that there now exists the ability for Ledger wallets to export seed phrases off of the secure element. Someone please correct me if I'm wrong. They answer questions like politicians. Direct quote from Nicolas Barra (BTChip, Ledger VP): "I'm not sure what's not to like."

Why do I need Ledger Recover?
You’re responsible for storing your Secret Recovery Phrase. While this setup makes you enjoy all the benefits of self-custody and complete control over your assets, it also makes you solely responsible for their protection. Ledger Recover is designed for users who want to add an enhanced layer of security in case their Secret Recovery Phrase is lost or when they can't access it.

Who has access to my wallet with Ledger Recover?
In short, only you can access your wallet. When you subscribe to Ledger Recover, a pre-BIP39 version of your private key is encrypted, duplicated and divided into three fragments, with each fragment secured by a separate company—Coincover, Ledger and an independent backup service provider. Each of these encrypted fragments is useless on its own. When you want to get access to your wallet, 2 of the 3 parties will send fragments back to your Ledger device, reassembling them to build your private key.

What if I lose my Ledger device that is associated with my Ledger Recover subscription?
Simply get another Ledger device and follow the process to recover access to your wallet.

Does Ledger Recover store my personal data?
Your identity details are collected by Ledger Recover ID verification service providers. Coincover and Ledger store an encrypted excerpt of this data. Only authorized third parties have access to it. To learn more about how we collect and use this information, please read our Privacy Policy.

What if someone gets access to my wallet using Ledger Recover?
Ledger Recover comprises extensive identity verification processes—performed by Coincover within a secure environment built by Ledger. As an added layer of protection, subject to investigation, $50,000 compensation may be available from Coincover in the unlikely event that something were to go wrong.

https://support.ledger.com/hc/en-us/articles/9579368109597?docs=true (https://support.ledger.com/hc/en-us/articles/9579368109597?docs=true)

And still they ignore the most pressing question that everyone is asking: Why is this even possible in the first place?

More precisely, the code running on the STM module now contains functionality to split the seed into encrypted shards, and only when the user consents to this operation with a physical button press.

These shards have additional mechanisms in place to make them truly useless for any purpose other than the Recover process that's been designed. Details for that are coming soon, but just know that this sharding cannot occur without your consent.

Since their customers were basically sold a lie - their recovery phrases would never be able to leave their device - isn't this a solid ground for a class-action lawsuit?

Coincover provides the gold standard in digital asset security, addressing the most significant barrier to mainstream adoption: trust. If wallet access is lost, Coincover offers encrypted and military-grade storage for retrieving the key.

And still they ignore the most pressing question that everyone is asking: Why is this even possible in the first place?

Seriously, do the management teams behind both wallets understand nothing about bitcoin?

The device is not an offline device then?
Someone please answer it.

The device sends encrypted shards of your seed to different companies if you decide to use the service. You can of course still choose to backup it yourself.

It would be fool to think that they don't understand the basic. Question is why they are pretending that the don't have the basic understanding. Who is behind all these?
Let me guess, it's those who are printing notes and doing everything from the tax payers money.

You can't fix stupid.

Stupidity is a chronic disorder.  This strikes me as Ledger attempting to cater to the least common denominator, i.e. the really stupid!  The trouble is that whenever you try to make something fool-proof, someone goes out and builds a better idiot.  Maybe they're trying to compete with Jack Dorsey's (Block Inc) policy of "Shared-Self-Custody."

I'm worried, since I have a Ledger Nano S  :(

I wonder what they're thinking about when they're doing this?

I wonder why the Nano S Plus isn't mentioned? Maybe we can expect that in the release notes for the new S Plus firmware.

Wait.... Just bought a Ledger wallet a week ago. I have some ETh inside. Should i take them off? Is it unsafe ?

It would be fool to think that they don't understand the basic. Question is why they are pretending that the don't have the basic understanding. Who is behind all these?
Let me guess, it's those who are printing notes and doing everything from the tax payers money.

Question remains.
The device is not an offline device then?
Someone please answer it.

I'm still pretty skeptical about all this. Has Ledger put out any official statement or something that says the seed phrase won't be sent anywhere unless we subscribe to their monthly plan? However, even if such confirmation exists, we should still question whether we have any means of independently verifying this claim or if we're simply relying on their word. The mere possibility of the seed phrase leaving the hardware device and potentially being accessible online, in any form, undermines the fundamental purpose of a hardware wallet, which is to serve as the sole custodian of our private keys.

No matter how stupid it all sounds, this is still a positive thing. At least now we all know how unsafe it is and that there is a possibility of a backdoor, and this is a serious reason to completely abandon this product.

The only upside is that it requires device-based confirmation, similar to signing signatures, or at least so they claim.

Personally, I'm moving over to Trezor.

If they can enable such a feature with the user's consent, what stops them from enabling it without the user's consent if the user doesn't want to use it? All they have now is a promise they can't do it, but their words and guarantees are worth very little at this stage.

What would happen to my Ledger Recover subscription and related data if one of the companies goes out of business?

If one of the companies holding a fragment of the Secret Recovery Phrase shuts down, the other two will maintain the service and eventually replace it with a new company.

Can someone explain to me how the following is possible:

What prevents them from collaborating to steal customer funds and pretending that the user himself fucked up with recovery keys?

Why the customer paying for service is not included in this recovery quorum?

Why the customer paying for service is not included in this recovery quorum?

The trust is currently broken. Ledger says anyone can opt-out of the service, but how can we verify that the backdoor wasn't there the whole time?
~snip~

The user could be included, but you are already supposed to have copies of your entire recovery phrase anyway. If you can't keep track of that and lose it, why keep a copy of one additional 1/3 shard?

Not that it makes this any better, but will they require that you generate a new seed to participate in their paid seed-share service or does it also apply to seeds generated before this was rolled out?

Remember when Trezor and Ledger were the two best hardware wallets out there, and every thread had people (me included!) recommending either/both of them. How the mighty have fallen! Both are complete and utter trash now, completely ruined by awful decisions such as this one. Seriously, do the management teams behind both wallets understand nothing about bitcoin?

Ledger have just admitted that their entire design is deeply flawed.

what i also wonder is what happens to the Legder sticks that don't go through this update - can they continue to be used without problems?

What happened with Trezor? I remember a seed extraction hack from a couple years back, but that one still required physical access which makes it not even nearly as bad as what Ledger is doing.

Probably. But you can't ever be sure that this backdoor hasn't been there all along, as pointed out by others upthread.

"We are security and self-custody maxis. These are things we won't make compromise on." - @iancr

"Ledger Recover allows people to back up their seed phrase. If you aren't concerned with your seed phrase security, then this won't be for you. It's 100% optional." - @iancr

"When I think of my mom using our product - there are two main hurdles. One is unreadable addresses, and two is managing your private key. If you know how to back up your 24 words securely, Ledger Recover isn't for you. But for people like my mother, those 24 words can be really complicated." - @P3b7_

"Technically, as soon as you opt in for the service, you'll be asked if you are happy to opt-in for Ledger Recover. If you are - then you sign a transaction on your Ledger to shard your private keys into 3 shards, then it's encrypted in the device, then a secure channel is created within the device for the 3rd party providers which allows the encrypted shards, which are encrypted again and then stored with the providers." - @P3b7_

"When you need to recover your seed, you will go through a ID Verification process (which is very comprehensive) to confirm your identity. After you are verified, the providers will send the encrypted shards to your Ledger Nano device directly. The device decrypts the shards in your device and you're set." - @P3b7_

"Here, the point which is important to remember is that you stay in control…there’s no backdoor, nothing will happen without your consent on the device…in the future, the whole protocol will be open, so you’ll be able to verify how the whole protocol works." - @BTChip

"There are three parties (in 3 different jurisdictions) storing the shards - one is @Coincoverglobal, which already works with several B2B offerings, that keeps one shard of and provides the $50k insurance plan; the other escrowtech, which backs up the 3rd shard. And there are two ID verification providers." - @P3b7_

"If you understand self-custody very well and can fully self-sovereign, you don't need Ledger Recover; if you are someone like my mother, then this product will be for you. At the end, you choose." - @P3b7_

"Ledger Recover is what our future 100m of customers want - they will onboard into crypto in a secure way with Ledger Recover." - @_pgauthier

Q: Is my seed phrase safe - is there a backdoor?
A: There are no backdoors in any Ledger. Your seed is secured in the Secure Element chip and on your paper. If you opt in for Ledger Recover, there’s an additional back up in the form of 3 encrypted shards stored with 3 different parties.

"In another word, every time you access your private key, the Ledger device requires your consent. Ledger Recover is simply another application that is built on the Secure Element chip that is never compromised, just like when you need to sign a transaction with a Ledger." - @BTChip

"The Secure Element is a small computer that operates cryptographic features exclusively, including generating and securing the private key. What we did was to include a new feature in the Operating System, which encrypts and shards the private key which enables Ledger Recover." - @P3b7_

"We keep only what is legally required, nothing more. We don't want to take up the responsibility of being a custodian. Our opinion of KYC is that Ledger doesn't do it. We provide you access to services that might require KYC. It's completely up to you." - @iancr

"If you are not comfortable with ID Verification - then you can either choose a different service or you can build your own recover services." - @BTChip

The user could be included, but you are already supposed to have copies of your entire recovery phrase anyway. If you can't keep track of that and lose it, why keep a copy of one additional 1/3 shard?

Absolutely nothing.

Allegedly, and the fact that they have made it very clear everywhere, the Nano S model will be the only one that will not have that back door.
But how now are we to know? Doubts were left in the air, there is not much way to remedy it.

That, and their partnership with Wasabi and blockchain analysis firms, resulting in government sanctioned surveillance and censorship.

"When I think of my mom using our product - there are two main hurdles. One is unreadable addresses, and two is managing your private key. If you know how to back up your 24 words securely, Ledger Recover isn't for you. But for people like my mother, those 24 words can be really complicated." - @P3b7_
---
"If you understand self-custody very well and can fully self-sovereign, you don't need Ledger Recover; if you are someone like my mother, then this product will be for you. At the end, you choose." - @P3b7_
--
"Ledger Recover is what our future 100m of customers want - they will onboard into crypto in a secure way with Ledger Recover." - @_pgauthier

but honestly, some of their explanations were all over the place, not really addressing the tough questions head-on.
...
I'm left feeling like there's a whole lot of smoke and mirrors going on.

In general, signaling theory says that if you have a good way of proving something and a noisy way of proving something, and you choose the noisy way, that means chances are it’s because you couldn’t do the good way in the first place.

Does it mean we can't verify that they have no access to the decryption key used to reconstruct the initial seed? It is still unclear how the whole decryption process works and how a hardware wallet knows that you underwent a KYC procedure to start recovering. Who sends it a decryption key because it may be a different device from that you created your setup?

How not to run a company, 101.

This is a paid feature so it's not sending your seed phrase anywhere unless you pay $9.99 per month for it (which is a dumb subscription).

~snip

~snip

This is so bad that i might give them negative feedback if they have account on this forum. And considering this "feature" require ID verification where Ledger already leak user data in past, it feels like disaster waiting to happen. By disaster, i mean your legal document will be leaked and misused by criminal to perform identity theft.

We are also discussing the Ledger issue in the German board and found a tweet claiming that the Nano Ledger S may not be affected because the device is too old for the the current Ledger Recover firmware update?

If anyone is wondering how can an entity destroy the concept of their own products - in this case by exporting the seed phrase to outside entities, even if it is encrypted - then wait no more because Ledger will launch their new service, Ledger Recover[1]:

We are also discussing the Ledger issue in the German board and found a tweet claiming that the Nano Ledger S may not be affected because the device is too old for the the current Ledger Recover firmware update?

and then, for those who don't feel comfortable with their wallet, change their money to another one.

We are also discussing the Ledger issue in the German board and found a tweet claiming that the Nano Ledger S may not be affected because the device is too old for the the current Ledger Recover firmware update?

Regardless of the fact that you should still look for another hardware wallet company, can anyone with a more technical background comment on whether this information is correct?

I'm not a technical fan, but is this thought true?
If the Nano S can "dodge" the 2.2.1 update. then it may be able to dodge another update later, then it will eventually be devices with outdated systems that are increasingly vulnerable while at any later higher update it won't exclude all the new features of 2.2.1.

To answer to your second question, if you had to type your recovery phrases to use this service, it would be even worse than the current solution that they are proposing as you were violating one of the core rules of your funds safety - never share/type your recovery phrases anywhere, not even with your device manufacturer or the Pope.

Hi - your private keys never leave the Secure Element chip, which has never been hacked. The Secure Element is 3rd party certified, and is the same technology as used in passports and credit cards. A firmware update cannot extract the private keys from the Secure Element.

Say that even if we've got the old nano s but they can still try to do something and update and force an update for its firmware, is that right?

"Here, the point which is important to remember is that you stay in control…there’s no backdoor, nothing will happen without your consent on the device…in the future, the whole protocol will be open, so you’ll be able to verify how the whole protocol works." - @BTChip

Does it mean we can't verify that they have no access to the decryption key used to reconstruct the initial seed?

An update is irrelevant. As I explained earlier in this thread and in the tweet just above, the whole point of Ledger's Secure Element was that the private keys could never leave the Secure Element. We now know that claim is a lie, and has therefore been a lie since day one. A simple piece of code is all that is required to extract your private keys. All Ledger devices are vulnerable whether or not you opt in to this or update to the latest firmware.

An update is irrelevant. As I explained earlier in this thread and in the tweet just above, the whole point of Ledger's Secure Element was that the private keys could never leave the Secure Element. We now know that claim is a lie, and has therefore been a lie since day one. A simple piece of code is all that is required to extract your private keys. All Ledger devices are vulnerable whether or not you opt in to this or update to the latest firmware.

That statement is still true today. The keys can't leave the secure element unless you pay $9.99 a month for the pleasure of sharing your keys. It's not a time to joke around, but this is as silly as it gets.

If you choose to pay for a subscription, you're still the only one with access to your Secret Recovery Phrase, and you will also have a backup that will be created and accessible only to you. You remain the only one able to pass the identity verification check that is required to fetch back the encrypted fragments and rebuild your Secret Recovery Phrase into another Ledger device—should you need to do so in the future.

~~

I still haven't been able to figure out one aspect (and maybe no one has figured it out yet):
Is the key automatically collected by Ledger for the person paying for this service, or does the user need to provide the key?

According to their statement

An update is irrelevant. As I explained earlier in this thread and in the tweet just above, the whole point of Ledger's Secure Element was that the private keys could never leave the Secure Element. We now know that claim is a lie, and has therefore been a lie since day one. A simple piece of code is all that is required to extract your private keys. All Ledger devices are vulnerable whether or not you opt in to this or update to the latest firmware.

According to their statement

Right. But approve what?
Does the person have to repeat the passphrase in order to be registered in this "recovery program"? Or is it just a mere question, which person answers "yes"?

If a user decides to subscribe to Ledger Recover, then his/her SRP will be encrypted, fragmented into three parts, and each part will be sent end-to-end encrypted between your Ledger product and the backup providers' secure Hardware Security Models (HSMs – not in the cloud).

Ledger acts as backup provider for only one encrypted fragment, and a single fragment doesn't allow the SRP to be recovered.
Ledger cannot access any user’s SRPs, nor will it be able to do so at any point in the future.

If anyone is wondering how can an entity destroy the concept of their own products - in this case by exporting the seed phrase to outside entities, even if it is encrypted - then wait no more because Ledger will launch their new service, Ledger Recover[1]:
I've tried to look upon any more news regarding this paid service, but so far I'm not able to find anything on Ledger website (release notes are currently on OS version 2.1.0). The only reference that I found was this[2] Reddit post where the concept appears in Ledger Nano X newest firmware update (2.2.1):
https://i.vgy.me/pmqQ26.png
I believe most Ledger customers will see this as a service to subscribe to since this will be seen as a "safe heaven" in order to avoid the loss of their funds, or even an alternative that holds their hand and makes them feel safe regarding their funds. Sadly they aren't aware of what is actually happening in the background, but I don't think most people will care as long as they have another option to access their funds...

---

[1]https://www.wired.co.uk/article/ftx-crypto-investors-hardware-wallets (https://www.wired.co.uk/article/ftx-crypto-investors-hardware-wallets)
[2]https://safereddit.com/r/CryptoCurrency/comments/13im3bc/wtf_ledger_this_is_a_disaster_waiting_to_happen/ (https://safereddit.com/r/CryptoCurrency/comments/13im3bc/wtf_ledger_this_is_a_disaster_waiting_to_happen/)

An update is irrelevant. As I explained earlier in this thread and in the tweet just above, the whole point of Ledger's Secure Element was that the private keys could never leave the Secure Element. We now know that claim is a lie, and has therefore been a lie since day one. A simple piece of code is all that is required to extract your private keys. All Ledger devices are vulnerable whether or not you opt in to this or update to the latest firmware.

Right. But approve what?
Does the person have to repeat the passphrase in order to be registered in this "recovery program"? Or is it just a mere question, which person answers "yes"?

~~

I have a few bitcoin savings in Ledger Nano s which I never open since 2 years ago, and I never connect with Live applications except only connect with Electrum. So, does my ledger have an impact or effect? I don't want to try it and don't intend to open it now, because I save it for the next 10-15 years, now, I have doubts if is it really safe to continue it or if I must move my balance to another hardware wallet, Please give me instruction what the best, I'm still young and only have bitcoin as my current investment for future.

I think Ledger want to be the first oficial """"""aproved hardware wallet"""""" by the goverments/stablishment, i cant find another idea about what are they doing.

Because this seem very very similar at how it works the payment system on shops online when you paid with credit/debit card. You never give to the local where you are buying you credit card info, you send that information to a third party who say its OK or not and make the payment in conection with the bank and the commerce.

So i think this its very similar, they are making some lobby and making some new units of business with someone to be the first and only """"LEGAL"""" hardware wallet.
Trusted by some XXX third party companie who the goverment aproves and they are all friend between them.

And yes before you say, they sell their soul to the devil.

Here is the problem. Ledger is one of many hardware wallet brands that use a secure element chip whose sole job was to keep your seed and private keys offline. Meaning, it was supposed to be impossible that sensitive information leaves the chip and gets transmitted online. Turns out, that's not the case at all. The Ledger Nano X secure element can change its behavior after a software update, allowing you to "voluntarily" share your keys online with 3rd-parties. Soon, the same thing will be possible for the Nano S Plus. Apparently, only the old Nano S can't implement this feature.

In theory, unless you update to the newest firmware that unlocks seed-share and approve it physically by pressing the buttons on your Nano, the feature won't work. That's just the theory. It's again a matter of trust. We have trusted Ledger to protect our keys and we trusted them when they said nothing can ever leave the safe enclosure of the secure element. That trust is now gone because the most valuable data can, in fact, leave the SE.

Now you have to make up your own mind. Are you going to trust that what they have said about Ledger Recover is accurate, and that they need your approval to share your seed? Or, can they just do it with or without your consent? They have already told us that data was always obtainable from secure element chips, they just didn't activate that feature before.   

But at this point with Ledger's statement, all devices (even coldcards for example) that have the same secure element chip are vulnerable or am I wrong?

In theory, unless you update to the newest firmware that unlocks seed-share and approve it physically by pressing the buttons on your Nano, the feature won't work.

[...]

Does it in fact matter for those ones who will never approve that shit?

Or you are bothering of those pinks who are going to fall for the bait?

It's probably worth pointing out that this is also the case for Trezor devices, which everyone on Reddit seems to be keen to move to. If Trezor implement malicious software, then the same thing will happen. The only hardware wallet I would even think about touching right now is a Passport - permanently airgapped and completely open source - but as I said before, airgapped, encrypted, cold storage on an old laptop or similar is far preferable.

You are correct. All Ledger devices use the same internal framework, and we know that it has been possible all along for the secure elements to export private keys, which is completely contradictory to all the claims Ledger have previously made.

Which is completely irrelevant. Given that a simple software update means the secret element can now export private keys, then a simple software update could make this feature mandatory, or could remove the need for any physical button presses, or could take everyone's private keys without their knowledge or consent. The whole point of the secure element is moot. The entire security of the device hinges on non malicious software.

It's probably worth pointing out that this is also the case for Trezor devices, which everyone on Reddit seems to be keen to move to. If Trezor implement malicious software, then the same thing will happen. The only hardware wallet I would even think about touching right now is a Passport - permanently airgapped and completely open source - but as I said before, airgapped, encrypted, cold storage on an old laptop or similar is far preferable.

This is so bad that i might give them negative feedback if they have account on this forum.

And considering this "feature" require ID verification where Ledger already leak user data in past, it feels like disaster waiting to happen. By disaster, i mean your legal document will be leaked and misused by criminal to perform identity theft.

So the very fact that this exists, even if you don't sign up for it, means that the next firmware update for Ledger devices will create a process by which your seed phrase is extracted from your hardware device, downloaded on to your computer, and then sent across the internet. That is a massive attack vector. It negates literally the entire point of a hardware wallet to keep your seed phrase and private keys isolated from computers and the internet. Not to mention this gives governments a very easy path to seizing all your assets, if they want, and allows all your coins to be stolen with some very basic social engineering. If you have completed KYC anywhere ever, then you've given away all an attacker needs to recover your seed phrase and empty your wallets.

Remember when Trezor and Ledger were the two best hardware wallets out there, and every thread had people (me included!) recommending either/both of them. How the mighty have fallen! Both are complete and utter trash now, completely ruined by awful decisions such as this one. Seriously, do the management teams behind both wallets understand nothing about bitcoin?

More and more I am glad that I have moved pretty much exclusively to airgapped, encrypted, cold storage for the bulk of my bitcoin. I know that my wallets will never suddenly pose a massive security and/or privacy risk out of the blue because of some absolutely moronic decision by a third party trying to squeeze more and more profits out of their customers.

To become part of their revolutionary seed sharing solution, you have to subscribe to it somewhere, give your consent, and agree to pay those $9.99 per month. So, you don't have to use it.

Given that a simple software update means the secret element can now export private keys, then a simple software update could make this feature mandatory, or could remove the need for any physical button presses, or could take everyone's private keys without their knowledge or consent. The whole point of the secure element is moot. The entire security of the device hinges on non malicious software.

From my understanding of Trezor's architecture the private key never leaves the chip -- the firmware is only able to send messages in and getting signed messages out.

Seriously, this decision wouldn't be made without a lot of discussion and some research/statistics. Ledger is a company, business and aim is to increase profit. Me and you analyze that by implementing this subscription service, one thing is clear, we have to pay money for worsened security. I'm laughing so much, just thinking, what a stupid person you should be to pay money for a service that absolutely abandons the idea of owning a hardware wallet. I mean, you buy a hardware wallet for improved security and then subscribe their service for decreased security, this is such a crazy thing. But Ledger packs all of these positively, in order to generate money, you need to conquer the heart of majority, not minority, majority of people are not smart, minority are, they simply take an advantage of the situation.

I bet their sales will increase, we will see. It offers people an option that they want. Do people lose their keys? Yes. Do they want a recovery option? Yes. Do people think that hardware wallet is safer than any other type of wallet? Yes but do they know why? No, they have just heard that. Do people think that they are confiscating their security by subscribing ledger's service? No. I know it sounds crazy but don't expect people to think and analyze things the way you do.

"Ledger Recover is what our future 100m of customers want - they will onboard into crypto in a secure way with Ledger Recover." -@_pgauthier

"Ask yourself... Where do users keep their private keys... On an exchange 🙈 @cz_binance In the cloud 🙈 On a password manager 🙈 In a software wallet 🙈Ledger Recover fixes this. It will also help the next 100M users to onboard self custody 😎 And... (1) You dont have to use it if you don't want to (2) it changes nothing to your ledger. Only you are in charge of your private keys and what you do with them..."-@_pgauthier

One thing that came to my mind is also their market research. Surely they should have done it right?


I think it seems clear that regardless of any market research outcome of their current customers, and any potential future customer outlook, they have chosen another path.

Ledger has proven didn't protect its customer data. Twice, due to the hacks incident. And now they are moving this way to implement such a system. Those who need it, notwithstanding any consequences, are free to utilize it, on the other hand, anyone who at least bothers to have some "standard" should refrain from using any of Ledger devices and educates other about its risks. Even the key extraction is possible in the first place, it is not worth advocating for them to stop it.

You should not trust the usage of the secure chip unless all of the code and firmware is open-source and signed, so that you can verify all of the interactions with the secure chip.

It's probably worth pointing out that this is also the case for Trezor devices, which everyone on Reddit seems to be keen to move to. If Trezor implement malicious software, then the same thing will happen.

But can you ever be sure? I wouldn't want my seed phrases to be 1 tick box away from being send to them, and risk they take it anyway.

Serious question: can you upgrade the firmware without unlocking the device?

Which is exactly what Ledger said about their secure element. At the end of the day, the hardware, software, and all the architecture is designed and built by a single entity, and if they wanted to extract your private keys, they could. If Trezor's microcontroller was actually impervious to such attacks, then why are they trying to build their own secure element?

<Snip>

You have to enter your unlocking PIN the moment you connect your Ledger to your computer to get it to communicate with Ledger Live. I think the firmware gets updated through the Ledger Device Manager, so you have to open that app as well.

I never used Ledger Live, only when it was initial setup for Bitcoin. Otherwise I only work with Electrum. That way, I don't even know if it has updates or not pending in the past.

That isn't good either. Not because you aren't using Ledger Live, but because you are using an outdated Bitcoin application on your Ledger HW. It might have bugs or vulnerabilities that you aren't protected from. The newer versions could have stability and speed improvements you can't benefit from. You will also not be able to take advantage of things like Taproot in the future unless you update your Ledger bitcoin app.

Let's also not forget that it took a famous hardware hacker three months to discover a vulnerability in a Trezor he had physical access to. And the only reason it worked was because the device used an outdated firmware version that made such a vulnerability possible. That has been patched a long time ago. Trezors remain vulnerable to physical manipulation, but you must know what you are doing. A random thief doesn't. Even if the required hardware for a successful attack isn't expensive, it's not something most people keep in their garage or know how to use. 

You should not trust the usage of the secure chip unless all of the code and firmware is open-source and signed, so that you can verify all of the interactions with the secure chip.

another proof of the whole thing is that Ledger has now deleted this tweet, which RickDeckard has already posted earlier

~snip~
The best thing they could do now is to open source their firmware right away, this will at least delay the inevitable collapse and allow them to exit the market with some dignity and fewer lawsuits.

My personal view on the PR disaster, from a Ledger co-founder and ex CEO

 I'm Éric Larchevêque, Ledger co-founder an CEO of the company from 2014 to 2019. My flair here says "Ledger CEO" but I'm not anymore. I'm only a shareholder of the company, not an executive, and all views are personal. My views are not representative at all of Ledger, its management or its board.

What an horrible mess.

I'm devastated to come on this subreddit, that I created nine years ago, to see images of Ledger devices burning, insults and lot and lot of anger. I'm honestly to the verge of tears.

I've given so much to this company, that it's impossible for me not to be highly emotional in this moment.

So much anger, so much hate, and also so much insanity.

My first step is to apologize as a co-founder about how this launch have been handled. I can't help but to wish this had been done differently. I don't have all details, but for sure something went wrong and the Ledger Recover service was put in your face in the worst way possible.

This is obviously a sensitive subject and would have needed a much more prepared communication.

To me, all this meltdown is a total PR failure, but absolutely not a technical one.

Please read this post which is a very good factual take on he (sic) situation : (https://www.reddit.com/r/CryptoCurrency/comments/13kdusd/hardware_wallets_here_are_the_facts/)

Since 2014 I have been explaining the security model of Ledger and the implications of using a Secure Element (good : very secure, bad : closed source). The security model of any Ledger device relies on the fact that you need to trust Ledger to provide with a firmware doing exactly what it is supposed to be doing.

In the early days, people just had to trust us. The more the company grew, raised money, got customers, the more the incentive to make sure the firmware is sound grew. Hence audits, governance control on the firmware release, the Donjon, etc. The more Ledger had something to lose by doing a mistake, the more things were put in place to prevent this.

Trying to explain the security model to customers with a less and less knowledgable user base became more and more difficult, and it looks like in 2022 a marketing executive tweeted "A firmware update cannot extract the seed from the Secure Element". It's not a lie, but it's missing "as long as you are trusting Ledger".

So people started to think Ledger was a trustless solution, which is not the case. Some amount of trust must be placed into Ledger to use their product. If you don't trust Ledger, meaning you treat your HW manufacturer as an adversary, that can't work at all.

When Recover was abruptly launched, this false sense of trustlessness went into pieces and people started to actually understand how a HW works. At least, that's a positive note.

My mistake as a CEO during my tenure was probably not be relentless enough about explaining the security model, but at some point you just give up as people don't care at all. Until they care again, like now.

The mistake of some of the "power user" community (reddit, twitter...) is to become batshit crazy and start writing stuff like "there is a backdoor from day one" or "the governement has taken over Ledger".

The hard truth, which has been confirmed by many experts who took the time to actually deep dive on the subject, is that nothing changed. Absolutely nothing happened. The security model is the same than before you knew Ledger Recover existed.

What changed is the perspective some of you had on the trustlessness, which appeared to be much more nuanced than you thought, and as this is a very sensible subject, many became extremely angered because they felt lied to.

I understand this point of view, but it's important also to be reasonable, take a deep breath and actually think about the facts.

If you think that Ledger did a terrible thing by not being relentless enough on the security model, and took shortcut when expressing it, if you think that at the time you bought the device, you would never have bought it if you had known this wasn't a fully trustless solution, then yes I get your point of view.

But if your only take is to jump on the hate bandwagon and yell "there is a backdoor" when you don't have any understanding of what you are saying, then it's a free country, but at the end the real victims will be the noobs who in panic will try to offload their crypto from Ledger, make stupid mistakes and lose it all.

Ledger is still safe, there is no backdoor, the Ledger Recover is not a conspiracy, no one will ever force anyone to use Recover.

The Recover code in the firmware is not a malicious code nor does it open a way to arbitrary extract the seed.

If you trust the device to sign a transaction only when you press a button, then you can trust the device to compute a SSS (a shard of the seed) only if you press a button.

I'll now answer questions to the best of my abilities.

(I have posted the same thing in the Ledger subreddit and already answered a lot of questions there

https://www.reddit.com/r/ledgerwallet/comments/13layt7/my_personal_view_on_the_pr_disaster_from_a_ledger/ )

Thank you.

Éric

PS : again, this is a personal post, personal views, and I'm not representing the views of Ledger or its management.

Even the co-founder and former CEO of ledger says this is a disaster (but but *everything will be fine, as long as you trust Ledger   ::))

https://www.reddit.com/r/CryptoCurrency/comments/13ldgcl/my_personal_view_on_the_pr_disaster_from_a_ledger/

I think there is less than a 1% chance of that, because all these years they have not shown their intention to be completely transparent, so I don't see why they would do it now. In addition, they believe that the future 100 million users will support them in what they do, and in addition, they will have the gratitude of all the mothers of the world (read previous posts for reference), so I believe that they are not worried about their business, and even less about possible lawsuits. Nothing major happened after the database leak, right?

There are concerns that the recovery feature in the latest firmware has a backdoor. If there is a backdoor, it's already a problem, what if Ledger instead adds this feature to all of its hardware wallet products.

I don't have the details, but I think it's related to the SE chip not enough memory to store the new firmware (this will require a confirmation as I'm not sure).

The firmware is the OS, so you need to be using one (same thing on your computer). We just won't port the Recover functionality to the SE because there isn't enough space to put it there.

(...)
This was a willful lie, and one which Ledger were quite happy to not correct because it made them profit.

If you are a Recover user and have your shard into safeguarded by third parties, then yes, a government could subpoeana them and get access to your funds.

Using Recover gives you an easy recovery option and mitigates backup loss, but your assets could get frozen by the government (in theory, I'm not a lawyer and I didn't see any legal opinon on the subject).

The latest firmware received a certification from ANSSI as you mentioned.

In order to accomplish this, we attached an additional STM32 microcontroller (the MCU) to the Secure Element (the SE) which acts as a “dumb router” between the Secure Element and the peripherals. The microcontroller doesn’t perform any application logic and it doesn’t store any of the cryptographic secrets used by BOLOS, it simply manages the peripherals and notifies the Secure Element whenever new data is ready to be received. BOLOS applications are executed entirely on the Secure Element. In this section, we’ll take a look at the hardware architecture to better embrace the hardware related constraints before analyzing their software implications.

Trying to explain the security model to customers with a less and less knowledgable user base became more and more difficult, and it looks like in 2022 a marketing executive tweeted "A firmware update cannot extract the seed from the Secure Element". It's not a lie, but it's missing "as long as you are trusting Ledger".

Within the sea of comments in the Reddit post shared by NotATether, both the co-founders (/u/murzika[1] and /u/btchip[2]) say that the reason this feature won't reach Nano S is due to memory limits:

It seems like the MCU does nothing but connect the screen/buttons to the secure elements, and the applications are actually installed ON the secure element itself where the firmware resids.

This means the claim that " you will have to physically press a button to sign a transaction" which they have always promoted is also a lie.

It's also mentioned on their website (https://developers.ledger.com/docs/embedded-app/bolos-hardware-architecture/)


So this means, funds were always "movable" without having to physically initiate an order from buttons that control only the MCU, so not only the firmware had access to the private keys, even the various applications including all of those shitcoins applications that were available to download from Ledger had access to your funds, so for all we know, you could install a shitcoin application on the secure element, which could have access to your BTC private keys or the whole seed phrase.

I'm not quite sure I can agree with this conclusion. Having the firmware and applications reside on the same chip as the seed does by itself not necessarily mean that the firmware or applications can access it. You can still have an architecture where part of the flash storage is accessible (ie. for firmware updates and installing apps) and some isn't (ie. for securely storing the seed). Additionally it should also be possible to have some parts of memory be accessible by the firmware, but not by applications.

So it's highly speculative whether the other applications can in theory access the whole seed phrase as well.

However, given what we now know and the closed source nature of the code... it's also highly speculative whether the apps can't.

(but we do know that at least the firmware can access the seed phrase, if only due to them admitting to it)

The best thing they could do now is to open source their firmware right away, this will at least delay the inevitable collapse and allow them to exit the market with some dignity and fewer lawsuits.

With that said it's very important to stress the fact that what's worse than keeping your BTC on Ledger is panicking to move them elsewhere less secured, or even end up sending them to the wrong address, please folks, don't panic, move your funds out of leger (not to Trezor) without panicking.

The function to explicitly export the seed phrase from the monero ledger application has been around (https://github.com/LedgerHQ/app-monero/tree/master/tools/python#seed-recovery) for a long time. This means that there are no fundamental restrictions for any ledger application to be able to read the seed phrase.

def send_dict_chunk(dongle, p2, chunk,start,cnt):
    header = pack('>4B', 0x00, 0x28, 0x01, p2)
    data = pack('>BII', 0,start,cnt) + chunk
    apdu = header+pack('>B',len(data))+data
    print('.', end='')
    dongle.exchange(apdu)
    print('.', end='')

def get_online_seed(lang):
    if lang['english_language_name'] not in ("English", "Esperanto", "French", "Italian", "Lobjan", "Portuguese"):
        error("%s not supported online"%lang['english_language_name'])

    print("Open device...")
    dongle = getDongle(False)
 
    print("Erase old key words...")
    dongle.exchange(pack('>6B', 0x00, 0x28, 0x02, 0x00, 0x01, 0x00))

    print("Load dictionnary", end='')
    start = 0
    cnt = 0
    chunk = b''
    for w in lang['words']:
        w = w.encode('ascii')
        if 1+8+len(chunk)+1+len(w) > 254:

            send_dict_chunk(dongle, 0, chunk, start, cnt)
            start += cnt
            cnt = 0;
            chunk = b''        
        chunk += pack('>b', len(w))+w
        cnt += 1;
    send_dict_chunk(dongle,lang['prefix_length'], chunk, start, cnt)
    print()
    print("Done.")
    print("Your key words are avalaible on your device under 'Settings/Show 25 words' menu.")
    print("You can delete it at the end of keyword list.")

It is reasonable in my opinion to consider any activated ledger hardware wallet already compromised (and any security model based on a "black box" is inherently weak), in order to avoid unnecessary frustration.

Ledger co-founder admits that with if you use "Ledger Recover" a government could submit a subpoena and get access to your funds

Éric Larchevêque, a Ledger co-founder, posted in two subs (including here https://np.reddit.com/r/CryptoCurrency/comments/13ldgcl/my_personal_view_on_the_pr_disaster_from_a_ledger/?sort=confidence) trying to do damage control around the Ledger fiasco. In his post he said that he no longer works at Ledger, but in his Linkedin, he lists that he is a board member of Ledger. Apparently, he forgot to disclose that or update his Linkedin.

........

**If Ledger or 2/3 of the companies that handle the data receive a government subpoena, could they get access to your funds?**

https://preview.redd.it/8fqer2tpxo0b1.png?width=1402&format=png&auto=webp&v=enabled&s=0b3ccb702accbed66114b82e86dac13dbb1a442c

https://preview.redd.it/8uhxd16sxo0b1.png?width=1400&format=png&auto=webp&v=enabled&s=380688a7b04d3640e2f5d224cecf457fcf83f3d6

Even if you trust Ledger not to change the firmware or add any backdoors to gain access to your private keys, **if you are a Ledger Recover Service user, then your private keys/funds would be accessible by a subpoena.** In the current firmware state, if you are not a Ledger Recover Service user then your private keys would not be accessible with a subpoena.

An update that allows governments to subpoena your private keys and gain access to your crypto is a big deal and likely Ledger is no longer valued at $1.41 billion after this update.

I suggest sweeping your Ledger HW coins as soon as possible.

<Snip>

If you thought the bombshell by the Ledger co-founder wasn't bad enough, wait until you see what he said now!
~snip

I have already did it. Moved the whole of my stash to Passport2 developed by Foundation devices.

After doing that punched both SE and MSU on Ledger board by two strokes of hummer. The final result is simple as that ;)

Haven't seen this point posted in the thread so thought I'd share...

In case there was any doubt about whether third parties could get legal access to your seed phrase:

https://pbs.twimg.com/media/FwisJMXWYAA9vJ-?format=jpg&name=medium

Source: https://twitter.com/0xfoobar/status/1659765939225735169 (Can't find reddit source though)

Maybe this was an obvious one, given that companies are required to hand over data when legally requested...

Is the next step simply pushing firmware to extract seed phrase to specific users after a government request maybe?

This story get's worse day by day.

But then I came to the conclusion that this was indispensable in order to express protest against the actions of this company's management and warn new buyers of the Ledger. This is a kind of drawing public attention to this problem.

Is this the beginning for "#SmashTheLedgerWallet"?

Is this the beginning for "#SmashTheLedgerWallet"?

Man man, what a window have you/them open here.

Im not a lawyer but i have some really good foundations and knowledge on that nad also i can say nobody neither a lawyer can know the answer to that. Because we are going to end in a more philosophical and constitutional discuss.

Because this requires a one more "positive" action made by the goverment and the law, lets me explain, freeze your assets its a "passive" action. For example i can freeze your assets in a bank account but i cant touch them until a full statement its made.

And in this case, what are the seeds? are data and a private thing? or they are an asset? can the IRS make a movement or they gonna need a full judgment?

Because nobody know how much you have in that, its very diferent to a exchange where the exchanges can share the balance info of you account, here its very difficult.....

After doing that punched both SE and MSU on Ledger board by two strokes of hummer. The final result is simple as that ;)

Don't update newer firmware because you could enable access to your keys, and some government could potentially seize coins from you in future, especially if you live in US, UK and France.

Ledger is a failure and I think no one should rely on their words anymore, at least since things are clear. Are you sure that your keys weren't even revealed before this latest firmware update and it wasn't backdoored the whole time you were using it?

That is correct. To the best of my knowledge, their firmware is fully closed source, so there is no way to know whether they had code in it in the past, which extracts seed phrases from secure storage and uploads them somewhere.

Someone already mentioned that with their track record, if they had done such thing en masse, they would already have lost those seed phrases in a hack or data leak. But it's definitely possible that they had a backdoor to selectively extract some wallets' seeds and / or addresses (e.g. for tracking / surveillance purposes).

Their firmware is completely closed source but as the CEO of Ledger said in that podcast, over time, they'll open more source of their code until they reach a level similar to Raspberry Pi.

I think it's okay if Hardware Wallet firmware remains closed source, at some point I even agree with that approach because on another hand, even if certain company has an open-source firmware, how can you be sure that they are actually using the open-source code? Is it possible to verify in case of hardware wallets? Maybe I lack technical knowledge here.

"Opening more source" "over time" can mean anything and is something I'll believe when I see it. And even if they start opening more of their source code -- as long as parts of their code stays closed source there will always be insecurity.

I think it's okay if Hardware Wallet firmware remains closed source, at some point I even agree with that approach because on another hand, even if certain company has an open-source firmware, how can you be sure that they are actually using the open-source code? Is it possible to verify in case of hardware wallets? Maybe I lack technical knowledge here.

Yes, you can and should.
A good hardware wallet manufacturer will actually advise and instruct its customers how to download the firmware, verify its integrity and flash it. It should also make sure to have reproducible builds; this means being able to easily check that the firmware download matches the code.
It should also be easily possible to compile it yourself, alternatively.

The CTO just shared this on Twitter. Ledger's open source roadmap:

https://pbs.twimg.com/media/Fw0X4lpaAAYj_Bp?format=jpg&name=large

Your thoughts?

The CTO just shared this on Twitter. Ledger's open source roadmap:

https://pbs.twimg.com/media/Fw0X4lpaAAYj_Bp?format=jpg&name=large

Your thoughts?

To be honest, here 'open source' is thrown around wildly (blog posts and whitepapers are no 'source' of anything).. ;D

They are taking credit for their '+150 applications' being open source, meanwhile are not writing those themselves, right? The individual coins' developers make them, don't they?

The SDK pretty much has to be open-source if they want altcoin developers to make the accompanying Ledger app for them (for free?); so nothing to take much credit for there, either.

A whitepaper cannot be 'open / closed source' since (1) it's not a source of anything (neither software, nor hardware), (2) you don't write a whitepaper if you don't intend to publish it.

All these blogposts, little tools and whatever they want to provide are just fillers for the big void on the infographic: the firmware remains closed.
As long as that doesn't change, their ability to include backdoors doesn't change. No matter how many blogposts they publish, whether they open-source some dashboard or individual apps. We need the firmware source code; anything else is pointless.

Well said. Lots of fluff, nothing that actually changes anything. Just a continuation of bullshittery, and not a good one at that.

I mean let's look at that step for step.
(...)

"Opening more source" "over time" can mean anything and is something I'll believe when I see it. And even if they start opening more of their source code -- as long as parts of their code stays closed source there will always be insecurity.

Case in point, Ledger's software is already mostly open source, except for the firmware. And that's where the bodies were buried. So even if part of it gets open sourced, as long as some parts stay hidden, they will always have room for burying bodies. "Welcome to my basement officers, feel free to look around, just don't open the freezer, that one's off-limit."

With Trezor you can download the source code and compile it yourself. Heck, if you feel especially nifty you can just go ahead and make your own Trezor clone [1]. Can't get much more trustless than that.

It also doesn't fix past 'mistakes'. For instance, they could have spied on users for the last few years, patch it out and then open-source the firmware.
It is easy to see that if you used the firmware before it was fully open, there will always be a risk that some of your information has been compromised (by Ledger or others).

Your thoughts?

I agree. To me it looks like they are just throwing sand into people's eyes and aren't addressing the issue directly

With Trezor you can download the source code and compile it yourself. Heck, if you feel especially nifty you can just go ahead and make your own Trezor clone [1]. Can't get much more trustless than that.

[1] https://www.instructables.com/Making-My-Own-Trezor-Crypto-Hardware-Wallet/

Yes, you can and should.
A good hardware wallet manufacturer will actually advise and instruct its customers how to download the firmware, verify its integrity and flash it. It should also make sure to have reproducible builds; this means being able to easily check that the firmware download matches the code.
It should also be easily possible to compile it yourself, alternatively.

The guys over at WalletScrutiny (https://walletscrutiny.com/?verdict=reproducible&platform=hardware) check popular wallets from time to time to see whether their builds (firmware blobs / binaries) match the open-source code. In case someone cannot / doesn't want to do it themselves, and they trust them, that's a good resource.

Honestly I find it downright malicious that Ledger's defensive message control boils down to lying about the current state of the hardware wallet ecosystem (ie. claiming that consumers always have to trust hardware wallet manufacturers while that's decidedly not the case). They are trying to normalize bad practices in terms of both security and privacy, making them the very antithesis of what one should expect from a hardware wallet company.

~snip~
Basically, he says that people in crypto world have accepted KYC and it's a normal here.

There is some truth in the fact that the majority have accepted KYC as a standard procedure, but still mostly when it comes to CEX, but this was never the case with hardware wallets

Especially since this is a USB-connected hardware wallet, you could easily get a virus on your PC which asks the wallet for the seed phrase 'shards', just the same way Ledger Live will do it when you initiate the Ledger Recover setup. And the wallet will just hand them out.

Honestly I find it downright malicious that Ledger's defensive message control boils down to lying about the current state of the hardware wallet ecosystem (ie. claiming that consumers always have to trust hardware wallet manufacturers while that's decidedly not the case).

There is some truth in the fact that the majority have accepted KYC as a standard procedure, but still mostly when it comes to CEX

but this was never the case with hardware wallets

This is just a continuation of everything that happened, because if we read between the lines, then the message that Ledger sends is something along the lines of "you are not ready to be your own bank anyway, your backup is safer in our hands", which is very similar to what said comrade CZ (https://decrypt.co/117214/99-people-will-lose-crypto-storing-self-custody-binance-ceo-changpeng-zhao), when he called practically 99% of his users "stupid" and asserted that they are not capable of being their own bank.

If you look at the bigger picture and all the regulations, especially in the US and the EU, then it is much clearer in which direction all this is going. Let no one be surprised if in the future any HW will be impossible to use without detailed KYC, and the so-called "recovery" will also be mandatory, which will mean that most of the bad-informed will keep their BTC in a custodial service.

This x1000. I do not believe that the Ledger team do not understand the difference between KYC on a centralized exchange where you already have zero privacy and zero security and are well aware the centralized exchange has complete control of your coins and is monitoring everything you do, versus KYC on a hardware wallet where the vast majority of people are going to want complete security and a reasonable amount of privacy. The vast majority of people do not want their hardware wallet addresses KYCed or their wallets linked to their real identity and that information shared with blockchain analysis companies, governments, and whoever else pays for the data.

I'm sure Ledger know this, but are being deliberately misleading in the defense of their new vulnerability feature.

Putting aside the open-source vs closed-source war, I think the trust lies in the fact that the developers and security experts did their job properly to not mess up the code or introduce vulnerabilities that someone can exploit. That's what most people have to trust because most of us don't know how safe a code is whether we can view it publicly or not.

Trezor's open-source code means very little to me because I can't go through it and I don't understand what it does. I still have to trust Trezor and everyone that has verified the code that it's bulletproof and can't be abused. That's the trust part.    

He said that a lot of people write him and tell him that they can't carry the responsibility of keeping 24 word seed phrase safely and ask them for recovery options. Basically, what he says is 100% true for majority of users. I have even stated earlier that Ledger wouldn't do such a risky move without research and confidence. At the moment a lot of people are angry about their decision but it's a business, Ledger aims to satisfy upcoming millions of users instead of a current tiny userbase.

~snip~
The vast majority of people do not want their hardware wallet addresses KYCed or their wallets linked to their real identity and that information shared with blockchain analysis companies, governments, and whoever else pays for the data.

In recent posts, the "geniuses" from Ledger refer to their mothers and some future 100 million clients (https://bitcointalk.org/index.php?topic=5452900.msg62256791#msg62256791)

All those supposed users who are looking for such a risky feature actually have no idea what kind of nonsense they are looking for, and Ledger as a company turns out to be an even bigger fool if they enable this feature. In my opinion, the intention (although I think it is not true that a large number of users asked for it) of enabling such a service only shows that Ledger does not care that they try to present risk as a benefit, as long as their additional profit is behind it.

I also wouldn't call the millions of current users "tiny userbase", nor would I agree that some new users will rush to buy their devices in the future, although I may be living in the illusion that the average Bitcoin user will wise up with time and realize that Ledger has become bad product.

I'm sure Ledger know this, but are being deliberately misleading in the defense of their new vulnerability feature.

Yes and no. Ledger is deliberately setting up a false equivalence of trust.

But it's only $9.99 per month, plus lifetime access to your keys, and you are safu up to $50k.  
Sounds like a ''great'' deal, right 8)

The main concerns that you expressed are around transparency, censorship resistance, and security. I think we’ve done a good job to address all of your concerns, but again, it’s for you to tell us, so please don’t hesitate to like, comment, share our clarified service

In recent posts, the "geniuses" from Ledger refer to their mothers and some future 100 million clients (https://bitcointalk.org/index.php?topic=5452900.msg62256791#msg62256791)

Ledger is a business, a corporative company, right? And it's clear to see that this company wasn't founded by a crypto enthusiast but by a person who is a businessman and wants money. They go with option B.

Or, the incredibly simple solution which would have avoided literally all of this drama - create a new product called Ledger Nano R, which is the only product in their range which provides this Recovery nonsense. People who want third parties to store their seed phrase can buy the R, and everyone else with a shred of sense can stay away from it.

Or, the incredibly simple solution which would have avoided literally all of this drama - create a new product called Ledger Nano R, which is the only product in their range which provides this Recovery nonsense. People who want third parties to store their seed phrase can buy the R, and everyone else with a shred of sense can stay away from it.

they may have already created a backup of our seed

This is why I never fully trusted hardware wallets. I can't possibly know for sure what happens inside the black box.

This is why I only trust old equipment but sadly in near future I'll won't be able to use them. I personally believe that when computers, mobiles and softwares were at an early stage of development, real aim and priority was to improve the technology and make things better but once there is a lit of potential to earn billions, then this takes over every positive thinking and real aim becomes to improve technology in order to gain more control and influence.

Haha, I laughed a lot :D You made my day

In podcast, the CEO of Ledger said that they have 6 million customers. That's a tiny number if they have calculated that up to 100 million users are in queue in near future and are exactly looking for this service.

I want to ask you, how many people use Facebook? Google search? Keep in mind that these companies don't give a shit to users personal information and it has been proven for many times and still their profit and userbase increases every day. Millions of facebook users post what and where they eat, where they work, what movie they watch, send sensitive information in messenger, etc.
Don't you think that these people aren't going to somehow step in a crypto world? And don't you think that they can be that 100 million users and will willingly use Ledger Recover service?

Let's say that Ledger has two options: A. Their profit will increase slightly if they keep their current crypto enthusiast customers happy and B. Their profit will dramatically increase if they lose some of their customers but attract a lot of new customers who will pay them $9 every month.
Ledger is a business, a corporative company, right? And it's clear to see that this company wasn't founded by a crypto enthusiast but by a person who is a businessman and wants money. They go with option B.

It is an interesting talking point because it is exactly the same talking point that Square/Block have been using to promote their hardware wallet which has no seed phrases and shares custody of your back up with third parties.

For example, here is their business lead Lindsey Grossman using the 100 million figure, and then talking about her "friends and family": https://youtu.be/WbjzZQwDozw?t=355

Contrary to what Ledger is trying to sell, trusting a single company to "do the right thing" is not even remotely the same as having thousands of developers and hackers -- independent and contracted alike -- making sure that there's nothing fishy going on. It simply isn't.

In my opinion, the intention (although I think it is not true that a large number of users asked for it) of enabling such a service only shows that Ledger does not care that they try to present risk as a benefit, as long as their additional profit is behind it.

If Ledger Recover was a mandatory service, then that would make sense but since its optional, there is no logical reason to produce another series of hardware wallets. You can either subscribe it and pay $9 monthly or just ignore it and use Ledger in a traditional way.

Are you referring to this YT video? (https://www.youtube.com/watch?v=M3VjQUcyZSY&t=1s) I watched it yesterday and I have to admit that I was even more disappointed with how Ledger looked at the whole situation, and that he actually called everyone who raised their voice people who spread FUD for no reason. The part in which Pascal talks about the Ledger leak scandal is especially incredible, because he claims that almost no one knew that it happened, and that the event had no impact on the company, suggesting that the dust around seed sharing will soon settle. That part is available at 56:20.

I'm somehow more convinced that this company will fail much sooner, and that it will probably be destroyed by this same service that they are trying to sell now. The three companies that will keep the seeds will sooner or later be part of some data leak, hundreds or thousands will be hacked that way and then there will be no going back.

You are forgetting one thing. The code for Ledger Recover will become available on your device if you upgrade the firmware. For now, that's true only for the Nano X. You decide if you want to switch the feature on or off, but Ledger brings it to you no matter what. Imagine a self destruct button in your car, where, if you press it, the car explodes. I am not going to press it, but I am not comfortable having it there at all. Ledger has already decided to add that button.

I agree with you to some extent. However, I want to mention all those Dapps, decentralized liquidity providers, DEXs for ETH tokens and the likes that have been hacked or exit scammed numerous times in the past. Their open-source nature didn't prevent it. Nobody noticed the vulnerabilities until the money was gone. "Security experts" provided them with their seals of guarantee which proved to be useless after hackers found ways to breech the platforms. Just because there is a way to inspect a code doesn't mean those doing it put that much effort into it.

~snip~
Look at where the companies that will be storing the shards are located. The USA and the UK + the last shard is held by Ledger. Don't you think they couldn't have found partner companies elsewhere? Of course, they could have. The way they did it now, the right document from the right 3-letter agency in the US gets US authorities one shard, with Ledger gladly supplying the second one. 

Yes, I'm referring to that video. It made me moody and angry how Pascal (he doesn't deserve this surname) looks at Bitcoin users. You could see an ironical and humiliating attitude towards bitcoin users in his speech. I bet he even laughs and thinks how stupid people are when they buy/order his hardware wallet.

At some point I think that there is a bigger overall plan and FTX, Ledger and other companies are part of this plan, yes, I know it sounds like a conspiracy theory but everything can happen. Look, top exchanges fail/scam/go-bankrupt, now hardware wallets are probably going to get hacked/leaked. Isn't this a reason to ban bitcoin usage/trading/mining/etc? Probably this is a real plan or probably they think that people are dumb and want to take an advantage of that.

Nothing happens by chance, everything is well thought out, and apart from profit, the point is to put as many users of this HW as possible in a position where they can be controlled. Of course, not everyone will accept the new service, some because of the price and KYC, others because they understand how absurd and dangerous it is, but let it not surprise anyone if Ledger turns that service into something mandatory in the future, because their "mothers" and maybe even 200 millions of users are super satisfied and they will ask the company to protect those of us who don't understand it.

Btw, who stores the KYC data?
Ledger, because it worked perfectly with other data in the past?

Ledger + the two other companies for triple the risk?

I checked for you, it's done via KYC provider Onfido. (https://www.ledger.com/academy/what-is-ledger-recover#:~:text=Ledger%20Recover%20uses%20your%20ID,data%20in%20an%20encrypted%20form.) Make of that what you will.

Ledger Recover uses your ID and a selfie to verify who you are, via its Identity Verification provider, Onfido. Then, it links your identity to encrypted fragments of your Secret Recovery phrase. The identity providers store this ID data in an encrypted form.

They do claim the seed can only be decrypted with the same Ledger that created it, but I imagine with any Ledger there would be a simple workaround for this, such as spoofing the device's log number in order for the encrypted shard to think it's the same one.

What if I lose my Ledger device that is associated with my Ledger Recover subscription?

Simply get another Ledger device and follow the process to recover access to your wallet.

Despite all the risks, I wouldn't say having your seed phrase sharded to three companies is higher risk than simply having Ledger "look after it" for you.

They do claim the seed can only be decrypted with the same Ledger that created it, but I imagine with any Ledger there would be a simple workaround for this, such as spoofing the device's log number in order for the encrypted shard to think it's the same one.

For Ledger's shard, yes. But your KYC data will also be stored with the other two third party companies as well, in order for them to release their shard if needed:

So there will be three companies holding your KYC data, duplicated across an unknown number of servers in an unknown number of locations with unknown security protocols and an unknown number of people with digital or physical access. Just like every other KYC, it will only be a matter of time before your information is leaked/hacked/shared/sold.

It's the exact opposite, in fact. They say that you can use Ledger Recover with a brand new device:

I have heard the opposite. You don't need the original device you used for Ledger Recover and seed sharding. Since the shards are connected to your identity (the ID and selfie you provide), the hardware wallet device is of secondary importance here.  

~snip~
Seems Ledger users are going from one very insecure device to a slightly less insecure device.

They never answered this: https://www.reddit.com/r/ledgerwallet/comments/13lo5rv/decrypt_key_and_ledger_recover/

It's not clear yet, but we know they must have the means to decrypt it themselves. You can lose your hardware wallet and your seed phrase, and still recover your wallets on a new device. This means that everything needed to recover your seed phrase (i.e. the shares and their decryption keys) are stored by one or more third parties, since you need to provide absolutely nothing yourself, not even the original device.

To me, this looks very suspicious because you need a communication channel between hardware wallets to transfer a decryption key, which basically means you have to rely on a third-party provider (most likely the entity asking you for documents) to store and send it to you after a successful KYC procedure.

They never answered this: https://www.reddit.com/r/ledgerwallet/comments/13lo5rv/decrypt_key_and_ledger_recover/

Not in that particular reddit discussion, but that topic is partially covered in the Ledger Recover FAQs (https://support.ledger.com/hc/en-us/articles/9579368109597-Ledger-Recover-FAQs?docs=true). I say partially because they don't go into details how the recovery is supposed to work if the original device is lost. Check the answer to the question "What if I lose my Ledger device that is associated with my Ledger Recover subscription?" o_e_l_e_o is surely on the right track here.

---

In other news: Trezor sales soar 900% amid Ledger’s seed recovery controversy
https://cryptoslate.com/trezor-sales-soar-900-amid-ledgers-seed-recovery-controversy/

Seems Ledger users are going from one very insecure device to a slightly less insecure device.

What amazes me is the fact that Ledger is totally silent when faced with the fact[1][2][3] - or flaw - that is being able to restore your encrypted shards on any device. Do they consider their clients that ignorant regarding how seed phrases work?

I should also note that Ledger Nano S will eventually[4] receive this "awesome" feature, per reply on their Reddit page.

Ledger claims it now stores more than 20% of the world's cryptocurrencies and 30% of the world's NFTs.

Or, the incredibly simple solution which would have avoided literally all of this drama - create a new product called Ledger Nano R, which is the only product in their range which provides this Recovery nonsense. People who want third parties to store their seed phrase can buy the R, and everyone else with a shred of sense can stay away from it.

Why don't you build a second operating system without Ledger Recover?
In terms of security, there is no difference in having this part of the code in the operating system or not. In reality, it is up to the user to choose if they want to activate the feature or not. We have no doubt that implementing this feature in our firmware does not increase the threat model or the attack surface area. 

Our OS implements plenty of cryptographic primitives. These primitives manipulate secrets. They all must be properly implemented and this is Ledger’s job. Finally, our contract with users is that whenever the OS touches any secret, the user is prompted to give his consent.

Running two operating systems is costly, and since there is no technical advantage to having a second operating system we would prefer to spend our funds developing and improving security and ease of use for our products for our current and future customers.

As we have also committed to make the code open source, meaning that people will soon be able to verify this code themselves.

I wouldn't even say that there is a plan in the sense that someone devised it, but that the plan is actually to let people do what they know best, which is to destroy themselves. Everything that is happening is just an indication of how wrong we were when we trusted companies like Ledger or Trezor, or that most Bitcoin trading is conducted through CEX. For the first time in history, we got a decentralized currency, and in fact we centralized it to such an extent that it is mostly stored in a centralized way.

Still, it's not too late to change, everyone can use DEX and store their coins in airgapped storage, and if the majority did that, people like Pascal, CZ or Brian Armstrong would become completely irrelevant.

So there will be three companies holding your KYC data, duplicated across an unknown number of servers in an unknown number of locations with unknown security protocols and an unknown number of people with digital or physical access. Just like every other KYC, it will only be a matter of time before your information is leaked/hacked/shared/sold.

Yesterday I was reading Ledger Recover FAQ and there is a similar question (but about second operating system) in their FAQ, it may be interesting for you

Is there something wrong with Trezor at the moment? Just asking. It's an open-source and you can verify whether the code of bought hardware matches the publicly available open-source code.

Considering the documents on the FAQ page of Ledger Recovery and how Ledger is replying on Twitter, I would say that o_e_l_e_o is exactly right regarding how the process will be deployed. What amazes me is the fact that Ledger is totally silent when faced with the fact[1][2][3] - or flaw - that is being able to restore your encrypted shards on any device. Do they consider their clients that ignorant regarding how seed phrases work? I should also note that Ledger Nano S will eventually[4] receive this "awesome" feature, per reply on their Reddit page.

As a side note, I am still amazed by the fact that they imploded their company and lost the loyalty of their clients for $9.99 per month...

Not sure about the statement, how do you come to conclusion like that with hardware wallet?

Oh, don't get me wrong. I am under no illusion that a new device makes zero technical difference to existing devices. Even without this firmware being deployed to existing devices, it is now abundantly clear that Ledger have been lying for years about the capabilities of their secure elements. I was simply pointing out that if I was a Ledger employee/board member, then I would have done the tiniest bit of research first, realized that 99% of existing customers hate this idea, and suggested launching it on a new device only and saying nothing about our existing devices.

It's good that they weren't this smart, though, since it's served as a big wake up call for people to stop trusting these shady third parties. Unfortunately it seems many people are simply jumping from one shady third party (Ledger) to another shady third party (Trezor).

All their devices suffer from unfixable seed extraction vulnerabilities, which they deliberately sweep under the rug and do not tell their users how to mitigate against. They also have a very pro-government, pro-censorship, pro-surveillance, and anti-fungibility ethos, as shown by their support of AOPP and their partnership with Wasabi and blockchain analysis.

Either it's a simple fabrication, or Ledger knows exactly how much someone has on their devices, which means that they log all the data from the device every time such a device is online.

That has happened in 2019, do they still suffer from the same problem?

Btw they removed the support of AOPP but yeah, what you say about them is true.

It's interesting to know what you think about Coldcard or do you think that no hardware wallet is trustable and airgapped encrypted devices are the only last and one devices to use.

Not sure about the statement, how do you come to conclusion like that with hardware wallet?

It won't if it works the same way transaction broadcasting works. You need physical confirmation to broadcast a transaction, and Ledger has said you will also have to physically allow the sharing of the shards. Whether or not that is true is another topic of discussion. 

Trezor's open-source code means very little to me because I can't go through it and I don't understand what it does. I still have to trust Trezor and everyone that has verified the code that it's bulletproof and can't be abused. That's the trust part.   

Let's say that Ledger has two options: A. Their profit will increase slightly if they keep their current crypto enthusiast customers happy and B. Their profit will dramatically increase if they lose some of their customers but attract a lot of new customers who will pay them $9 every month.
Ledger is a business, a corporative company, right? And it's clear to see that this company wasn't founded by a crypto enthusiast but by a person who is a businessman and wants money. They go with option B.

Einstein once said: Two things are infinite: the universe and human stupidity.

However, reading the comments of some people under the video I linked, it is incredible how many people believe in the nonsense that people from Ledger are talking about. Einstein was definitely right.

You decide if you want to switch the feature on or off, but Ledger brings it to you no matter what. Imagine a self destruct button in your car, where, if you press it, the car explodes. I am not going to press it, but I am not comfortable having it there at all. Ledger has already decided to add that button.

For Ledger's shard, yes. But your KYC data will also be stored with the other two third party companies as well, in order for them to release their shard if needed:

So there will be three companies holding your KYC data, duplicated across an unknown number of servers in an unknown number of locations with unknown security protocols and an unknown number of people with digital or physical access. Just like every other KYC, it will only be a matter of time before your information is leaked/hacked/shared/sold.

Seems Ledger users are going from one very insecure device to a slightly less insecure device.

Either it's a simple fabrication, or Ledger knows exactly how much someone has on their devices, which means that they log all the data from the device every time such a device is online.

That has happened in 2019, do they still suffer from the same problem? Btw they removed the support of AOPP but yeah, what you say about them is true.
It's interesting to know what you think about Coldcard or do you think that no hardware wallet is trustable and airgapped encrypted devices are the only last and one devices to use.

And to my knowledge the hardware buttons of a Ledger Nono are completely software controlled. The buttons are not directly wired to the Secure Element where most of Ledger's firmware magic happens. The MCU controls the display and the buttons and proxies user interactions to the Secure Element. It's the firmware that decides what to do when you press a Ledger button. As the firmware is a black box what exactly prevents Ledger to not need your button press? ... Exactly: nothing! It's their secret sauce code...

Given that a simple software update means the secret element can now export private keys, then a simple software update could make this feature mandatory, or could remove the need for any physical button presses, or could take everyone's private keys without their knowledge or consent. The whole point of the secure element is moot. The entire security of the device hinges on non malicious software.

~snip~
In my opinion Ledger Paris can basically only do one thing right and that's marketing bs. They suck at everything else, including value their customers. Strangely, it seems to me that Ledger appears kind of synonym to hardware wallet. Look at the topic Show off your hardware wallet (https://bitcointalk.org/index.php?topic=5375482.0), yes I know it's not representative, only 4 of 19 don't show Ledger hardware crap.

If you use Ledger Live, then this is a given, since it connects to Ledger servers. And remember they are offering insurance with Ledger Recover, so they are 100% keeping track of your balances.
~snip~

Realistically, at the time when HW started to become a serious competitor to desktop wallets, there were not too many choices, and Ledger mainly imposed itself as the main player on the market due to its design.

I don't know much about the history of HWs, only cloudy memories that there was a time when there were basically only Trezor and Ledger as serious products. But then again you had Ledger with its black box model and Trezor with much more transparency, albeit with possibly an inferior security design.

I can't tell what I would've chosen back then. After all this Ledger circus and drama in the past few years for me there's one irrefutable paradigm when it comes to manage safely higher values (low four-digit and up in $/€): the wallet (software or hardware) has to be transparent and open-source. Ledger is then by default not a choice and I wonder why so many users don't care, especially when there are more choices today then ever.

This is the exact point I've been making:

I doubt Ledger would ever admit that they could remove that physical confirmation any time they want, but are you both 100% sure that's how it works?

The buttons feed in to the MCU, not to the secure element. The MCU is where the firmware is installed.

Furthermore, the Secure Element is also split into two parts: the firmware which is under NDA and is therefore closed-source, and the SDK & application-loaded code which is open source friendly.

If Ledger can write firmware which says "Perform action x if confirmed by a button press", then I see no reason they can't write firmware which simply says "Perform action x".

The MCU sends an Event (button press, ticker, USB transfer, …).
The SE responds with a list of zero or more Commands in response to the Event.
The SE sends a Status indicating that the Event is fully processed and waits for another Event.

They certainly wouldn't. I suppose I couldn't prove it without engineering firmware which does exactly that, but have a look at the hardware architecture here: https://developers.ledger.com/docs/embedded-app/bolos-hardware-architecture/https://developers.ledger.com/docs/embedded-app/bolos-hardware-architecture/

ColdCard is an airgapped wallet. You can work with PSBTs and import/export them with the help of an SD card for example. The device is not open-source but has public and verifiable code. It's better than standard USBconnected hardware wallets.

According to the Ledger Developer Portal source you shared, the firmware is in the secure element chip, not the MCU.

Wouldn't the same be true for all other events, like broadcasting/sending transactions? Then we are back to trust where we have to "hope" they won't do it.

Technically speaking it is and always has been possible to write firmware that facilitates key extraction. You have always trusted Ledger not to deploy such firmware whether you knew it or not.

Is Ledger the only company with such an architecture and how is it handled elsewhere?

Am I getting it right? The moment you transfer shards of your seed to third-party companies, Ledger transforms to Trezor and starts using an insecure MCU chip to store sensitive information and send it to a USB host.

ive read good things on foundations passport.. anyone here want to chime in? might be off topic?

ive had trezors since 2014 (? i think thats when they came out, i got one of the 1st). no issues in usability. but the seed extraction thing.. oops. i get around it by erasing the trezor after use and when needed i put the seeds in the hard way (using the trezor not the computer kb), do the tx and then reset again.

ive read good things on foundations passport.. anyone here want to chime in? might be off topic?

It would be really interesting to get the opinion of an expert in this field. I might send an email to Joe Grand to see what his thoughts on the matter are.

It looks like they're having the on-board SE encrypt the private key and split it into 3rds for offline storage in different HSMs. Given how many people contact me asking for help with a lost key, I can see something like this being beneficial for folks who aren't technically-inclined enough or don't have the capability to keep their hardware wallet physically secure and/or want to have a back-up solution of the key being stored elsewhere (which IMO negates the benefits of having a cold wallet). It seems like a move to mitigate the risk of losing all your funds in a cold wallet and a way to attract more people into the cryptocurrency space by giving the peace of mind. Even if the split encrypted key was recombined, AFAIK it would need to still be bruteforced before getting to the private key (or the encryption key extracted from the SE). I wouldn't call this a backdoor by any stretch, but given the paranoia in the cryptocurrency space, I don't think they did a good job explaining what it is and how it works.

I think member n0once owns a Passphrase wallet, he even made detailed review in forum, so you can search for that.
In my opinion this is one of the best Bitcoin hardware wallets available today, but it's certainly much better than ledger.
Passport Review topic:
https://bitcointalk.org/index.php?topic=5421713.0

...
I doubt Ledger would ever admit that they could remove that physical confirmation any time they want, but are you both 100% sure that's how it works? You have no code to back that up, the same way Ledger hasn't made any available to show that they can't. Can the user's confirmation really be worked around that easily, and if they have malicious intentions, why would they simply not do it instead of telling us that they will?

There is firmware on both, but the firmware updates you install via Ledger Live predominantly target the MCU. The errors you get with an outdated device are either "MCU firmware is outdated" or "MCU firmware is not genuine".

According to [1], Ledger uses ST MCUs with flash memory in the 16-32 Kilobyte range. So I highly doubt that much of the firmware is stored directly on the chip.
The secure element actually has much more storage, 320KB to be exact; so it's likely that much of the firmware is in the secure chip.

This all doesn't really matter, though. The fact of the matter is that as soon as you install firmware with seed extraction capability, it's game over for your privacy and security.


[1] https://blog.gridplus.io/hardware-wallet-vulnerabilities-f20688361b88?gi=205af29b0222

The fact that Ledger won't even tell you who that entity is or what security is being used to store your decryption key is highly suspect.

My sources is the following blog article by Saleem Rashid (https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/), who discovered a severe security flaw in the Ledger NoNo S firmware. There's a diagram showing basically the same wiring what @o_e_l_e_o cited from Ledger's developer sources. Saleem doesn't go into too much details but I assume he partly or to greater extend reverse-engineered MCU firmware code to craft his exploit. I have my doubts that the base architecture of Ledger NoNo S+ and NoNo X is much different, but frankly I can't prove it. I haven't enough interest in Ledger crap to spend a lot of time in research around their products. This company, their products, their philosophy and their executives are a no-go for me.

It's funny a shame how the executive morons, cry-baby Éric e.g., at Ledger Paris tried to downplay his findings and treated him. (Not that I can say to know all the story, but as a hardware wallet company you definitelly shouldn't treat white hat security analysts who can prove your product has a severe flaw like Ledger did with him. Not to mention how long it took them to deal with this flaw.)

Someone somewhere holds the power to decrypt your seed phrase and steal all your coins. The fact that Ledger won't even tell you who that entity is or what security is being used to store your decryption key is highly suspect.

This all doesn't really matter, though. The fact of the matter is that as soon as you install firmware with seed extraction capability, it's game over for your privacy and security.

The fact that Ledger won't even tell you who that entity is or what security is being used to store your decryption key is highly suspect.

Does anyone knows if it's possible to downgrade ledger firmware?
Maybe it would help a little to keep ledger always offline and connect it only with offline computer or smartphone when making transactions.
This can be temporary solution until ledger is replaced with some other device.

We now know this to be incorrect, though. As Ledger have said (and as I've linked to earlier in this thread), you can still recover your seed phrase via Ledger Recover even if you lose your hardware wallet and buy a brand new one. This means the decryption key does not need to be extract from the SE, or is even stored on the SE in the first place. It must be stored by a third party for them to be able to give it to you when you activate a brand new device. Someone somewhere holds the power to decrypt your seed phrase and steal all your coins. The fact that Ledger won't even tell you who that entity is or what security is being used to store your decryption key is highly suspect.

How to downgrade to an older version of Ledger Live
https://support.ledger.com/hc/en-us/articles/7446430773149-Downgrading-to-an-older-version-of-Ledger-Live?support=true
Better buy an old ledger nano s wallet.

I am not defending ledger but I think they said this will be shared between three companies with different geo locations, France, United Kingdom and United States.
For encryption they are using Shamir Secret Sharing, that is a bit strange for me since they never supported that scheme in ledger before (unlike Keystone or Trezor).

To anyone that is still using Ledger: I've seen a couple of reports floating on Reddit[1][2][3] regarding users that aren't able to sign transactions unless they update to the latest firmware. Considering that I haven't seen such reports here, I would say whatever happened with these users has nothing to do with forced updates?

If two of the three companies return their shares to your new Ledger and you combine them, then all you can do is recover your encrypted seed phrase. Without the decryption key, you cannot restore your wallet. Where does the decryption key come from? Who is providing it? We simply do not know.

I also thought about it. Theoretically, hackers can make a patch for Ledger Live to intercept the encrypted Seed, which is divided into 3 parts. Of course, without the decryption key stored on the Ledger, they can't do anything. But where is the guarantee that this key will not leak in the future? So I think such a step on the part of Ledger is too presumptuous.

To anyone that is still using Ledger: I've seen a couple of reports floating on Reddit[1][2][3] regarding users that aren't able to sign transactions unless they update to the latest firmware. Considering that I haven't seen such reports here, I would say whatever happened with these users has nothing to do with forced updates?

Note: Eventually you'll have to update your device if you want to use the Ethereum app that Ledger provides[4][5]. I assume that this applies to most apps provided by them.

Better buy an old ledger nano s wallet.

They have said that first your seed phrase is encrypted, and then that encrypted seed phrase is split in to a 2-of-3 Shamir's scheme, with one share given to each of those companies. They have not however, as far as I am aware, said anything about how your seed phrase is actually encrypted, what encryption algorithms are being used, how the encryption key is generated, or who stores it.

Do note that Ledger Nano S will also eventually get this service as well[1] according to Ledger Customer Success agents.

---

[1]https://safereddit.com/r/ledgerwallet/comments/13scxdo/comment/jlp5t5b/?context=3 (https://safereddit.com/r/ledgerwallet/comments/13scxdo/comment/jlp5t5b/?context=3)

~snip~
But I will buy a Trezor T wallet because they promised that the secret phrase would not leave the wallet.

~snip
The Nano S wallet can be bought with old firmware.
But I will buy a Trezor T wallet because they promised that the secret phrase would not leave the wallet.

For Ledger's shard, yes. But your KYC data will also be stored with the other two third party companies as well, in order for them to release their shard if needed:

So there will be three companies holding your KYC data, duplicated across an unknown number of servers in an unknown number of locations with unknown security protocols and an unknown number of people with digital or physical access. Just like every other KYC, it will only be a matter of time before your information is leaked/hacked/shared/sold.

I'm not an anti-KYC, just want to know what are your real fears when it comes to KYC.

It is also a massive security risk. Centralized crypto services have leaked, sold, shared, or been hacked for sensitive data an inordinate number of times. Every big exchange is guilty of this. Ledger themselves are guilty of this. Would you be happy with your real name and address being leaked across the entire internet next to a list of all your crypto addresses and their balances? Not only can anyone in the world monitor exactly what you are doing with your money, you become a target for both electronic and physical attacks to have your coins stolen.

KYC can ruin your life. Even without the crypto side of things, KYC documents are sold on black markets constantly. Having your identity stolen can leave you hundreds of thousands of dollars in debt for loans or credit cards you had nothing to do with. The latest studies have shown that identity theft costs US citizens alone over $50 billion a year:

How can one take loan with my identity? I mean, banks don't give away loan so easily, I can't really think that someone can do anything with pictures of my ID card, at least I'm unable to do things with it alone.

Don't be naive, Ledger said the same thing in the past, and today we know that the whole story they told is a simple lie. Trezor has its vulnerabilities, and even cooperation with companies that deal with spying on Bitcoin users and censoring transactions is not something that can position them as reliable producers.

Depends on your bank and your jurisdiction. Some banks will happily let you open accounts, set up credit cards, take out loans, even take out mortgages, all over the internet. Often a picture of your ID is enough, and if they want more such as tax numbers, recent bills, etc., then these can be often be obtained by an attacker with a copy of your ID/passport/whatever and your other personal details.

There is one big distinction to be made. If you own a Trezor Model T, since it's completely free open-source (FOSS (https://en.wikipedia.org/wiki/Free_and_open-source_software)) as in 'freedom', you can refuse to upgrade the firmware, downgrade the firmware, write your own, and patch new firmware versions that have features you don't like.

You also are able to tell whether they try to sneak in some unwanted features and know whether new features are implemented securely, e.g. if any encryption used is secure.

If we just take one company who in a way betrayed its users and extrapolate it to all the companies, there is no wallet you can buy, no Linux distro you can install and no services you can use.

I would still not recommend a Model T right now, but at least if I got one, I knew what I'm getting, since code and hardware are open.

-snip-

Why don't you recommend Model T right now?

All their devices suffer from unfixable seed extraction vulnerabilities, which they deliberately sweep under the rug and do not tell their users how to mitigate against. They also have a very pro-government, pro-censorship, pro-surveillance, and anti-fungibility ethos, as shown by their support of AOPP and their partnership with Wasabi and blockchain analysis.

Depends on your bank and your jurisdiction. Some banks will happily let you open accounts, set up credit cards, take out loans, even take out mortgages, all over the internet. Often a picture of your ID is enough, and if they want more such as tax numbers, recent bills, etc., then these can be often be obtained by an attacker with a copy of your ID/passport/whatever and your other personal details.

Whenever I have to send some personal documents to some company (for setting up a bank account, utility services, amongst others) I always make sure to include a watermark with numerous information (such as which company I'm sending the data to, which data and why). In the event their security is weak and this data is stolen from them, probably no one will be able to open a credit line in my name due to the watermark, and if I ever see those documents floating online I'll know which company was the one responsible for the leak.

Don't be naive, Ledger said the same thing in the past

What is the actual problem in KYC? The fact that your identity is revealed to some 3rd parties or the fact that your bitcoin address is trackable?

your data is never safe, tons of people already have access to it and still you have to reveal it many times in real life.

While it's true that three companies, including Ledger have access to your KYC documents, at some point we can say that revealing your KYC documents can't really affect your quality of life and personally the only threat I can see is that they'll know when and how I spend my crypto, they'll know it for sure. Besides this, is there any other reason to be afraid of KYC?

That's a clever idea but do companies accept watermarked personal documents? Especially ID card or passport?

Also, isn't it easy to remove watermark via photoshop?

without actually validating the person.

That's a clever idea but do companies accept watermarked personal documents? Especially ID card or passport? Also, isn't it easy to remove watermark via photoshop? Especially with some AI properties.

I would still not recommend a Model T right now, but at least if I got one, I knew what I'm getting, since code and hardware are open.

By using a hardware wallet, you're basically trusting them with your money, while the security of "be your own bank" shouldn't rely on third-parties. I really hate this part, and even when using offline software wallets, you have to trust someone. It's impossible to verify all the software you're using, even if it's open source. "Trusting" goes against the basics of Bitcoin, but it's inevitable one way or another.

The main problem I have with KYC is that I have to trust them for doing the right thing, while many companies (and governments) have leaked private data in the past. This will happen again. At least if they don't have my data, they can't leak it. And this scenario is already undesirable even if the company doesn't do bad things with the KYC data on their own.

All the more reason to share this data as little as possible. I've closed bank accounts because they wanted more data than I want them to have.

Probably. A blue pen on a black and white copy shouldn't be that hard to remove digitally.

The solution is simple - avoid any platform which requires KYC.

You are trusting computer hardware (closed source) and software (can be opensource), but we can all agree that old computers/laptops can have much more flaws, bugs, backdoors, security issues and more attack vectors.

Life gets very hard if you do so, especially if you actively travel. But probably that's the price of privacy, just wonder how long can one keep living in such a discomfort.

For instance, Madar highlighted that one of the biggest challenges associated with cryptocurrency is that it’s too complex for many users. “Specifically, keeping track of your physical device and seed phrase for years is far from trivial for the average person. Every user should be able to back up their keys somewhere,” he said.

Echoing this, Marvin Janssen, co-founder of hardware wallet provider Ryder, told Cointelegraph that Ledger Recover might appeal to mainstream customers. “It absolutely happens that people, especially those new to Web3, lose access to their wallet because of a faulty or complete lack of a backup. A feature like Ledger Recover can, therefore, definitely help,” he said.

I know that if someone is really interested in copying my information will eventually find a way to do it, but I find that it works great as a deterrent for most scenarios.

You can't live in this world without revealing your KYC documents. House/hotel/car rentals, you need to reveal your KYC documents to get medical help, visit a doctor, get prescribed meds (if any). You have to reveal it to start work.

So, let's assume our data has been leaked, what's the point of rejecting other services that ask for KYC?

I mean, is your aim to keep this number of your KYC holders as narrow as possible?

An attacker is going to take the path of least resistance. Are they going to spend several hours trying to edit out your watermark and end up with a result which might still be rejected by whichever service or bank they are trying to fool, or are they just going to move on and use someone else's KYC data instead? When KYC data is widely available to be bought on black markets for ten or twenty bucks for hundreds of users' worth of data, then an attacker is simply going to ignore the one user who has a difficult to remove watermark.

Or you can choose to trust this fake messiah[1] (Ledger CEO). ~ 2 weeks have passed from the announcement of Ledger Recover and he's already going out and giving speeches in keynotes, sharing "his outlook for the future, the UX needed to enable mass adoption, and how crypto can protect our online identity. Thank you for the inspiring words!" They keep preaching about "how can crypto protect their online identity" when, at the same time, they are offering services that will link your own identity to the funds that you currently hold (optional, as always  ::)). Isn't this ironical?

What is even worse is that there are actually some providers that agree with Ledger stance on embracing more users by providing easier entry points[2]:



How can anyone agree that, with a simple update, independently or not if I choose to take part of it, my device will have a "dormant" code that could be exploited in the future and thus voiding everything that the product & company stands for? That's madness!

---

[1]https://nitter.it/thecryptovalley/status/1664691045299376138 (https://nitter.it/thecryptovalley/status/1664691045299376138)

[2]https://cointelegraph.com/news/ledger-ceo-says-crypto-key-recovery-service-makes-self-custody-easier (https://cointelegraph.com/news/ledger-ceo-says-crypto-key-recovery-service-makes-self-custody-easier)

Is it possible that if a user has enabled the recovery feature, and has his/her data held by a third party, then it's probable that a government entity could issue a written order telling the third party to give them access to then user's coins/savings?

If you are a Recover user and have your shard into safeguarded by third parties, then yes, a government could subpoeana them and get access to your funds

Coincover will never pass your information to a third-party unless it has a legal obligation to do so. For example, law enforcement agencies often have extensive criminal investigation powers including the ability to obtain production orders requiring information to be produced. It may result in a criminal offense for any entity supporting Ledger Recover to fail to comply with a production order, but Coincover would always take all reasonable steps to verify a production order before complying with it.

Shower thought. Is it possible that if a user has enabled the recovery feature, and has his/her data held by a third party, then it's probable that a government entity could issue a written order telling the third party to give them access to then user's coins/savings?

Because I believe the user has given up some of his/her rights upon upload of his/her own data. Don't third parties always have Terms of Agreement that users never read?

 8)

Yes, absolutely.

The question is now which government will get to your coins first ;) But that's not even my biggest concern: what are the odds 2 out of 3 "seed storage facilities" will get hacked, leak data, or have an inside job rob users? If this takes off, there are billions of dollars worth of crypto to steal.

Theoretically, hackers can make a patch for Ledger Live to intercept the encrypted Seed, which is divided into 3 parts. Of course, without the decryption key stored on the Ledger, they can't do anything.

To name just a few of them like Passport (around $200), Keystone (around $100), and maybe even others that are cheaper and based on Trezor code but with secure element.

The question is now which government will get to your coins first ;) But that's not even my biggest concern: what are the odds 2 out of 3 "seed storage facilities" will get hacked, leak data, or have an inside job rob users? If this takes off, there are billions of dollars worth of crypto to steal.

This is just another breach waiting to happen for Ledger, I'm surprised they still haven't learned after their previous breaches.

Yes, that's unlikely to happen for an average user but definitely possible and that's another reason why someone should avoid Ledger Recover service.
By the way, ToS is a joke. If you read ToS of companies you frequently use or if you read the list of side effects of every meds, you are not going to use them ever in your life but the problem is that you need to use that particular service or product and because of that 99% of people just agree and move on.

There was a discussion about Ledger Recover and subpoena in podcast with the CEO of Ledger.
Have a look at these moments:
https://youtu.be/M3VjQUcyZSY?t=929
https://youtu.be/M3VjQUcyZSY?t=2610

How can the encryption key be stored on your Ledger device, if you can recover your crypto on any other Ledger HW of your choosing? The other devices can't hold your encryption key. The original hardware device maybe, but it looks like Ledger gets a copy of it. How else do you explain recovering crypto on Ledger #2 if Ledger #1 that encrypted the shards is no longer working/in your possession? Either Ledger has the keys or the encryption key is also somehow shared among all custodians.

The question is now which government will get to your coins first ;) But that's not even my biggest concern: what are the odds 2 out of 3 "seed storage facilities" will get hacked, leak data, or have an inside job rob users? If this takes off, there are billions of dollars worth of crypto to steal.

The one good thing in all this is that Ledger has proven that secure elements are not to be trusted and aren't safe. Not in a Ledger or any other hardware wallet.

With the discussion of 2 out of 3 custodians being compromised, don't forget that this set up has a single point of a failure, and the breach of this single point of failure is enough to steal your coins.

Each Ledger has a security chip that can have a unique private and public key. All Ledger needs is to get your seed from two sources, decrypt it at home, then read the unique public key from your new Ledger and re-encrypt the seed individually for your instance. I don't see any difficulties here.

For Ledger Recover, even if we assume that the Nano S/X hardware device itself is secure, the only way for those shares and the associated decryption key to leave the Nano device and reach the third party custodians is via your computer. Therefore, your computer must receive, store, process, and transmit all the information necessary to empty your wallets. If your computer is compromised while you do this, or if the data is stored in memory and recoverable, then your coins can be stolen by compromise of your computer alone. This is the exact same situation as any hot wallet.

They state that the seed phrase undergoes encryption and is divided into three shreds. These shreds are then directly sent to the three custodians from the Ledger device itself. When a recovery is requested, these encrypted parts are sent back to the new or old hardware device and decrypted back in the recovery seed. Nowhere does it mention that the shreds must pass through any Ledger server for encryption or decryption during recovery.

This means all shreds pass through your computer, and through Ledger Live. If Ledger Live gets compromised, your seed can get compromised.

The whole point of a hardware wallet used to be that your security doesn't depend on the security of the computer you're using.

But that's not how it's supposed to work, according to Ledger. They state that the seed phrase undergoes encryption and is divided into three shreds. These shreds are then directly sent to the three custodians from the Ledger device itself. When a recovery is requested, these encrypted parts are sent back to the new or old hardware device and decrypted back in the recovery seed. Nowhere does it mention that the shreds must pass through any Ledger server for encryption or decryption during recovery. Additionally, the process you described would imply that Ledger stores all private encryption keys from every device they have ever produced on their servers, which would create a single point of failure. It wouldn't make sense to keep such a system in place, and the entire process of splitting the recovery seed into shreds and distributing them to three different custodians wouldn't make sense in that case.

I have no reason to doubt your words, but maybe we should wait for Ledger to release how exactly they envision this system of theirs is supposed to work. More importantly, how and when the encryption will take place. Does the Secure Element have the capacity to encrypt everything on the chip before taking any further actions? Or does the encryption take place in Ledger Live where it could become vulnerable to various attack models?

Once approved, your Ledger Nano X will duplicate, encrypt and fragment your private key into three parts within the Secure Element chip.

These encrypted fragments are securely sent to three independent providers – Ledger, Coincover, and EscrowTech that will store them in Hardware Security Modules (HSMs).

What if I lose my Ledger device that is associated with my Ledger Recover subscription?

Simply get another Ledger device and follow the process to recover access to your wallet.

REPATRIATION
IT IS HEREBY ORDERED, ADJUDGED, AND DECREED that on or before 10 days from the date the Court issues this Restraining Order, each Defendant shall repatriate to the United States all fiat currency and crypto assets that are deposited, held, traded, and/or accrued by investors (referred to herein as “customers”) on the Binance.US Platform, including for BAM’s staking-as-a-service program, or otherwise held for the benefit of BAM and Binance.US Platform customers, including, but not limited to, any hardware crypto asset wallets, all private keys in any form (or portions thereof), and any device, hardware, or software holding such private key or portion thereof (hereinafter referred to as “Customer Fiat Assets” or “Customer Crypto Assets” and, collectively, “Customer Assets”)

       
Just fresh [/url]  (as of May 31, 2023)  example:  millions of motherboard sold by well known maker such as  Gigabyte have  backdoor in firmware . It is not hard to  imagine  what would happen if those who wanna opt that Ledger Recover connect their  devices to   compromised motherboards like those from Gigabyte.

*The only alternative to this is that the decryption key is identical for every Ledger Nano device and so is simply stored on the device itself and not transmitted at all, but in this case any attacker can just buy a Ledger Nano and have access to the decryption key, so it makes no difference to the final conclusion that if your computer is compromised your funds can be stolen.

Wrote the following questions to Ledger support:
How will the seed recovery process take place on a new wallet?
Where will the decryption keys be stored and how will they be transferred to the new Ledger?
My request is accepted, it has been assigned id 1138638
If they send an answer, I undertake to publish it here without any changes.

I'm still following the Ledger subreddit and it's amazing that they still have so many supporters, presumably people who ought to know better than to keep trusting them.  As I said previously, many of them just don't get the points being made in this thread, i.e., that as long as that backdoor exists it doesn't matter if you subscribe to their recovery service or not; Ledger can access your keys whenever they want.

-snip-

I doubt those poor bastards can be of much help. All they can do is tell you what they have been told from up above or copy/paste some nonsense making them look unknowledgeable.

I will do my best to answer with a combination of intuition and what I picked up from our AMA

~snip~
It's a shame that Ledger brainwashed some of their userbase in thinking that this service actually is more of a help to them than a risk (and how it goes against with everything they stand for).

The CTO just shared this on Twitter. Ledger's open source roadmap:

https://pbs.twimg.com/media/Fw0X4lpaAAYj_Bp?format=jpg&name=large

Your thoughts?

Sooo... where are we on this roadmap? I was promised some blog posts.

Did I miss the blog posts?

The roadmap doesn't specify a time frame for each phase. The start of a new phase could happen tomorrow (no, definitely not) or sometime later (until users completely forget about it).

Did I miss the blog posts?

It is even worse when they are paying $9.99 for it...

Security is so boring! Shitcoins are the real important stuff!

Shows you exactly where their priorities lie. Instead of actually addressing this mess, they focus instead on implementing more shitcoins and staking to drive more profits for themselves.

All they want is to make money. They were criticized after the 3rd party seed phrase drama. But does anybody see any comment from them about this matter? The only thing I found is this; Pascal Gauthier, Ledger’s CEO and chairman, pushed back against the critiques on Twitter.

However, CZ criticized them as well :D

Binance chief Changpeng "CZ" Zhao has suggested users are more likely to lose crypto by holding it in a cold wallet than by putting it on a centralized exchange.
“For most people, for 99% of people today, asking them to hold crypto on their own, they will end up losing it,” he said in a Twitter Space discussion held on Wednesday.

Shows you exactly where their priorities lie. Instead of actually addressing this mess, they focus instead on implementing more shitcoins and staking to drive more profits for themselves.

Security is so boring! Shitcoins are the real important stuff!

“Backdoor would mean that we control all ledger devices and could run automated updates for example… That’s not the case. Will never be the case. Only you can use functions on your ledger. No one else can enter your pin code and press those buttons…”

inb4 the introduction of Ledger Autopilot™ -- Keep your hardware wallet automatically updated without any hassle for just $19.99,- a month!*

*subscription fee withdrawn automatically for your convenience

The CTO just shared this on Twitter. Ledger's open source roadmap:

https://pbs.twimg.com/media/Fw0X4lpaAAYj_Bp?format=jpg&name=large

Your thoughts?

Yes, absolutely. The Ledger co-founder stated as much here:


Ledger also admit it here (under Data & Privacy at the bottom of the page):

Would third parties know if I have my real wallet secured behind a passphrase?

The Ledger Recover service, if used, does not backup your passphrase.

Here is what Ledger say on the issue:


So in theory, no, the third parties would not know if you are using one or more passphrases. But this all depends on whether you trust what Ledger are saying, since I'm sure there will be zero way for the user to actually verify this.

When setting up a passphrase for your Ledger hardware wallet, you basically have two options: insert a passphrase every time you want to get access to "hidden" wallets or attach it to a PIN code, meaning that your passphrase will be recorded somewhere in a hardware wallet's memory and may be extracted and used after a PIN code was entered. In other words, Ledger adds a "Remember me" button for passphrases that essentially negates all the benefits of "25th word" and hidden wallets by making them publicly available for anyone knowing a short PIN code. Given that the Recovery feature doesn't make sense in cases where a user has set up a passphrase since a seed phrase alone is insufficient to get access to coins, it would make sense for Ledger developers to include a passphrase into this encrypted transfer scheme, especially considering the fact that it is equally important for a successful recovery and already sitting in a device's memory. Ledger developers could have issued malicious firmware stealing users' seed phrases and passphrases, but finally decided it would be more beneficial to create a service that people subscribe to and share private keys and identity information with absolutely voluntarily.

More information:

https://support.ledger.com/hc/en-us/articles/4983095135261-How-to-recover-your-passphrase-accounts-?support=true
https://support.ledger.com/hc/en-us/articles/115005214529-How-to-set-up-a-passphrase-?docs=true
https://m.youtube.com/watch?v=8jiqFYFi698

Please ELI5. What I have learned is that the added passphrase, or the "25th seed word", is a feature all BIP-39 compliant wallets have that generates a new set of keys. It's doesn't matter if the user owns/uses a Trezor, a Ledger, or any kind of hardware or software wallet. If the user enters his 24 seeds + his passphrase, the output will always be his/her "hidden wallet". Are you saying it's not?

Please ELI5. What I have learned is that the added passphrase, or the "25th seed word", is a feature all BIP-39 compliant wallets have that generates a new set of keys. It's doesn't matter if the user owns/uses a Trezor, a Ledger, or any kind of hardware or software wallet. If the user enters his 24 seeds + his passphrase, the output will always be his/her "hidden wallet". Are you saying it's not?

~ Ledger developers could have issued malicious firmware stealing users' seed phrases and passphrases, but finally decided it would be more beneficial to create a service that people subscribe to and share private keys and identity information with absolutely voluntarily.

I am saying Ledger tries to make passphrases less secure and more user-friendly, which, together with the announced Recovery service, is going to make a hardware wallet no better than a regular hot wallet.

"Could have"? Why not both? We have no way of checking anyway!

I'd say it's worse than a hot wallet: I use several different hot wallets (for small amounts), and I'd never use Ledger's "pay us to give us your seed phrase" scheme.

I am saying Ledger tries to make passphrases less secure and more user-friendly

I'd say it's worse than a hot wallet: I use several different hot wallets (for small amounts), and I'd never use Ledger's "pay us to give us your seed phrase" scheme.

Wrote the following questions to Ledger support:
How will the seed recovery process take place on a new wallet?
Where will the decryption keys be stored and how will they be transferred to the new Ledger?
My request is accepted, it has been assigned id 1138638
If they send an answer, I undertake to publish it here without any changes.

This number can be put into human readable form (24 words) using BIP-39 standard.
That is your Secret Recovery Phrase.
This is what you write down and should NEVER share with ANYONE, including Ledger.
Ledger does not have access to it, including if you use Ledger Recover.


- If you want to use Ledger Recover, you’ll have to consent on your device for the backup or the recovery process
- It’s the same for staking, interacting with smart contracts, and encrypting data with the OpenPGP app…


You want to use Ledger Recover, your seed will be splitted into 3 shards and encrypted before being stored in shards backup providers.

Of course this doesn't explain much, we'll have to wait for them to prepare more detailed explanations.

If, for you, your privacy is of the utmost importance, please do not use our product, for sure.
At least they are being honest. What is shocking is that, despite these declarations, they keep attracting clients to their platform and still have other users defending them to the bone...

---

[1]https://www.youtube.com/watch?v=M3VjQUcyZSY&t (https://www.youtube.com/watch?v=M3VjQUcyZSY&t)

Got this response from Ledger:

I’m not an expert, we have tons of educational materials in the pipeline including a white-paper detailing the multiple layers of encryption employed. Ultimately I don’t want to give you incorrect information, so I encourage you to keep an eye on Ledger academy for more information.

Our CTO also outlines some technical details here (https://twitter.com/P3b7_/status/1659187049331654658?s=20).

BTW @o_e_l_e_o you'll find this amusing - I've just found this[1] video circulating on Twitter and Reddit where Pascal Gauthier, Ledger CEO's, talks about privacy in their products:

I've just found this[1] video

Additionally, each fragment backup provider uses a hardened, tamper-resistant server called a Hardware Security Module (HSM) to securely store these encrypted fragments.

Wait, they previously announced a government could subpoeana them (https://bitcointalk.org/index.php?topic=5452900.msg62269158#msg62269158). I'm guessing all of them will cooperate when the government of one country subphoeanas them, so the different countries don't matter.

there is nothing stopping Ledger turning to these two partners and asking them to hand over their shards as well.

Gauthier replies that the other companies wouldn't have to comply, and that Ledger would be happy to open source their legal contracts with these companies to prove as such.

Would your private data be sent to the seed storage partners who all have to make their own judgement, or would Ledger just say: "this guy needs to recover his Ledger, send the seed"?

When you want to restore your wallet, you initiate the Recovery from Ledger Live. You’ll have to login to your account and then go through 2 independent Identity verification processes.

Let me guess: they haven't shared the contracts yet?

https://youtu.be/M3VjQUcyZSY?t=1285 - Apparently the shards aren't encrypted at all, despite Ledger previously stating this. It's literally just Shamir's. So there is no decryption key to be stored on the device or by Ledger themselves, making it even easier than thought to compromise the set up.

During the process, the secure channel uses an ephemeral symmetric key to securely transport the fragments.

Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic algorithms based on mathematical problems termed one-way functions. Security of public-key cryptography depends on keeping the private key secret; the public key can be openly distributed without compromising security.

In a public-key encryption system, anyone with a public key can encrypt a message, yielding a ciphertext, but only those who know the corresponding private key can decrypt the ciphertext to obtain the original message.

Or did they just a slap some random bullshit timeline together with no intention of sticking even to the bare minimum?

I also disliked the "Attach to PIN" feature, and I've spoken before about why I don't think people should use it. As you say it reduces the security of your passphrase to a simple PIN, and it also means that your passphrase is stored on the device rather than wiped after use when using a temporary passphrase.

Apparently the shards aren't encrypted at all, despite Ledger previously stating this. It's literally just Shamir's. So there is no decryption key to be stored on the device or by Ledger themselves

During the process, the secure channel uses an ephemeral symmetric key to securely transport the fragments.

They probably did just that, and they are hoping that everything will calm down and people will gradually forget about this issue.
It could be possible they are working on open sourcing partially, but I think now it's to late for that and it wont be genuine.
I don't trust ledger and their ''car'' is going down the hill.

~snip

Just the opposite.  In order to enable the "Ledger Recover" feature, Ledger, did, indeed, write a gimme_da_seed function directly into firmware.  It is clear because you can see Ledger Live, which is open sources, using the seed and sending off to the Ledger Recover servers.

Both Ledger Live and Ledger Firmware handle your complete seed, and prepare it for transport off of the device.  The seed is encrypted, and Ledger has promised that the number of people who can decrypt the seed are small.

What's more, I don't think Ledger supports downgrades.  You MUST upgrade to the gimme_da_seed firmware, and once upgraded, I don't think you can downgrade.  But like I said, they promise it is encrypted.

Trezor prone to physical hack since we basically cannot verify of the Trezor we receive is genuine

EVERYTHING shipped by a third party is prone to physical attacks.  Ledger wrote the book on supply chain attacks.  There was a huge rash of compromised Ledgers sold on Amazon about 4 years ago.  Made a huge stink.  Lots of users were duped.

Ledger and Trezor are equally hardened and equally vulnerable via supply chain.  I'd put more trust in Trezor since you can upgrade, downgrade and independently flash the firmware and bootloader.  Very hard to sustain a "fake" firmware if you have to emulate all those actions without detection.

(Source) (https://www.reddit.com/r/TREZOR/comments/1488img/is_using_metamask_to_connect_to_ledgertrezor_is/jo2ju25/?utm_source=share&utm_medium=ios_app&utm_name=iossmf&context=3)

I'm going to make the educated guess that Ledgers developers are a bunch of juveniles because there's no way you're a senior engineer and you get away with this stunt especially after a PR storm.

*Note: it is hard to verify exactly whether it is true that they really named the method as such, because Ledger firmware is closed source and it's possible that obfuscation of exported function names is being used by the <closed-source, Ledger-internal> libraries.

(...)When you think about it (Ledger Recover) there's nothing wrong with it. It doesn't change the security.

(...)It's our rule to have convictions and to push the industry forward.

4.6 No retrieval of Private Keys. The only existing backup is with you. Ledger operates non-custodial services, which means that we do not store, nor do we have access to your Crypto Assets nor your Private Keys. Ledger does not have access to or store passwords, 24-word Recovery Phrase, Private Keys, passphrases, transaction history, PIN, or other credentials associated with your use of the Services. We are not in a position to help you retrieve your credentials. You are solely responsible for remembering, storing, and keeping your credentials in a secure location, away from prying eyes. Any third party with knowledge of one or more of your 24-word Recovery Phrase or PIN can gain control of the Private Keys associated with your Ledger Device or of the 24-word Recovery Phrase, and therefore steal your Crypto Assets, without any possibility for you or Ledger to retrieve them.

If this is true, Ledger's "hardware" wallet is now - once attached to a computer - literally less secure than a hot Electrum wallet on the same computer.

*Note: it is hard to verify exactly whether it is true that they really named the method as such, because Ledger firmware is closed source and it's possible that obfuscation of exported function names is being used by the <closed-source, Ledger-internal> libraries.

But the post says you can see it being used in Ledger Live, which is open source. A search of Ledger's GitHub provides zero matches for "gimme_da_seed".

Yeah, Ledger put a method in their firmware like gimme_da_keys then allowed software (ledger live) to call gimme_da_keys. I can confirm that current Trezor firmware has no gimme_da_keys methods, or anything like that. So even if some software were to try to ask firmware for the keys, firmware isn't listening for any key requests, so won't respond.

So identity theft is now enough to steal your Bitcoins? Even easier if the identity theft is an inside job at one of the three seed storage companies, they'll know exactly who to target and can request the other shards from the other two seed storage companies.

“Backdoor would mean that we control all ledger devices and could run automated updates for example… That’s not the case. Will never be the case. Only you can use functions on your ledger. No one else can enter your pin code and press those buttons…”^[1]

Given that the Recovery feature doesn't make sense in cases where a user has set up a passphrase since a seed phrase alone is insufficient to get access to coins, it would make sense for Ledger developers to include a passphrase into this encrypted transfer scheme, especially considering the fact that it is equally important for a successful recovery and already sitting in a device's memory.

Well, there was no way of accessing sensitive data on the secure element chips either. They have been telling us for years that it's impossible. Turns out, it's quite possible if they integrate the right code.

Hardware wallets, like mixers, are in what I like to call "the trust business". They should never lie, because if they lie once about something you can verify, you should assume they also lie about things you can't verify.
So basically, this should be the end of Ledger.

(encryption key is common to Ledger hardware devices; let's see how long it takes that this key gets disclosed or peeled out of firmware)

Even easier if the identity theft is an inside job at one of the three seed storage companies, they'll know exactly who to target and can request the other shards from the other two seed storage companies.

If it's an inside job at one of the three companies, they only need a shard from one other company. That's a very low bar to clear.

Every Ledger owner in the world already knows your decryption key.

Potential scammers can apply at ledger.com/jobs (https://www.ledger.com/jobs) :P

When you say they know the key, I assume you mean the same key is also used in their hardware device, and not that they actually know and can see the key. How could I (who own a Ledger Nano S) see that decryption key in my device?

Yes, I mean the same key is on their device, but the distinction is irrelevant. If someone gains access to 2 of your shares, then it is trivial for them to access the decryption key even if they don't actually know what it is (by simply using any Ledger device).

<snip>

As I said, the vulnerability is unfixable. It still exists and will always exist on these devices. Coldcard is certainly airgapped, but it is not open source as Pmalek points out and the company behind it spread lies about competitors for their own gain. I personally wouldn't use it.

If I had to buy a hardware wallet right now, I would buy a Passport. But I'd much rather continue to use a separate airgapped, encrypted device, running a FOSS OS and wallet.

The fact is, Coldcard is the true creator of the most secure firmware model.

Coldcard is not FOSS but it's still open source, anyone can view the code (https://github.com/Coldcard).

Here's a post from the CEO of Passport about this: https://www.zherbert.com/an-open-letter-to-nvk-and-coldcard/

There was a clash between the two some time ago. Zach (Foundation CEO and Co-founder) even made a post in his own blog about it[1]. It mostly started when Matt Odell (seen as an influencer within the crypto community I assume) posted a tweet[2] claiming that all what Foundation did was to clone NVK source code into their product. Besides Matt, even the co-founder and CEO of CoinKite (@nvk[3]) - the producers of Coldcard - was spreading that same information on their Discord channel - that not only did Foundation copied their code but that they were also closed source (you can read more about it on Zack open letter).

I don't know how the situation ended between the two, but I wouldn't be surprised if Foundation (and Zach team) ended up a bit frustrated against this "attack" by nvk and would keep communication on strictly what was needed. You can feel that on Zach closing remarks on his letter:

---

[1]https://www.zherbert.com/an-open-letter-to-nvk-and-coldcard/ (https://www.zherbert.com/an-open-letter-to-nvk-and-coldcard/)
[2]https://nitter.it/ODELL/status/1651220101721358336 (https://nitter.it/ODELL/status/1651220101721358336)
[3]https://nitter.it/nvk (https://nitter.it/nvk)

Coldcard also built on many open source libraries (not just Trezor's) when they designed their product. For them to start whining about people building up their open source library is just pure hypocrisy.

The code is verifiable, not open source.

I'm really considering creating an account for Twitter (since I'm not able to use nitter[2] ever since Twitter blocked people from browsing unless they are signed in[3]) just to be able to follow the discussion regarding Ledger in that particular social network and see how people continue to react to the deployment of Ledger Roadmap...

I think that's what matters the most, well, at least for me.

I called it politics in the past, and I am not interested in it.

Coldcard also built on many open source libraries (not just Trezor's) when they designed their product. For them to start whining about people building up their open source library is just pure hypocrisy.

GNU General Public License (GPL): The GPL is one of the most well-known open source licenses. It is considered a restrictive license, as it requires that any changes made to the code must be released under the same GPL license, and any software that uses the code must also be released under the same GPL license. Additionally, if a user distributes the software, they must also provide the source code and any changes they made to it.

Are they even allowed to change from GPL to MIT license?

It is hypocritical and dishonest at best, and dangerous at worst. If no one is allowed to build on your code or use your code for anything, then you are going to have far fewer people looking at it, examining it, testing it, using it. As you say, few people can actually interrogate the code themselves, and most users rely on independent developers or power users examining the code of open source projects on their behalf. If you aren't actually allowed to do anything with the code, then there is far less incentive to spend your time going through it.

Are they even allowed to change from GPL to MIT license?
If they're building on other GPL software, they have to keep the same license for their own software:

I'm no expert on the code, the licensing, or where the code originated, but having included features like (for example,) Bip85 (deterministic seed phrases that are backed up by the primary seed, which is a pretty slick feature,) could justify changing the licensing due to those features.  If nvK wants to protect his intellectual property by protecting unique snippets, I don't see a problem with it as long as it's available to the public for scrutiny.

If they're building on other GPL software, they have to keep the same license for their own software:

If nvK wants to protect his intellectual property by protecting unique snippets, I don't see a problem with it as long as it's available to the public for scrutiny.

But it is equally fine for people like me to point out that doing so means fewer eyes on the code therefore less security...
...Coinkite locking down their code so it cannot be used by anyone else.

Why exactly can't you analyze every line of it if it pleases you?

Why would I bother when I can't do anything with it?

That's the point I'm making - not that I can't review the code, only that far fewer people will bother to do so since they can't use that code themselves.

When the latest version of the Ledger Live desktop app is available, it will now be automatically downloaded, same as the current experience on your Ledger Live mobile app, so the update will not interrupt you while using the app. You can revert to the previous setting by using older versions of the Ledger Live desktop app.

(...)
My current Ledger Live version is a few months old, so I checked the release notes of the versions that the company released after the one I currently have installed. I wanted to see if there is anything there that would warrant an update. Turns out that the brainiacs behind Ledger made a change starting with version 2.64.1. They call it an improvement. This "improvement" of theirs automatically downloads (and surely installs) new versions of Ledger Live in the background without asking the user or requiring that the user does it.
(...)

~snip

Too late, they are long gone LOL
The story of Betnomi.com (Exit Scam) (https://bitcointalk.org/index.php?topic=5461815.0) : This is something fresh for you to study.

By the way, don't cry later if the ledger wallet steal your crypto, who knows may be Betnomi created a backdoor in that device and when you will store something they will steal it. Are you not aware of Ledger recent update 😉?

<Snip>

And in the future, this "improvement" of theirs will automatically send the contents of users wallets to wherever they want in ledger?

The question to all of your is, do you think that ledgers can be modified by them so they can acces and steal al your coins?

Despite their recent history, they can still turn things around and advertise this upcoming Recover feature as something extraordinary and worth using for newbies. We will see how that goes. Going down the road that you proposed is sure death to Ledger and I don't think they are that stupid.

Fake Ledger devices do exist, and we even had cases where individuals whose data got leaked had such devices shipped to them to their home addresses. But everything about those HWs was fake. If you opened them up, they had different hardware components compared to the examples Ledger has on its website (https://support.ledger.com/hc/en-us/articles/4404382029329?support=true). They also instructed the users to download and install fake Ledger Live software and not the official versions. Fake firmware was also part of the game.

- A genuine Ledger HW looks as shown on the pictures above.
- Only a genuine Ledger HW works and can connect to the official Ledger Live software.
- Only a genuine Ledger HW can connect to Ledger servers and install official apps or firmware from the LL App Manager.

If Betnomi modified their Ledger devices, you should notice that the things I mentioned above won't work.  

Yes i think in the same way, with the exit scam they surely make good money and this hardware wallets and others promotions they do were only a hook to gain the trust of the community.

Did you maybe link to the wrong sources? Your sources [3] and [4] are exactly the same. Source [5] refers to the old and discontinued Ledger Blue.

The question to all of your is, do you think that ledgers can be modified by them so they can acces and steal al your coins?

I feel the answer is becoming repeated. I already answered it many times but anyway here it is again. It's completely possible to hire an embedded programmer and change the functionality of any device. Leger is close source, you as an end user can not verify anything if anyone do any trick.

It would be interesting if the Betnomi scammers were able to find some experienced blackhat willing to do that for them, but in reality I can't consider that possibility to be an accurate one unless they've spent too long organizing and shipping the hardware wallets from the giveaway (so unfortunately I think it might be credible... in any case just throw it out and don't trust hardware wallets from giveaways).

Nicolas Bacca cio and co-founder of Ledger, will leave the company following the recent recover scandal. he follows former ceo and co-founder Eric Larchevêque, who stepped down in 2019.
ceo Pascal Gauthier blamed an 'unintentional communication mistake' for the Recover melee, but also stressed the importance of key recovery for users who feel overwhelmed by key management.

~snip~
ceo Pascal Gauthier blamed an 'unintentional communication mistake' for the Recover melee, but also stressed the importance of key recovery for users who feel overwhelmed by key management.

Nicolas Bacca cio and co-founder of Ledger, will leave the company following the recent recover scandal. he follows former ceo and co-founder Eric Larchevêque, who stepped down in 2019.
ceo Pascal Gauthier blamed an 'unintentional communication mistake' for the Recover melee, but also stressed the importance of key recovery for users who feel overwhelmed by key management.

https://en.thebigwhale.io/article-en/EXCLUSIVE-Nicolas-Bacca-leaves-Ledger (https://en.thebigwhale.io/article-en/EXCLUSIVE-Nicolas-Bacca-leaves-Ledger)
https://cryptomode.com/co-founder-nicolas-bacca-to-exit-ledger-amidst-recover-feature-controversy/ (https://cryptomode.com/co-founder-nicolas-bacca-to-exit-ledger-amidst-recover-feature-controversy/)

It's really not a good sign when all the founders of a company decide to leave the company, when apparently it is not having any problems.

Are there any other founders left at this point? Or have they all left?

Nicolas Bacca cio and co-founder of Ledger, will leave the company following the recent recover scandal. he follows former ceo and co-founder Eric Larchevêque, who stepped down in 2019.
ceo Pascal Gauthier blamed an 'unintentional communication mistake' for the Recover melee, but also stressed the importance of key recovery for users who feel overwhelmed by key management.

Ledger just launched and started ledger Recover, that is provided by Coincover,and I urge everyone NOT to use this crap!
If you sign up for this you basically agree that your coins can be seized willingly or unwillingly, because ledger partners all have to comply with governments.
Additional danger is sending your personal ID and ledger is well known as leaker wallet.
https: //www.ledger.com/recover/

Ledger just launched and started ledger Recover, that is provided by Coincover,and I urge everyone NOT to use this crap!

What I say is simple: do not have Ledger Wallet installed on your PC; use Electrum or another wallet to access Ledger; and never do this type of configuration.
This is clear for anyone who wants to continue using their HW Ledger.

At least that's what I do with my wallet Ledger.

Your keys are always stored on your device and never leave it

Ledger just launched and started ledger Recover
✂

What I say is simple: do not have Ledger Wallet installed on your PC; use Electrum or another wallet to access Ledger; and never do this type of configuration.
This is clear for anyone who wants to continue using their HW Ledger.

How safe is that against a thief who steals your Ledger and uses "Recover" to extract your seed phrase from the "secure" element?

What I say is simple: do not have Ledger Wallet installed on your PC; use Electrum or another wallet to access Ledger; and never do this type of configuration.
This is clear for anyone who wants to continue using their HW Ledger.

i also read about the 'recover start' yesterday. what i find even more outrageous is that Ledger charges the user €10 for this service (after the first month is free) from the second month on.
will advise everyone in my circle of acquaintances and also here in the form against this service!

How safe is that against a thief who steals your Ledger and uses "Recover" to extract your seed phrase from the "secure" element?

I am not afraid of Ledger stealing the keys.

Stealing will land them in prison, so that's not my biggest worry. But leaking the keys is a real risk.