Is Ledger Nano S REALLY SAFE ?? Best Hardware Wallet ?

[lorya]

What happens if your ledger nano s no longer works etc?  Could you restore your wallet on a computer if you cannot get another nano ledger s?

You have a buy another one. They don't provide their algorithm to derivate their seed into a valid BTC (or another coin) address.

[1715383238]

1715383238

[1715383238]

1715383238

[1715383238]

1715383238

[jerry0]

Well what happens if you cannot buy another one.  Could you restore your wallet on your computer then?

[RGBKey]

A nano s isn't a backup. Its a hardware wallet which can be used for everyday payments.
The 24 word seed phrase is the backup of your private-/public keys. This phrase can be imported into any BIP39/44 compatible wallet to 'restore your coins'.

Aren't there hardware wallets with backup of your keys/seeds?

Yes, like this one: https://www.ledgerwallet.com/products/ledger-cryptosteel

What happens if your ledger nano s no longer works etc?  Could you restore your wallet on a computer if you cannot get another nano ledger s?

You have a buy another one. They don't provide their algorithm to derivate their seed into a valid BTC (or another coin) address.

This is wrong. Ledger uses the BIP 39 standard. You can recover it with a tool like this: https://iancoleman.io/bip39/
Please don't spread misinformation.

[jerry0]

So what program exactly would i need to download to recover btc if the nano ledger s doesn't work anymore and i cannot get anyone?  I assume i cannot use electrum?

[TryNinja]

So what program exactly would i need to download to recover btc if the nano ledger s doesn't work anymore and i cannot get anyone?  I assume i cannot use electrum?

You actually can. If you have your backup seed, you can just import them in Electrum with the BIP39 seed enabled and recover your coins.

[jerry0]

Okay let me just get this confirmed.  If i get a nano ledger s and then transfer my btc from electrum to nano ledger.  Then my nano ledger no longer works or something like that, i would just have to put that 24 word seed from nano ledger and enter that into electrum wallet and it will be recovered?  Thus its like if i needed to restore electrum again on the same computer or new computer?  I want to make sure of this because i know i would not be able to get a nano ledger s again if the initial one has issues and malfunctions etc.

[RGBKey]

Okay let me just get this confirmed.  If i get a nano ledger s and then transfer my btc from electrum to nano ledger.  Then my nano ledger no longer works or something like that, i would just have to put that 24 word seed from nano ledger and enter that into electrum wallet and it will be recovered?  Thus its like if i needed to restore electrum again on the same computer or new computer?  I want to make sure of this because i know i would not be able to get a nano ledger s again if the initial one has issues and malfunctions etc.

Yes, because the Nano S uses the BIP39 standard, it is accepted by other wallets. You will be fine. At the very least you can find a tool online to help you recover your wallet.

[7jaka7]

Anyone knows how is with security if you were using Ledger Nano S on EtherDelta (ED)?
As I heard ED was hacked. Someone replaced their domain with his and he got private keys from users (users typed/generated private key on ED in order to start trading).

So how's that if you were using Ledger Nano S on ED? I understand that he can't confirm transactions since you need to use physical button to approve it.
But did he get your private key/ seed? Could he import that in another Ledger Nano S wallet and send funds from there? Can PIN code prevent that?

Is there something owner of ledger wallet could/should do in this case? Are there any cases in which your private key/mnemoric seed would get exposed and stolen from Ledger Wallet, example: if you are using My Ether Wallet with Nano S and someone would replace their domain?

[blozo]

Yes is the safest, easiest option to store your bitcoin/cryptocurrencies. Your private keys are stored in the ledger and never exposed

Moreover it cannot be tampered since it has 2 different chips

[Lucius]

Anyone knows how is with security if you were using Ledger Nano S on EtherDelta (ED)?
As I heard ED was hacked. Someone replaced their domain with his and he got private keys from users (users typed/generated private key on ED in order to start trading).

So how's that if you were using Ledger Nano S on ED? I understand that he can't confirm transactions since you need to use physical button to approve it.
But did he get your private key/ seed? Could he import that in another Ledger Nano S wallet and send funds from there? Can PIN code prevent that?

Is there something owner of ledger wallet could/should do in this case? Are there any cases in which your private key/mnemoric seed would get exposed and stolen from Ledger Wallet, example: if you are using My Ether Wallet with Nano S and someone would replace their domain?

When you generate your 24 word seed on Ledger Nano S this should be written on a piece of paper,make few copy and store in safe place.This seed is not for share with nobody,but if you give this to someone,then it is easy to use that seed to generate your wallet.

You can not import private key in Ledger Nano S,it will only accept seed created by Ledger or Trezor(as far as I know).If you use Ledger with other wallets like Electrum,your private keys/seed is never leaves device and you always need to confirm sending address on Ledger display before confirm sending.

Hardware wallets are best option for keeping your coins safe for long term and also for daily use.

[bob123]

So how's that if you were using Ledger Nano S on ED? I understand that he can't confirm transactions since you need to use physical button to approve it.

Yes, thats right.
Ether Delta creates the transactions and you have to sign (approve) them via pushing the physical buttons.

But did he get your private key/ seed?

In this case he doesn't have any chance to get the seed (or private keys). They never get exposed to 'outside' of the nano s.

Could he import that in another Ledger Nano S wallet and send funds from there?

No, because look above.
Generally: You dont need a nano s to import the seed and transfering coins. Any BIP39-compatible wallet can do that.

Can PIN code prevent that?

1. This can't happen (look above)
2. The pin code only secures your funds against physical access (thief would have to know your pin code). In a scenario where the attacker has your private key or seed he doesn't need to
access your device since he can easily create transaction by himself (with any other tool/wallet).

Is there something owner of ledger wallet could/should do in this case? Are there any cases in which your private key/mnemoric seed would get exposed and stolen from Ledger Wallet, example: if you are using My Ether Wallet with Nano S and someone would replace their domain?

Your private key / seed never gets exposed.
However, a 'fake' ether delta would steal your money in terms of taking your deposits and not paying out withdrawals.
As long as you confirm/approve transactions consicious only these 'deposits' would be stolen from you (and additionally your master public key would be known to the fake ED, destroying your privacy).

[7jaka7]

So how's that if you were using Ledger Nano S on ED? I understand that he can't confirm transactions since you need to use physical button to approve it.

Yes, thats right.
Ether Delta creates the transactions and you have to sign (approve) them via pushing the physical buttons.

But did he get your private key/ seed?

In this case he doesn't have any chance to get the seed (or private keys). They never get exposed to 'outside' of the nano s.

Could he import that in another Ledger Nano S wallet and send funds from there?

No, because look above.
Generally: You dont need a nano s to import the seed and transfering coins. Any BIP39-compatible wallet can do that.

Can PIN code prevent that?

1. This can't happen (look above)
2. The pin code only secures your funds against physical access (thief would have to know your pin code). In a scenario where the attacker has your private key or seed he doesn't need to
access your device since he can easily create transaction by himself (with any other tool/wallet).

Is there something owner of ledger wallet could/should do in this case? Are there any cases in which your private key/mnemoric seed would get exposed and stolen from Ledger Wallet, example: if you are using My Ether Wallet with Nano S and someone would replace their domain?

Your private key / seed never gets exposed.
However, a 'fake' ether delta would steal your money in terms of taking your deposits and not paying out withdrawals.
As long as you confirm/approve transactions consicious only these 'deposits' would be stolen from you (and additionally your master public key would be known to the fake ED, destroying your privacy).

Thank you very much for this answer!
So if you take good care of private key (mnemoric seed) and PIN there is no way to steal funds from Ledger Nano S. Now I'm even happier that I have it.

[CryptoPadawan]

Hi, guys! I got three Ledger nano s and I got this very interesting question one day when I using it.

What if the manufacturer did something evil? I mean of course you can always wipe the ledger nano as much as you like, and of course, the code of it is open-source online. What if the manufacturer only provides a certain range of words to generate a weak private key, which can be gained by exhaustive attack method? After all, you can only comply with the seed words it provides.

How can we know for sure the ledger nano we have is not provided by evil manufacturers? I mean, you cannot open it and check it thoroughly. I just really curious about this question and it haunted me. Is it possible? And is it possible for some hacker to gain interest with any bug that hides inside this hardware wallet?

Please correct me if wrong. Really appreciated!
 

[lorya]

Hi, guys! I got three Ledger nano s and I got this very interesting question one day when I using it.

What if the manufacturer did something evil? I mean of course you can always wipe the ledger nano as much as you like, and of course, the code of it is open-source online. What if the manufacturer only provides a certain range of words to generate a weak private key, which can be gained by exhaustive attack method? After all, you can only comply with the seed words it provides.

How can we know for sure the ledger nano we have is not provided by evil manufacturers? I mean, you cannot open it and check it thoroughly. I just really curious about this question and it haunted me. Is it possible? And is it possible for some hacker to gain interest with any bug that hides inside this hardware wallet?

Please correct me if wrong. Really appreciated!
 

And what about the official and unofficial wallets?

Of course they can do that, but the real question is why would they do that? Ledger is a serious company and they should have some random quality control to check that everything is ok. You can also send your ledger to a security company to check whether every seems ok.

[HCP]

...What if the manufacturer only provides a certain range of words to generate a weak private key, which can be gained by exhaustive attack method? After all, you can only comply with the seed words it provides.

That isn't strictly true... you don't have to use a seed generated by the device itself.

You can restore any BIP39/BIP44 compatible seed into a Ledger Nano S... so you are free to use another tool to generate a 24 word seed. Theoretically, you could even generate it offline using dice and some maths and then "restore" that seed to the Nano.

[bhadz]

What if the manufacturer did something evil?

Their company is worth billions of dollars so why they have to do something crazy just to destroy their smooth running business. I know you are starting to worry since they are the ones who are manufacturing our nano ledger s'. But to think of it, they have more than our bitcoins so why would they destroy their reputation just for the sake of stealing. I have seen on how they reacted with a reddit complain about a reseller who stole the coins of the complainant and that was a very impressive reply from them, they care for their customers.

[rbt]

Yes, very interested in nano s, waiting for reviews from users. Also, have anyone already bought a ledger blue??

I`m regularly using Ledger Nano S and I recommend it. If you have a few hundred dollars worth of coins/tokens, than it definitely worth spending $100 for one. I bought it from the producer, but you can buy it from the reseller as long you initialize the device. NEVER use a Ledger already initialized because you`ll loose your funds!

...What if the manufacturer only provides a certain range of words to generate a weak private key, which can be gained by exhaustive attack method? After all, you can only comply with the seed words it provides.

In theory I guess everything is possible, but I don`t think we should worry about. Ledger is on the market for some time and their codes were checked and deeply analyzed, they probably offered a bug bounty too in order to incentivize people (I don`t know for sure, but I see almost everybody does this nowadays).

[manchester93]

Everyone says to buy a hardware wallet. Could anybody explain to me how much of a threat this is? Regarding Ledger:

Last I checked they use shared attestation to bootstrap trust for device pairing. (That’s really bad, but not as bad as their first product that used a shared secret on a plastic card, that you would enter in parts over time via the untrustworthy device).

Attestation is proving the device, type using a challenge response pattern. Given the claim is of type, not instance, the proof is based on a common secret retained by each device of the same type. This is what makes attestation distinct from authentication (identity).

I used the qualifier “shared” to emphasize that attestation uses a secret that is shared across devices of the same type (possibly divided into lots). The secure element is not used by credit cards in this manner, instead each card is manufactured with a unique (identity) secret.

So you do not get anything like “bank level” security despite using the same hardware.

Also this:

HW wallets are definitely hacking targets now. Regardless of boot security, they have 2 very high risk attack vectors: - Jailbreak style infection/persistence. - USB hack while connected. Don't trust them more than: - computer you connect it too. - who had physical access.

Should I spread around the risk and not keep most/all of my coins on a hardware wallet? The idea of keeping my private keys plugged into the USB drive does kind of freak me out.

[gentlemand]

Should I spread around the risk and not keep most/all of my coins on a hardware wallet? The idea of keeping my private keys plugged into the USB drive does kind of freak me out.

I think anyone claiming 100% faultlessness is a little deluded. Look at the gaping holes that have been there for years in all of our systems that have only recently been uncovered.

There will be white hat and black hat hackers along with the Ledger developers themselves constantly probing for weaknesses. If they're found then I assume we'll hear about it along with a fix very rapidly.

As of right now the only risks with hardware wallets are from social engineering like people buying from third parties with preinstalled seeds.

[jossiel]

Should I spread around the risk and not keep most/all of my coins on a hardware wallet? The idea of keeping my private keys plugged into the USB drive does kind of freak me out.

This will be the same if you have a laptop connecting it to the web, download wallet --> send funds on that wallet and then stay offline forever for security.

With the given points of Eric Voskuil on his tweet. The only possible risk that we can get through our hardware wallets is through this.

As of right now the only risks with hardware wallets are from social engineering like people buying from third parties with preinstalled seeds.

Base on the points there, it will also depend on the computer you're connecting. If you are not that much techie, just don't click anything unnecessary.