Exactly. Even though the service is optional, its very existence implies it can be triggered by an event.  So if they can initiate it with our consent, then why couldnt it be triggered without it?  As you mentioned, there is no physical barrier like a hardware switch, so everything relies on the software. And software, as we know, can be modified with each update.

I forgot where I've seen and read it, I remember vaguely an old vulnerability analysis for Ledger Nano S, I believe, by some researcher who did some extensive reverse engineering, but Ledger's buttons are controlled by the MCU and its firmware, ie. entirely by software. The MCU communicates button presses by software to the secure element which runs the more important firmware and apps of Ledger crap.

As far as I understand it, you can't emulate button presses by anything coming from outside (we have to believe the Ledger morons here, because black-box firmware) but I don't see any obstacle to push a firmware update for those devices which signals "extract seed and phone home" without user's consent and button presses.

The buttons are software controlled, not more, not less.

As I'm for years not interested in Ledger hardware because it's closed-source, I likely didn't keep the source of the interesting article of this vulnerability researcher who in my opinion did quite a good job to reverse engineer parts of Ledger Nano's firmware. It was a good read as far as I remember it, out of curiosity and because I'm generally interested in security stuff.

I found it particularly interesting, and so different to other hardware wallets, that for a Nano the MCU seems to do more the housekeeping, display, buttons, interface, signaling to the secure element and way less of the crypto stuff. If I don't mix it up, the Ledger coin/token apps are code running in the secure element where Ledger uses in parts special firmware extensively offloading coin stuff in their secure element.

I'd happily provide a source but couldn't find the bookmark for it so far, sorry. It's a pretty old source but I don't expect Ledger to have changed a lot of their internal design logic. Why Ledger does it the way they do it, I've no clear idea and I don't care about their security talk bullshit

Anyway, you're correct, because the firmware is a black box, it's all speculation what could be or not. And I don't believe the Ledger Paris freaks a single word anymore. I don't need Ledger crap and I won't recommend to use it for obvious reasons. If Ledger still fan boys don't understand this, that's on them, probably lost cases, sad if they're going to learn by pain when Ledger srews it up again.


No offense taken, but I disagree in parts. I hope I didn't regurgitate Ledger's marketing bullshit. I rather believe more what this researcher published about Nano's internals and what somewhat stuck in my memory than what Ledger fantasizes in words, videos and marketing propaganda.

We're on the same page. I'd add based on constand complains of users: Ledger Live is painfully crappy software for crypto masochists.

A Ledger rant a day, keeps the doctor away...