Ledger Recovery - Send your (encrypted) recovery phrase to 3rd parties entities

[RickDeckard]

Is it possible that if a user has enabled the recovery feature, and has his/her data held by a third party, then it's probable that a government entity could issue a written order telling the third party to give them access to then user's coins/savings?

Yes, absolutely.

The question is now which government will get to your coins first But that's not even my biggest concern: what are the odds 2 out of 3 "seed storage facilities" will get hacked, leak data, or have an inside job rob users? If this takes off, there are billions of dollars worth of crypto to steal.

And I mean, since we all know who the three companies are (one of them being Ledger), it wouldn't take much to have some high level employee going rogue from company A and another from company B and have free access to Ledger client funds. This is just another breach waiting to happen for Ledger, I'm surprised they still haven't learned after their previous breaches.

[1714199257]

1714199257

[1714199257]

1714199257

[1714199257]

1714199257

[1714199257]

1714199257

[Cricktor]

This is just another breach waiting to happen for Ledger, I'm surprised they still haven't learned after their previous breaches.

Lol, maybe this is their new rogue business plan, I wouldn't be too surprised. How did Mark Karpeles kind of got away with his "Mt.Gox got hacked" story? It was shady beyond comprehension! Will we see a Mt. Ledger NoNo, oops we were hacked, sorry, your wallets are gone, bye bye, no time, private jet is waiting, salu, au revoir.     

[Wind_FURY]

Shower thought. Is it possible that if a user has enabled the recovery feature, and has his/her data held by a third party, then it's probable that a government entity could issue a written order telling the third party to give them access to then user's coins/savings?

Because I believe the user has given up some of his/her rights upon upload of his/her own data. Don't third parties always have Terms of Agreement that users never read?

 

Yes, that's unlikely to happen for an average user but definitely possible and that's another reason why someone should avoid Ledger Recover service.
By the way, ToS is a joke. If you read ToS of companies you frequently use or if you read the list of side effects of every meds, you are not going to use them ever in your life but the problem is that you need to use that particular service or product and because of that 99% of people just agree and move on.

There was a discussion about Ledger Recover and subpoena in podcast with the CEO of Ledger.
Have a look at these moments:
https://youtu.be/M3VjQUcyZSY?t=929
https://youtu.be/M3VjQUcyZSY?t=2610

The actual point isn't if it's possible or not. It's if your Bitcoins are still your Bitcoins while you're storing it in a Ledger. To which, if a government entity could coerce a third party to give up "your" keys/seed phrase, then it's most definitely NOT your Bitcoins.

[o_e_l_e_o]

With the discussion of 2 out of 3 custodians being compromised, don't forget that this set up has a single point of a failure, and the breach of this single point of failure is enough to steal your coins.

Just like every other Shamir's Secret Sharing set up, there is a single point of failure in the device which is used to create and communicate the secret shares. For Ledger Recover, even if we assume that the Nano S/X hardware device itself is secure, the only way for those shares and the associated decryption key to leave the Nano device and reach the third party custodians is via your computer. Therefore, your computer must receive, store, process, and transmit all the information necessary to empty your wallets. If your computer is compromised while you do this, or if the data is stored in memory and recoverable, then your coins can be stolen by compromise of your computer alone. This is the exact same situation as any hot wallet.

Just as a cold wallet which has connected to the internet once or twice is no longer a cold wallet, a hardware wallet which has exposed your seed phase to the internet once or twice is no longer a hardware wallet.

[satscraper]

                           ^
                           II
Fully agree with this  as no one  can envisage when  backdoor  will worm oneself into   his/her machine(it it is not  already there).

Just fresh  (as of May 31, 2023)  case:  millions of motherboard sold by well known maker such as  Gigabyte have  backdoor in firmware . It is not hard to  imagine  what would happen if those who wanna opt that Ledger Recover connect their  devices to   compromised motherboards like those from Gigabyte.

[tenant48]

Theoretically, hackers can make a patch for Ledger Live to intercept the encrypted Seed, which is divided into 3 parts. Of course, without the decryption key stored on the Ledger, they can't do anything.

How can the encryption key be stored on your Ledger device, if you can recover your crypto on any other Ledger HW of your choosing? The other devices can't hold your encryption key. The original hardware device maybe, but it looks like Ledger gets a copy of it. How else do you explain recovering crypto on Ledger #2 if Ledger #1 that encrypted the shards is no longer working/in your possession? Either Ledger has the keys or the encryption key is also somehow shared among all custodians.

Each Ledger has a security chip that can have a unique private and public key. All Ledger needs is to get your seed from two sources, decrypt it at home, then read the unique public key from your new Ledger and re-encrypt the seed individually for your instance. I don't see any difficulties here.

[dkbit98]

The question is now which government will get to your coins first But that's not even my biggest concern: what are the odds 2 out of 3 "seed storage facilities" will get hacked, leak data, or have an inside job rob users? If this takes off, there are billions of dollars worth of crypto to steal.

If you are like DeKwon than you can try his tactics of swallowing hardware wallet (or seed phrase) when police comes for you... than you can play the bail game with government 

The one good thing in all this is that Ledger has proven that secure elements are not to be trusted and aren't safe. Not in a Ledger or any other hardware wallet.

That was my point all along since I am following that subject for a while.
Secure element is almost worthless if it is closed source, since they have signed NDA with manufacturer they can do whatever they want and they must cooperate with government parasites.

With the discussion of 2 out of 3 custodians being compromised, don't forget that this set up has a single point of a failure, and the breach of this single point of failure is enough to steal your coins.

I think this is also a flaw of Shamir Secret Sharing scheme (that ledger is planning to use), that is trying to mimic multisig setup as a poor man choice.
If they used proper Multisig setup maybe single point of failure could be avoided, even with this stupid Recover feature.

[FatFork]

Theoretically, hackers can make a patch for Ledger Live to intercept the encrypted Seed, which is divided into 3 parts. Of course, without the decryption key stored on the Ledger, they can't do anything.

How can the encryption key be stored on your Ledger device, if you can recover your crypto on any other Ledger HW of your choosing? The other devices can't hold your encryption key. The original hardware device maybe, but it looks like Ledger gets a copy of it. How else do you explain recovering crypto on Ledger #2 if Ledger #1 that encrypted the shards is no longer working/in your possession? Either Ledger has the keys or the encryption key is also somehow shared among all custodians.

Each Ledger has a security chip that can have a unique private and public key. All Ledger needs is to get your seed from two sources, decrypt it at home, then read the unique public key from your new Ledger and re-encrypt the seed individually for your instance. I don't see any difficulties here.

But that's not how it's supposed to work, according to Ledger. They state that the seed phrase undergoes encryption and is divided into three shreds. These shreds are then directly sent to the three custodians from the Ledger device itself. When a recovery is requested, these encrypted parts are sent back to the new or old hardware device and decrypted back in the recovery seed. Nowhere does it mention that the shreds must pass through any Ledger server for encryption or decryption during recovery. Additionally, the process you described would imply that Ledger stores all private encryption keys from every device they have ever produced on their servers, which would create a single point of failure. It wouldn't make sense to keep such a system in place, and the entire process of splitting the recovery seed into shreds and distributing them to three different custodians wouldn't make sense in that case.

[Pmalek]

For Ledger Recover, even if we assume that the Nano S/X hardware device itself is secure, the only way for those shares and the associated decryption key to leave the Nano device and reach the third party custodians is via your computer. Therefore, your computer must receive, store, process, and transmit all the information necessary to empty your wallets. If your computer is compromised while you do this, or if the data is stored in memory and recoverable, then your coins can be stolen by compromise of your computer alone. This is the exact same situation as any hot wallet.

I have no reason to doubt your words, but maybe we should wait for Ledger to release how exactly they envision this system of theirs is supposed to work. More importantly, how and when the encryption will take place. Does the Secure Element have the capacity to encrypt everything on the chip before taking any further actions? Or does the encryption take place in Ledger Live where it could become vulnerable to various attack models?

[LoyceV]

They state that the seed phrase undergoes encryption and is divided into three shreds. These shreds are then directly sent to the three custodians from the Ledger device itself. When a recovery is requested, these encrypted parts are sent back to the new or old hardware device and decrypted back in the recovery seed. Nowhere does it mention that the shreds must pass through any Ledger server for encryption or decryption during recovery.

This means all shreds pass through your computer, and through Ledger Live. If Ledger Live gets compromised, your seed can get compromised. The whole point of a hardware wallet used to be that your security doesn't depend on the security of the computer you're using.

[FatFork]

They state that the seed phrase undergoes encryption and is divided into three shreds. These shreds are then directly sent to the three custodians from the Ledger device itself. When a recovery is requested, these encrypted parts are sent back to the new or old hardware device and decrypted back in the recovery seed. Nowhere does it mention that the shreds must pass through any Ledger server for encryption or decryption during recovery.

This means all shreds pass through your computer, and through Ledger Live. If Ledger Live gets compromised, your seed can get compromised.

I agree. I was trying to explain to tenant48 that his idea about each Ledger device having a unique key pair doesn't hold up because it would render the decryption of shreds on a new device impossible. It just doesn't make logical sense in that context.

The whole point of a hardware wallet used to be that your security doesn't depend on the security of the computer you're using.

Absolutely! The whole idea behind a hardware wallet is to eliminate as many potential attack points as you can, not to introduce new ones, no matter how insignificant they might seem. Safety first, no compromises!

[tenant48]

But that's not how it's supposed to work, according to Ledger. They state that the seed phrase undergoes encryption and is divided into three shreds. These shreds are then directly sent to the three custodians from the Ledger device itself. When a recovery is requested, these encrypted parts are sent back to the new or old hardware device and decrypted back in the recovery seed. Nowhere does it mention that the shreds must pass through any Ledger server for encryption or decryption during recovery. Additionally, the process you described would imply that Ledger stores all private encryption keys from every device they have ever produced on their servers, which would create a single point of failure. It wouldn't make sense to keep such a system in place, and the entire process of splitting the recovery seed into shreds and distributing them to three different custodians wouldn't make sense in that case.

I just described an example of how this can be implemented. All Ledger nano X wallets have unique bluetooth identifiers, so what's stopping them from adding something like that to security chips? It would also be a great stupidity on their part to transfer the seeds in an unprotected form. When they launch this service will be more clear, now one can only guess.

[o_e_l_e_o]

I have no reason to doubt your words, but maybe we should wait for Ledger to release how exactly they envision this system of theirs is supposed to work. More importantly, how and when the encryption will take place. Does the Secure Element have the capacity to encrypt everything on the chip before taking any further actions? Or does the encryption take place in Ledger Live where it could become vulnerable to various attack models?

My point is we do not need to wait on any further information from Ledger.

We already know the following pieces of information:

Once approved, your Ledger Nano X will duplicate, encrypt and fragment your private key into three parts within the Secure Element chip.

These encrypted fragments are securely sent to three independent providers – Ledger, Coincover, and EscrowTech that will store them in Hardware Security Modules (HSMs).

What if I lose my Ledger device that is associated with my Ledger Recover subscription?

Simply get another Ledger device and follow the process to recover access to your wallet.

So in summary:
1 - Your Ledger Nano device creates three encrypted shards
2 - These shards are transmitted to three third parties for storage
3 - The decryption key must also be stored by at least one of these third parties, since you can recover everything using a brand new device.*

Therefore, we can deduce that at some point, all the information necessary to recover your seed phrase (shards + decryption key) must be transmitted from your Ledger Nano device to these third parties. The only way for this to happen is via your internet connected computer. It does not matter if the encryption takes place solely within the Nano device, nor does it matter what decryption algorithm is used. All the information must pass through your computer. Therefore, if your computer is compromised, your funds can be stolen.


*The only alternative to this is that the decryption key is identical for every Ledger Nano device and so is simply stored on the device itself and not transmitted at all, but in this case any attacker can just buy a Ledger Nano and have access to the decryption key, so it makes no difference to the final conclusion that if your computer is compromised your funds can be stolen.

[RickDeckard]

Surely some users are aware that the SEC has pressed charges against Binance[1] this week. I have taken a look at the document[2] and had a laugh when I saw this particular entry on it:

REPATRIATION
IT IS HEREBY ORDERED, ADJUDGED, AND DECREED that on or before 10 days from the date the Court issues this Restraining Order, each Defendant shall repatriate to the United States all fiat currency and crypto assets that are deposited, held, traded, and/or accrued by investors (referred to herein as “customers”) on the Binance.US Platform, including for BAM’s staking-as-a-service program, or otherwise held for the benefit of BAM and Binance.US Platform customers, including, but not limited to, any hardware crypto asset wallets, all private keys in any form (or portions thereof), and any device, hardware, or software holding such private key or portion thereof (hereinafter referred to as “Customer Fiat Assets” or “Customer Crypto Assets” and, collectively, “Customer Assets”)

Granted we already know the dangers of using the wallets provided by CEX's , but I do wonder what would happen if a similar process happens within any company holding the shards? Why can't people realize how enormous is the risk associated with having their funds in someone else's hands? It is even worse when they are paying $9.99 for it...
[1]https://www.sec.gov/news/press-release/2023-101
[2]https://storage.courtlistener.com/recap/gov.uscourts.dcd.256060/gov.uscourts.dcd.256060.4.1.pdf

[tenant48]

Wrote the following questions to Ledger support:
How will the seed recovery process take place on a new wallet?
Where will the decryption keys be stored and how will they be transferred to the new Ledger?
My request is accepted, it has been assigned id 1138638
If they send an answer, I undertake to publish it here without any changes.

[The Sceptical Chymist]

       
Just fresh [/url]  (as of May 31, 2023)  example:  millions of motherboard sold by well known maker such as  Gigabyte have  backdoor in firmware . It is not hard to  imagine  what would happen if those who wanna opt that Ledger Recover connect their  devices to   compromised motherboards like those from Gigabyte.

Jesus Christ, with all of this scammy shit going on I'm now really regretting that I didn't major in computer science.  Not that it would have helped me discover that Gigabyte mobo backdoor or anything of the sort, but I think I'd feel more secure with just a bit more knowledge about how tech works.  Ah well, it's too late now.

I'm still following the Ledger subreddit and it's amazing that they still have so many supporters, presumably people who ought to know better than to keep trusting them.  As I said previously, many of them just don't get the points being made in this thread, i.e., that as long as that backdoor exists it doesn't matter if you subscribe to their recovery service or not; Ledger can access your keys whenever they want.

[Pmalek]

*The only alternative to this is that the decryption key is identical for every Ledger Nano device and so is simply stored on the device itself and not transmitted at all, but in this case any attacker can just buy a Ledger Nano and have access to the decryption key, so it makes no difference to the final conclusion that if your computer is compromised your funds can be stolen.

If it's a universal decryption key, don't forget about the requirement of undergoing KYC. Sure, that data could also be stolen from a compromised computer. We can only hope that those who opt-in for Ledger Recover will be asked for an extensive KYC verification during seed recovery. I am talking about live video verification, and not simple selfies. Another worrisome piece of the puzzle is that AI software progresses at a rapid pace and it's scary what it can do.

Wrote the following questions to Ledger support:
How will the seed recovery process take place on a new wallet?
Where will the decryption keys be stored and how will they be transferred to the new Ledger?
My request is accepted, it has been assigned id 1138638
If they send an answer, I undertake to publish it here without any changes.

I doubt those poor bastards can be of much help. All they can do is tell you what they have been told from up above or copy/paste some nonsense making them look unknowledgeable.

[RickDeckard]

I'm still following the Ledger subreddit and it's amazing that they still have so many supporters, presumably people who ought to know better than to keep trusting them.  As I said previously, many of them just don't get the points being made in this thread, i.e., that as long as that backdoor exists it doesn't matter if you subscribe to their recovery service or not; Ledger can access your keys whenever they want.

"Fool Me Once, Shame on You; Fool Me Twice, Shame on Me"[1]. I am always available to help people to reach their own Sovereignty, either in the forum or other similar setting, publicly or privately. What I can't have pity on is people that, despise all the red flags and warnings regarding the services or the wallets that they use, still decide to keep their funds / trust on those same services (or, even worse, transferring their funds to a similar service).

It's a shame that Ledger brainwashed some of their userbase in thinking that this service actually is more of a help to them than a risk (and how it goes against with everything they stand for). I can't wait to see the release of the Whitepaper of the process so that we can finally have even more arguments to spread awareness about the service.
[1]https://knowyourphrase.com/fool-me-once

[o_e_l_e_o]

-snip-

Lol. Good find. SEC literally ordering Binance to hand over all customer funds and private keys.

Ledger: "We would only hand over your seed to the government in the case of a subpoena for terrorism or similar, which is never going to happen, so there is nothing to worry about."
US Government: "Hold my beer."

I doubt those poor bastards can be of much help. All they can do is tell you what they have been told from up above or copy/paste some nonsense making them look unknowledgeable.

Their support team are limited to guesswork and regurgitating information from elsewhere. They apparently have been told absolutely nothing about Ledger Recover, and all they know is what the rest of us know from reading the Ledger website and Twitter:

I will do my best to answer with a combination of intuition and what I picked up from our AMA

[Lucius]

~snip~
It's a shame that Ledger brainwashed some of their userbase in thinking that this service actually is more of a help to them than a risk (and how it goes against with everything they stand for).

I think that this process (brainwashing) would not be suitable for the user base you mention, because you cannot brainwash someone who does not understand the basics, and I will dare to say that at least 80% of all those who own Bitcoin or some altcoins are not even aware of what Bitcoin is (in a slightly more detailed sense), let alone what it means to be your own bank.

Consequently, if someone offers a service that is diametrically opposed to what they primarily offered, only a person without a bit of common sense will accept it.