Ledger Stax (Ledger's latest hardware wallet)

[Meuserna]

Is the Ledger Recover option truly optional or can it be triggered?

Beware of anyone who tells you it's optional.  Ask them to prove it.  They can't, which means you can't trust it.

In the imaginary scenario of me being a target of the United States or European Governments and Ledger or Coincover secretly working with them to take me down, can this become a problem for me and the Security of my Coins?

I'd say yes.  The keys in a Ledger wallet can be accessed remotely thanks to their key extraction firmware.  Ledger fanboys will say that's possible with any hardware wallet, not just Ledger, but that's not true.  Only Ledger wrote code to add key extraction capability and built it into their firmware.  Ledger firmware can't be trusted.

No firmware with key extraction capability can be trusted.

Because many things are in my opinion very contradictory or lack sense on their 'What is Ledger Recover?' article (https://www.ledger.com/academy/what-is-ledger-recover).  For example,

Firstly, your seed phrase will never leave the Secure Element chip. Only encrypted fragments of it leave the device only if you choose to subscribe to Ledger Recover, and these fragments are useless alone.

This makes no sense.  If Coincover only has a fragment of my Seed Phrase, then I am pretty sure they can not recover my full Seed Phrase in the event I lose it.  So while fragments alone are useless, do they not hold ALL fragments necessary to recover my Wallet?  Who other than Coincover stores the rest of the fragments?  Air?

In theory, three companies have the shards.  But again, as I always say...  Prove it.

Oh, and by the way, Ledger holds the master key for ALL USERS:

"The bombshell here is the explicit confirmation that Ledger themselves hold the master decryption key for all Ledger Recover users."

-- @sethforprivacy

And let's not forget Ledger was hacked when an EX-employee got phished:

How a Single Phishing Link Unleashed Chaos on Crypto:  "Ledger has confirmed the attack began because “a former Ledger employee fell victim to a phishing attack.”

-- Decrypt

Why did an ex-employee still have access to the codebase?  Ledger won't say.

Ledger can't be trusted.

Only trust fully open source code, because open source code can be verified.

[Stalker22]

Is the Ledger Recover option truly optional or can it be triggered?  In the imaginary scenario of me being a target of the United States or European Governments and Ledger or Coincover secretly working with them to take me down, can this become a problem for me and the Security of my Coins?  Because many things are in my opinion very contradictory or lack sense on their 'What is Ledger Recover?' article (https://www.ledger.com/academy/what-is-ledger-recover). 

Exactly. Even though the service is optional, its very existence implies it can be triggered by an event.  So if they can initiate it with our consent, then why couldnt it be triggered without it?  As you mentioned, there is no physical barrier like a hardware switch, so everything relies on the software. And software, as we know, can be modified with each update.

[PrivacyG]

Exactly. Even though the service is optional, its very existence implies it can be triggered by an event.  So if they can initiate it with our consent, then why couldnt it be triggered without it?  As you mentioned, there is no physical barrier like a hardware switch, so everything relies on the software. And software, as we know, can be modified with each update.

I thought more about it and the only answer to this that I could think of is that, as far as I know, Ledger says the Software of their Products will be incapable of doing anything unless the physical buttons are touched.  This is why they kept advertising their Product as extremely safe against any virtual attempt of hacking or theft.  But I have not seen any proof of this being a fact.  The last instruction for activating the Ledger Recover Subscription is,

Check your details and press both buttons on your device to confirm them.

Source (https://support.ledger.com/hc/en-us/articles/9568313619997-How-to-activate-your-Ledger-Recover-subscription?docs=true)

So I presume this is how we are thought to be ensured it will not trigger on its own?

[Cricktor]

I thought more about it and the only answer to this that I could think of is that, as far as I know, Ledger says the Software of their Products will be incapable of doing anything unless the physical buttons are touched.  This is why they kept advertising their Product as extremely safe against any virtual attempt of hacking or theft.  But I have not seen any proof of this being a fact.

I forgot where I've seen and read it, I remember vaguely an old vulnerability analysis for Ledger Nano S, I believe, by some researcher who did some extensive reverse engineering, but Ledger's buttons are controlled by the MCU and its firmware, ie. entirely by software. The MCU communicates button presses by software to the secure element which runs the more important firmware and apps of Ledger crap.

As far as I understand it, you can't emulate button presses by anything coming from outside (we have to believe the Ledger morons here, because black-box firmware) but I don't see any obstacle to push a firmware update for those devices which signals "extract seed and phone home" without user's consent and button presses.

The buttons are software controlled, not more, not less.

[Meuserna]

As far as I understand it, you can't emulate button presses by anything coming from outside (we have to believe the Ledger morons here, because black-box firmware)

That means everything else you said is irrelevant.  No offense, but everything else you said relies on believing Ledger regarding how their hardware wallets work, which they've already lied about many times.

I don't see any obstacle to push a firmware update for those devices which signals "extract seed and phone home" without user's consent and button presses.

Exactly.

How do we know the current firmware can't do this already?  We don't.  That's why I stopped using Ledger hardware last year and moved my Bitcoin to a seed that never touched Ledger hardware.

To anyone who says Ledger hardware wallets can't already extract your seed without you pressing a button to confirm it, I say: Prove it.  Even Ledger admits they can't prove their firmware doesn't have any backdoors (they can't prove it without making the code open source).

That's like somebody saying "Your name isn't on this list!"  OK, show me the list.  "I, uh, can't do that."

Don't trust your Bitcoin to closed source code, especially not after the authors of that code lied about their code.  Why does this even need to be said?

The buttons are software controlled, not more, not less.

The device uses closed source firmware with key extraction capability.

The device cannot be trusted because:
The firmware cannot be trusted.
And the company cannot be trusted.