Ledger Recovery - Send your (encrypted) recovery phrase to 3rd parties entities

[Lucius]

Considering the documents on the FAQ page of Ledger Recovery and how Ledger is replying on Twitter, I would say that o_e_l_e_o is exactly right regarding how the process will be deployed. What amazes me is the fact that Ledger is totally silent when faced with the fact[1][2][3] - or flaw - that is being able to restore your encrypted shards on any device. Do they consider their clients that ignorant regarding how seed phrases work? I should also note that Ledger Nano S will eventually[4] receive this "awesome" feature, per reply on their Reddit page.

Considering the way Mr. Pascal performed in the video that was linked in one of my previous posts, he obviously considers his clients ignorant and incapable of making an adequate backup, in other words, he positions himself in the same position as the famous CZ who claims that 99% of users in the crypto world are not intelligent enough to be their own bank.

As a side note, I am still amazed by the fact that they imploded their company and lost the loyalty of their clients for $9.99 per month...

Ledger (Pascal) also claims in the video that given the situation, they did not notice any drop in sales of their devices, and that this did not even happen after the famous Ledger leak of hundreds of thousands of user data, which he personally considers a trivial event.

Ledger claims it now stores more than 20% of the world's cryptocurrencies and 30% of the world's NFTs.

Not sure about the statement, how do you come to conclusion like that with hardware wallet?

Either it's a simple fabrication, or Ledger knows exactly how much someone has on their devices, which means that they log all the data from the device every time such a device is online. I would say that it is the latter, and considering the company's reputation, I would not be surprised if they share (sell) this data to anyone who is interested in it.

[1714221058]

1714221058

[1714221058]

1714221058

[Synchronice]

Oh, don't get me wrong. I am under no illusion that a new device makes zero technical difference to existing devices. Even without this firmware being deployed to existing devices, it is now abundantly clear that Ledger have been lying for years about the capabilities of their secure elements. I was simply pointing out that if I was a Ledger employee/board member, then I would have done the tiniest bit of research first, realized that 99% of existing customers hate this idea, and suggested launching it on a new device only and saying nothing about our existing devices.

It's good that they weren't this smart, though, since it's served as a big wake up call for people to stop trusting these shady third parties. Unfortunately it seems many people are simply jumping from one shady third party (Ledger) to another shady third party (Trezor).

No, no. Definitely I know what's in your mind regarding Ledger accident, it's just that I remembered your question and then saw it in their FAQ, that's why I replied and quoted it.
By the way, I still think that it's early to talk whether Ledger buried itself by that decision or not. You know, barking dogs seldom bite. This good old saying means a lot and can be applied in your life. People say X but do Y. Despite the fact that there is a big wave of negative comments on twitter, I keep in mind that people are bad at judgement, bad at learning on mistakes and they easily forget, so, I think that Ledger will see increase in revenue despite everything that happened.

All their devices suffer from unfixable seed extraction vulnerabilities, which they deliberately sweep under the rug and do not tell their users how to mitigate against. They also have a very pro-government, pro-censorship, pro-surveillance, and anti-fungibility ethos, as shown by their support of AOPP and their partnership with Wasabi and blockchain analysis.

That has happened in 2019, do they still suffer from the same problem? Btw they removed the support of AOPP but yeah, what you say about them is true.
It's interesting to know what you think about Coldcard or do you think that no hardware wallet is trustable and airgapped encrypted devices are the only last and one devices to use.

[Pmalek]

Either it's a simple fabrication, or Ledger knows exactly how much someone has on their devices, which means that they log all the data from the device every time such a device is online.

It wouldn't be surprising that they did. After all, they want to know how much money their customers trust them with. I am not justifying the action, simply explaining what I believe is happening. If Electrum servers can find out loads of information about connected wallets, there is no reason not to think that Ledger's servers can't as well.

That has happened in 2019, do they still suffer from the same problem?

Yes, because it's an unfixable hardware defect that can't be ironed out with software patches. It was always there and will always be there for the models One and T in their current forms. 

Btw they removed the support of AOPP but yeah, what you say about them is true.

They removed support following the negative comments surrounding it, but didn't mind signaling support for it.

It's interesting to know what you think about Coldcard or do you think that no hardware wallet is trustable and airgapped encrypted devices are the only last and one devices to use.

ColdCard is an airgapped wallet. You can work with PSBTs and import/export them with the help of an SD card for example. The device is not open-source but has public and verifiable code. It's better than standard USBconnected hardware wallets.

[dragonvslinux]

Ledger claims it now stores more than 20% of the world's cryptocurrencies and 30% of the world's NFTs.

Not sure about the statement, how do you come to conclusion like that with hardware wallet?

I think it's because Ledger integrates different coins overtime, and if I had to guess about 20% of all coins (tokens) are on Ethereum or Binance chain. So naturally all these ERC20 and BEP20 tokens are integrated. Likewise with NFTS, most are also on Ethereum, so merely the Ethereum integration is what accomplishes this goal. The likes of Solana and other L1 projects increases the % slightly I guess.

[Cricktor]

It won't if it works the same way transaction broadcasting works. You need physical confirmation to broadcast a transaction, and Ledger has said you will also have to physically allow the sharing of the shards. Whether or not that is true is another topic of discussion. 

But it's black box firmware software of Ledger for the MCU that controls user interaction with the hardware buttons. It's Ledger's software, the MCU proxies the button presses to the firmware software that runs on the Secure Element and which does most of "Ledger's magic".

Trezor's open-source code means very little to me because I can't go through it and I don't understand what it does. I still have to trust Trezor and everyone that has verified the code that it's bulletproof and can't be abused. That's the trust part.   

If it's public there likely will be experts who have more knowledge to inspect and judge the code. And security concerns are probably a good motivation to look closer. Yes, if you can't do it yourself, you have to trust others. But still I prefer the code to be public, otherwise there's no chance to look closer.

Let's say that Ledger has two options: A. Their profit will increase slightly if they keep their current crypto enthusiast customers happy and B. Their profit will dramatically increase if they lose some of their customers but attract a lot of new customers who will pay them $9 every month.
Ledger is a business, a corporative company, right? And it's clear to see that this company wasn't founded by a crypto enthusiast but by a person who is a businessman and wants money. They go with option B.

Einstein once said: Two things are infinite: the universe and human stupidity.

However, reading the comments of some people under the video I linked, it is incredible how many people believe in the nonsense that people from Ledger are talking about. Einstein was definitely right.

Yes, and it's said that Einstein added: "... and I'm not so sure about the universe."

In my opinion Ledger Paris can basically only do one thing right and that's marketing bs. They suck at everything else, including value their customers. Strangely, it seems to me that Ledger appears kind of synonym to hardware wallet. Look at the topic Show off your hardware wallet, yes I know it's not representative, only 4 of 19 don't show Ledger hardware crap.

You decide if you want to switch the feature on or off, but Ledger brings it to you no matter what. Imagine a self destruct button in your car, where, if you press it, the car explodes. I am not going to press it, but I am not comfortable having it there at all. Ledger has already decided to add that button.

And to my knowledge the hardware buttons of a Ledger Nono are completely software controlled. The buttons are not directly wired to the Secure Element where most of Ledger's firmware magic happens. The MCU controls the display and the buttons and proxies user interactions to the Secure Element. It's the firmware that decides what to do when you press a Ledger button. As the firmware is a black box what exactly prevents Ledger to not need your button press? ... Exactly: nothing! It's their secret sauce code...

For Ledger's shard, yes. But your KYC data will also be stored with the other two third party companies as well, in order for them to release their shard if needed:

Ledger Recover uses your ID and a selfie to verify who you are, via its Identity Verification provider, Onfido. Then, it links your identity to encrypted fragments of your Secret Recovery phrase. The identity providers store this ID data in an encrypted form.

So there will be three companies holding your KYC data, duplicated across an unknown number of servers in an unknown number of locations with unknown security protocols and an unknown number of people with digital or physical access. Just like every other KYC, it will only be a matter of time before your information is leaked/hacked/shared/sold.

Your data is safu, they say. They'll surely send you through support desk hell, if you need to request your shards. What if you loose your ID (hey, your new ID has a different S/N...)? What if your face changed after years or some illness? What about live video deep fakes? All is fine, they say.

Bullshit, I say!

Seems Ledger users are going from one very insecure device to a slightly less insecure device.

Remember what Einstein said?!

[o_e_l_e_o]

Either it's a simple fabrication, or Ledger knows exactly how much someone has on their devices, which means that they log all the data from the device every time such a device is online.

If you use Ledger Live, then this is a given, since it connects to Ledger servers. And remember they are offering insurance with Ledger Recover, so they are 100% keeping track of your balances.

That has happened in 2019, do they still suffer from the same problem? Btw they removed the support of AOPP but yeah, what you say about them is true.
It's interesting to know what you think about Coldcard or do you think that no hardware wallet is trustable and airgapped encrypted devices are the only last and one devices to use.

As I said, the vulnerability is unfixable. It still exists and will always exist on these devices. Coldcard is certainly airgapped, but it is not open source as Pmalek points out and the company behind it spread lies about competitors for their own gain. I personally wouldn't use it.

If I had to buy a hardware wallet right now, I would buy a Passport. But I'd much rather continue to use a separate airgapped, encrypted device, running a FOSS OS and wallet.

And to my knowledge the hardware buttons of a Ledger Nono are completely software controlled. The buttons are not directly wired to the Secure Element where most of Ledger's firmware magic happens. The MCU controls the display and the buttons and proxies user interactions to the Secure Element. It's the firmware that decides what to do when you press a Ledger button. As the firmware is a black box what exactly prevents Ledger to not need your button press? ... Exactly: nothing! It's their secret sauce code...

This is the exact point I've been making:

Given that a simple software update means the secret element can now export private keys, then a simple software update could make this feature mandatory, or could remove the need for any physical button presses, or could take everyone's private keys without their knowledge or consent. The whole point of the secure element is moot. The entire security of the device hinges on non malicious software.

[Lucius]

~snip~
In my opinion Ledger Paris can basically only do one thing right and that's marketing bs. They suck at everything else, including value their customers. Strangely, it seems to me that Ledger appears kind of synonym to hardware wallet. Look at the topic Show off your hardware wallet, yes I know it's not representative, only 4 of 19 don't show Ledger hardware crap.

Realistically, at the time when HW started to become a serious competitor to desktop wallets, there were not too many choices, and Ledger mainly imposed itself as the main player on the market due to its design. To me, that design was always more attractive than Trezor, and that's why I bought those devices, and I assume that many others did it for similar reasons.

What you call "crap" today, we couldn't define it like that in the past because there was no reason for it. However, when I get a new HW, maybe I'll start a new topic called "Show your destroyed Ledgers", because really trash belongs in trash, right?

If you use Ledger Live, then this is a given, since it connects to Ledger servers. And remember they are offering insurance with Ledger Recover, so they are 100% keeping track of your balances.
~snip~

This means that everyone who has ever upgraded firmware and installed coin apps in some way shared the content of their HW, together with the IP address, and it is not unrealistic that each HW can be identified by a unique digital fingerprint, which is then very nicely connected to the KYC database. I am surprised that until now not a single authority in France or the EU has dealt with the problem of Ledger as a company that has been behaving completely amateurishly for years when it comes to the protection of its clients' data.

A few days ago, a bookmaker in my country was fined EUR 380 000 for storing bank card data in an unauthorized manner, without causing harm to its clients.

[Cricktor]

Realistically, at the time when HW started to become a serious competitor to desktop wallets, there were not too many choices, and Ledger mainly imposed itself as the main player on the market due to its design.

I don't know much about the history of HWs, only cloudy memories that there was a time when there were basically only Trezor and Ledger as serious products. But then again you had Ledger with its black box model and Trezor with much more transparency, albeit with possibly an inferior security design.

I can't tell what I would've chosen back then. After all this Ledger circus and drama in the past few years for me there's one irrefutable paradigm when it comes to manage safely higher values (low four-digit and up in $/€): the wallet (software or hardware) has to be transparent and open-source. Ledger is then by default not a choice and I wonder why so many users don't care, especially when there are more choices today then ever.

[Z_MBFM]

Realistically, at the time when HW started to become a serious competitor to desktop wallets, there were not too many choices, and Ledger mainly imposed itself as the main player on the market due to its design.

I don't know much about the history of HWs, only cloudy memories that there was a time when there were basically only Trezor and Ledger as serious products. But then again you had Ledger with its black box model and Trezor with much more transparency, albeit with possibly an inferior security design.

I can't tell what I would've chosen back then. After all this Ledger circus and drama in the past few years for me there's one irrefutable paradigm when it comes to manage safely higher values (low four-digit and up in $/€): the wallet (software or hardware) has to be transparent and open-source. Ledger is then by default not a choice and I wonder why so many users don't care, especially when there are more choices today then ever.

Ledger and Trezor were the only two products that were publicly available through public interest.  But the laser's black box model created an identity, which is not supposed to be somewhat transparent.  Still it seems that transparent and open source wallets should be chosen for high-quality predictors without neglecting security, which is very important.  Considering this paradigm is now almost non-selective, it's natural not to wait, which I assure you is a paradigm worth thinking about.

[Pmalek]

And to my knowledge the hardware buttons of a Ledger Nono are completely software controlled. The buttons are not directly wired to the Secure Element where most of Ledger's firmware magic happens. The MCU controls the display and the buttons and proxies user interactions to the Secure Element. It's the firmware that decides what to do when you press a Ledger button. As the firmware is a black box what exactly prevents Ledger to not need your button press? ... Exactly: nothing! It's their secret sauce code...

This is the exact point I've been making:

Given that a simple software update means the secret element can now export private keys, then a simple software update could make this feature mandatory, or could remove the need for any physical button presses, or could take everyone's private keys without their knowledge or consent. The whole point of the secure element is moot. The entire security of the device hinges on non malicious software.

I doubt Ledger would ever admit that they could remove that physical confirmation any time they want, but are you both 100% sure that's how it works? You have no code to back that up, the same way Ledger hasn't made any available to show that they can't. Can the user's confirmation really be worked around that easily, and if they have malicious intentions, why would they simply not do it instead of telling us that they will?

[o_e_l_e_o]

I doubt Ledger would ever admit that they could remove that physical confirmation any time they want, but are you both 100% sure that's how it works?

They certainly wouldn't. I suppose I couldn't prove it without engineering firmware which does exactly that, but have a look at the hardware architecture here: https://developers.ledger.com/docs/embedded-app/bolos-hardware-architecture/https://developers.ledger.com/docs/embedded-app/bolos-hardware-architecture/

The buttons feed in to the MCU, not to the secure element. The MCU is where the firmware is installed. If Ledger can write firmware which says "Perform action x if confirmed by a button press", then I see no reason they can't write firmware which simply says "Perform action x".

[Pmalek]

It would be really interesting to get the opinion of an expert in this field. I might send an email to Joe Grand to see what his thoughts on the matter are.

The buttons feed in to the MCU, not to the secure element. The MCU is where the firmware is installed.

According to the Ledger Developer Portal source you shared, the firmware is in the secure element chip, not the MCU.

Furthermore, the Secure Element is also split into two parts: the firmware which is under NDA and is therefore closed-source, and the SDK & application-loaded code which is open source friendly.

 

If Ledger can write firmware which says "Perform action x if confirmed by a button press", then I see no reason they can't write firmware which simply says "Perform action x".

Wouldn't the same be true for all other events, like broadcasting/sending transactions? Then we are back to trust where we have to "hope" they won't do it. Is Ledger the only company with such an architecture and how is it handled elsewhere?

Based on the info below, the MCU is instrumental for all actions, which makes sense because it's the brains of the whole product. The SE is the safety deposit box.

The MCU sends an Event (button press, ticker, USB transfer, …).
The SE responds with a list of zero or more Commands in response to the Event.
The SE sends a Status indicating that the Event is fully processed and waits for another Event.

If I understand it correctly, the MCU has to ask for the keys, and the SE has to confirm it. The question now is can the optional access by the user be circumvented with the correct code, where their cooperation isn't required? 

[witcher_sense]

They certainly wouldn't. I suppose I couldn't prove it without engineering firmware which does exactly that, but have a look at the hardware architecture here: https://developers.ledger.com/docs/embedded-app/bolos-hardware-architecture/https://developers.ledger.com/docs/embedded-app/bolos-hardware-architecture/

Am I getting it right? The moment you transfer shards of your seed to third-party companies, Ledger transforms to Trezor and starts using an insecure MCU chip to store sensitive information and send it to a USB host. It should work perfectly if your goal is a system vulnerable to remote software attacks.

[vapourminer]

It's interesting to know what you think about Coldcard or do you think that no hardware wallet is trustable and airgapped encrypted devices are the only last and one devices to use.

ColdCard is an airgapped wallet. You can work with PSBTs and import/export them with the help of an SD card for example. The device is not open-source but has public and verifiable code. It's better than standard USBconnected hardware wallets.

ive had trezors since 2014 (? i think thats when they came out, i got one of the 1st). no issues in usability. but the seed extraction thing.. oops. i get around it by erasing the trezor after use and when needed i put the seeds in the hard way (using the trezor not the computer kb), do the tx and then reset again.

but trezor is not the company i was when i started. so. heres my question.

ive read good things on foundations passport.. anyone here want to chime in? might be off topic?

[o_e_l_e_o]

According to the Ledger Developer Portal source you shared, the firmware is in the secure element chip, not the MCU.

There is firmware on both, but the firmware updates you install via Ledger Live predominantly target the MCU. The errors you get with an outdated device are either "MCU firmware is outdated" or "MCU firmware is not genuine".

Wouldn't the same be true for all other events, like broadcasting/sending transactions? Then we are back to trust where we have to "hope" they won't do it.

Yes, I don't see why not. In Ledger's own words, from a now deleted tweet:

Technically speaking it is and always has been possible to write firmware that facilitates key extraction. You have always trusted Ledger not to deploy such firmware whether you knew it or not.

Is Ledger the only company with such an architecture and how is it handled elsewhere?

I don't see why it would be any different elsewhere. Any company can deploy any code they like to their own products. Your only real protection against this is a permanently airgapped device which has no way of broadcasting transactions without your involvement.

Am I getting it right? The moment you transfer shards of your seed to third-party companies, Ledger transforms to Trezor and starts using an insecure MCU chip to store sensitive information and send it to a USB host.

I think it's worse than that. Your shards, alongside their decryption key, have to go from secure element, to MCU, to Ledger Live on your internet connected computer, then across the internet to a variety of third parties. That's the same security (or lack thereof) as a hot wallet.

ive read good things on foundations passport.. anyone here want to chime in? might be off topic?

Open source, entirely airgapped, and statements from their devs on Twitter publicly calling out nonsense such as Ledger Recover and Trezor's blockchain analysis support. I would still prefer to use an airgapped and encrypted device to make my own cold storage, but Passport is the only hardware wallet I would recommend at the moment.

[dkbit98]

ive had trezors since 2014 (? i think thats when they came out, i got one of the 1st). no issues in usability. but the seed extraction thing.. oops. i get around it by erasing the trezor after use and when needed i put the seeds in the hard way (using the trezor not the computer kb), do the tx and then reset again.

That is best thing if you are using Trezor for long term storage and if you are not making many transactions all the time.
Perfect example of quick importing seed phrase would be with scanning QR code, but Trezor don't have camera like Passport, Jade or other DIY open source hardware wallet devices.
Maybe next generation Trezor will include camera or some other way of quick seed phrase importing.

ive read good things on foundations passport.. anyone here want to chime in? might be off topic?

I think member n0once owns a Passphrase wallet, he even made detailed review in forum, so you can search for that.
In my opinion this is one of the best Bitcoin hardware wallets available today, but it's certainly much better than ledger.
Passport Review topic:
https://bitcointalk.org/index.php?topic=5421713.0

[RickDeckard]

It would be really interesting to get the opinion of an expert in this field. I might send an email to Joe Grand to see what his thoughts on the matter are.

I haven't seen activity on his twitter page regarding Ledger Recovery, but I did find this[1] Discord message posted on Reddit (from Joe Grand Discord Server):

It looks like they're having the on-board SE encrypt the private key and split it into 3rds for offline storage in different HSMs. Given how many people contact me asking for help with a lost key, I can see something like this being beneficial for folks who aren't technically-inclined enough or don't have the capability to keep their hardware wallet physically secure and/or want to have a back-up solution of the key being stored elsewhere (which IMO negates the benefits of having a cold wallet). It seems like a move to mitigate the risk of losing all your funds in a cold wallet and a way to attract more people into the cryptocurrency space by giving the peace of mind. Even if the split encrypted key was recombined, AFAIK it would need to still be bruteforced before getting to the private key (or the encryption key extracted from the SE). I wouldn't call this a backdoor by any stretch, but given the paranoia in the cryptocurrency space, I don't think they did a good job explaining what it is and how it works.

This statement is dated 05/17/2023, just one day after the fiasco started. This was just one day after the whole fiasco started and considering that two weeks have passed, I am unsure if his opinion still stands considering the (limited) information that we currently have available for Ledger Recovery.

ive read good things on foundations passport.. anyone here want to chime in? might be off topic?

I think member n0once owns a Passphrase wallet, he even made detailed review in forum, so you can search for that.
In my opinion this is one of the best Bitcoin hardware wallets available today, but it's certainly much better than ledger.
Passport Review topic:
https://bitcointalk.org/index.php?topic=5421713.0

Indeed a bit off topic, but I would just like to add two more links - For historical purposes and to compare how the product has advanced, n0nce also made a great review of Foundation Founders Edition[2] and you can also check Foundation Passport Official thread[3] for discussion regarding the device as well.
[1]https://safereddit.com/r/CryptoCurrency/comments/13okszr/this_is_what_joe_grand_the_guy_who_hacked_a/
[2]https://bitcointalk.org/index.php?topic=5382675.0
[3]https://bitcointalk.org/index.php?topic=5441422.0

[Cricktor]

And to my knowledge the hardware buttons of a Ledger Nono are completely software controlled. The buttons are not directly wired to the Secure Element where most of Ledger's firmware magic happens. The MCU controls the display and the buttons and proxies user interactions to the Secure Element. It's the firmware that decides what to do when you press a Ledger button. As the firmware is a black box what exactly prevents Ledger to not need your button press? ... Exactly: nothing! It's their secret sauce code...

...
I doubt Ledger would ever admit that they could remove that physical confirmation any time they want, but are you both 100% sure that's how it works? You have no code to back that up, the same way Ledger hasn't made any available to show that they can't. Can the user's confirmation really be worked around that easily, and if they have malicious intentions, why would they simply not do it instead of telling us that they will?

My sources is the following blog article by Saleem Rashid, who discovered a severe security flaw in the Ledger NoNo S firmware. There's a diagram showing basically the same wiring what @o_e_l_e_o cited from Ledger's developer sources. Saleem doesn't go into too much details but I assume he partly or to greater extend reverse-engineered MCU firmware code to craft his exploit. I have my doubts that the base architecture of Ledger NoNo S+ and NoNo X is much different, but frankly I can't prove it. I haven't enough interest in Ledger crap to spend a lot of time in research around their products. This company, their products, their philosophy and their executives are a no-go for me.

It's funny a shame how the executive morons, cry-baby Éric e.g., at Ledger Paris tried to downplay his findings and treated him. (Not that I can say to know all the story, but as a hardware wallet company you definitelly shouldn't treat white hat security analysts who can prove your product has a severe flaw like Ledger did with him. Not to mention how long it took them to deal with this flaw.)

[n0nce]

According to the Ledger Developer Portal source you shared, the firmware is in the secure element chip, not the MCU.

There is firmware on both, but the firmware updates you install via Ledger Live predominantly target the MCU. The errors you get with an outdated device are either "MCU firmware is outdated" or "MCU firmware is not genuine".

According to [1], Ledger uses ST MCUs with flash memory in the 16-32 Kilobyte range. So I highly doubt that much of the firmware is stored directly on the chip.
The secure element actually has much more storage, 320KB to be exact; so it's likely that much of the firmware is in the secure chip.

This all doesn't really matter, though. The fact of the matter is that as soon as you install firmware with seed extraction capability, it's game over for your privacy and security.


[1] https://blog.gridplus.io/hardware-wallet-vulnerabilities-f20688361b88?gi=205af29b0222

[satscraper]

According to the Ledger Developer Portal source you shared, the firmware is in the secure element chip, not the MCU.

There is firmware on both, but the firmware updates you install via Ledger Live predominantly target the MCU. The errors you get with an outdated device are either "MCU firmware is outdated" or "MCU firmware is not genuine".

According to [1], Ledger uses ST MCUs with flash memory in the 16-32 Kilobyte range. So I highly doubt that much of the firmware is stored directly on the chip.
The secure element actually has much more storage, 320KB to be exact; so it's likely that much of the firmware is in the secure chip.

This all doesn't really matter, though. The fact of the matter is that as soon as you install firmware with seed extraction capability, it's game over for your privacy and security.


[1] https://blog.gridplus.io/hardware-wallet-vulnerabilities-f20688361b88?gi=205af29b0222

Judging to this official  doc  their firmware consists of two parts,  each running on its own hardware i.e MCU and SE. "The SE firmware is composed of: BOLOS OS & BOLOS UX Dashboard Device App".  On top of MCU is the firmware part which is called SEPROXYHAL.


Some details on BOLOS and SEPROXYHAL can be found on their official page describing hardware architecture  of Ledger devices.