Ledger Recovery - Send your (encrypted) recovery phrase to 3rd parties entities

[o_e_l_e_o]

I am saying Ledger tries to make passphrases less secure and more user-friendly

I also disliked the "Attach to PIN" feature, and I've spoken before about why I don't think people should use it. As you say it reduces the security of your passphrase to a simple PIN, and it also means that your passphrase is stored on the device rather than wiped after use when using a temporary passphrase. However, it does serve one useful purpose in specific niche cases and that's plausible deniability. You can have your main wallet with no passphrase holding a small amount of coins, and then you can also have a wallet with a passphrase attached to a secondary PIN holding a little more funds, which you can also hand over to an attacker. Meanwhile, you can have the bulk of your funds stored behind one or more other passphrases which you don't reveal.

It's up to the user to consider whether such a feature would actually deter an attacker, though. And since I keep my funds spread out across multiple wallets on multiple different mediums, then I never used this feature even when I did use Ledger devices.

I'd say it's worse than a hot wallet: I use several different hot wallets (for small amounts), and I'd never use Ledger's "pay us to give us your seed phrase" scheme.

Agreed. Hot wallets are only as secure as the device you keep them on. Ledger Recover is only as secure as a bunch of devices that you are trusting complete strangers to keep secure. Does anyone want to sit and add up all the times that centralized exchanges or other centralized crypto services have been hacked or sold/shared/leaked data?

[1714207529]

1714207529

[1714207529]

1714207529

[1714207529]

1714207529

[tenant48]

Wrote the following questions to Ledger support:
How will the seed recovery process take place on a new wallet?
Where will the decryption keys be stored and how will they be transferred to the new Ledger?
My request is accepted, it has been assigned id 1138638
If they send an answer, I undertake to publish it here without any changes.

Got this response from Ledger:

I’m not an expert, we have tons of educational materials in the pipeline including a white-paper detailing the multiple layers of encryption employed. Ultimately I don’t want to give you incorrect information, so I encourage you to keep an eye on Ledger academy for more information.

Our CTO also outlines some technical details here.

But personally I'd recommend waiting for the whitepaper, as it will break all of this down clearly, and should be able to answer any questions regarding the encryption, and the nuances of how it operates!

Here is everything related to Ledger Recover from the sent link:

This number can be put into human readable form (24 words) using BIP-39 standard.
That is your Secret Recovery Phrase.
This is what you write down and should NEVER share with ANYONE, including Ledger.
Ledger does not have access to it, including if you use Ledger Recover.


- If you want to use Ledger Recover, you’ll have to consent on your device for the backup or the recovery process
- It’s the same for staking, interacting with smart contracts, and encrypting data with the OpenPGP app…


You want to use Ledger Recover, your seed will be splitted into 3 shards and encrypted before being stored in shards backup providers.

Of course this doesn't explain much, we'll have to wait for them to prepare more detailed explanations.

[RickDeckard]

Of course this doesn't explain much, we'll have to wait for them to prepare more detailed explanations.

So they are employing the well know tactic of "It will be released when it's ready". I fully expected that behaviour from them, considering the kind of company that they are. No surprises here.
BTW @o_e_l_e_o you'll find this amusing - I've just found this[1] video circulating on Twitter and Reddit where Pascal Gauthier, Ledger CEO's, talks about privacy in their products:

If, for you, your privacy is of the utmost importance, please do not use our product, for sure.
At least they are being honest. What is shocking is that, despite these declarations, they keep attracting clients to their platform and still have other users defending them to the bone...
[1]https://www.youtube.com/watch?v=M3VjQUcyZSY&t

[LoyceV]

Got this response from Ledger:

I’m not an expert, we have tons of educational materials in the pipeline including a white-paper detailing the multiple layers of encryption employed. Ultimately I don’t want to give you incorrect information, so I encourage you to keep an eye on Ledger academy for more information.

Our CTO also outlines some technical details here.

This is pathetic! So the "Support" guy says he's not an expert and doesn't bother to ask someone else, then tells you to wait, and forwards you to a collection of 30 posts that are each shorter than a SMS instead of a clear article on their own website? They can't seriously expect people to read Twitter for technical information on their product, right?

This also means they released their new "product" before they had the details sorted out. Does that mean they were hoping to hype it, and truely didn't expect the massive backlash they got instead? Lol.

[joker_josue]

BTW @o_e_l_e_o you'll find this amusing - I've just found this[1] video circulating on Twitter and Reddit where Pascal Gauthier, Ledger CEO's, talks about privacy in their products:

If, for you, your privacy is of the utmost importance, please do not use our product, for sure.
At least they are being honest. What is shocking is that, despite these declarations, they keep attracting clients to their platform and still have other users defending them to the bone...
[1]https://www.youtube.com/watch?v=M3VjQUcyZSY&t

I am always suspicious of these alleged videos that appear.

And that normally in this moment of alert, it is. That these videos appear, but the fundamental thing is always missing: When was it made? Is the context complete or am I taken out of context? If he said that, before this mess, why is it only now being revealed/talked about? It was said and no one believed it, why?

Either way, it's often said that where there's smoke, there's fire. So we have to remain very attentive to all the information that comes out, and evaluate in detail.

[tenant48]

Here's what else I found at Ledger Academy.

Encryption
When you subscribe to Ledger Recover, the secure element encrypts and splits the Secret Recovery Phrase into three fragments. These encrypted fragments will be sent through 3 independent secure channels to these fragments backup provider. The secure channel allows mutual authentication and avoids man in the middle attack. During the process, the secure channel uses an ephemeral symmetric key to securely transport the fragments. Each fragment is then secured by a separate and independent company in different countries: Coincover, Ledger and Escrowtech.

No single company has access to the entire backup, and each single fragment is completely useless by itself. This ensures the highest level of security and removes a single point of failure. Additionally, each fragment backup provider uses a hardened, tamper-resistant server called a Hardware Security Module (HSM) to securely store these encrypted fragments.



The decryption process is also described there, but exactly how the keys for decrypting the seed will be transferred to the new wallet is not described there.

[o_e_l_e_o]

I've just found this[1] video

Some interesting snippets:

https://youtu.be/M3VjQUcyZSY?t=1285 - Apparently the shards aren't encrypted at all, despite Ledger previously stating this. It's literally just Shamir's. So there is no decryption key to be stored on the device or by Ledger themselves, making it even easier than thought to compromise the set up.

https://youtu.be/M3VjQUcyZSY?t=2342 - The quote you shared regarding privacy.

https://youtu.be/M3VjQUcyZSY?t=2700 - "So basically we're off-boarding loss of key risk, and on-boarding state actor risk." "Correct."

[LoyceV]

These encrypted fragments will be sent through 3 independent secure channels

I find it hard to believe 3 channels that start from the same USB cable on the same computer and go through the same Ledger Live software can truely be independent.

The secure channel allows mutual authentication and avoids man in the middle attack.

What if the man in the middle attack starts at your own laptop? What if Ledger Live gets compromised?

Each fragment is then secured by a separate and independent company in different countries

Wait, they previously announced a government could subpoeana them. I'm guessing all of them will cooperate when the government of one country subphoeanas them, so the different countries don't matter.

No single company has access to the entire backup, and each single fragment is completely useless by itself.

Great! We knew that already of course.
But here's the kicker:

This ensures the highest level of security

(source)

So they're literally saying you can't have better security than sharing your encrypted seed phrase online. How about not sharing it? That is by definition more secure, so they're obviously lying.

and removes a single point of failure.

Great. Now there are multiple points of failure. How about A+B? Or B+C? Or A+C? Or one of them gets completely compromised, and some employees at the other storage locations start cherry picking lambos?

Additionally, each fragment backup provider uses a hardened, tamper-resistant server called a Hardware Security Module (HSM) to securely store these encrypted fragments.

I remember the days the secure element inside the hardware wallet was supposed to be the tamper-resistant part.

[o_e_l_e_o]

Wait, they previously announced a government could subpoeana them. I'm guessing all of them will cooperate when the government of one country subphoeanas them, so the different countries don't matter.

In the video above, Harry Sudock makes the point that if Ledger are subpoenaed for a particular user's seed phrase/private keys, there is nothing stopping Ledger turning to these two partners and asking them to hand over their shards as well. They may in fact be legally forced to do exactly this. Gauthier replies that the other companies wouldn't have to comply, and that Ledger would be happy to open source their legal contracts with these companies to prove as such.

I won't hold my breath for that actually happening though.

Link with timestamp: https://youtu.be/M3VjQUcyZSY?t=2360

[LoyceV]

there is nothing stopping Ledger turning to these two partners and asking them to hand over their shards as well.

That sounds a lot like a single point of failure. And it makes me wonder: how would a real seed phrase recovery work? Would your private data be sent to the seed storage partners who all have to make their own judgement, or would Ledger just say: "this guy needs to recover his Ledger, send the seed"?

Gauthier replies that the other companies wouldn't have to comply, and that Ledger would be happy to open source their legal contracts with these companies to prove as such.

Let me guess: they haven't shared the contracts yet?

[o_e_l_e_o]

Would your private data be sent to the seed storage partners who all have to make their own judgement, or would Ledger just say: "this guy needs to recover his Ledger, send the seed"?

The former, it seems:

When you want to restore your wallet, you initiate the Recovery from Ledger Live. You’ll have to login to your account and then go through 2 independent Identity verification processes.

Let me guess: they haven't shared the contracts yet?

Not that I can find. Although in my digging I did find Ledger's privacy policy states they will store your seed phrase shard for a full year and your other personal data for 7 years after you terminate your Ledger Recover subscription. Although Coincover and Escrowtech both have privacy policies you can find and read, neither make any mention of Ledger Recover or seed shards, so who knows what they are doing with your data.

[Lucius]

@RickDeckard, regarding the video that caught your attention, I posted it on page 9 and had a little discussion with @Synchronice about it. I don't want to repeat myself, but I'll just say that Pascal's performance in that video reflects quite well the way Ledger as a company treats its users.

[A S M]

https://youtu.be/M3VjQUcyZSY?t=1285 - Apparently the shards aren't encrypted at all, despite Ledger previously stating this. It's literally just Shamir's. So there is no decryption key to be stored on the device or by Ledger themselves, making it even easier than thought to compromise the set up.

I want to clarify a little.
Shards aren't encrypted, but as tenant48 pointed out in the post above are transmitted over an encrypted channel using ephimeral symmetric key.

During the process, the secure channel uses an ephemeral symmetric key to securely transport the fragments.

Ephemeral keys are negotiated by both parties using asymmetric cryptography:

Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic algorithms based on mathematical problems termed one-way functions. Security of public-key cryptography depends on keeping the private key secret; the public key can be openly distributed without compromising security.

In a public-key encryption system, anyone with a public key can encrypt a message, yielding a ciphertext, but only those who know the corresponding private key can decrypt the ciphertext to obtain the original message.

For asymmetric crypto to work, each Ledger wallet must have a unique private/public key pair, which was also mentioned earlier in this thread. Ledger does not need to store databases with these keys or do intermediate re-encryptions.
Thus, it is absolutely safe to transfer the seed to a completely new wallet.

[dkbit98]

Or did they just a slap some random bullshit timeline together with no intention of sticking even to the bare minimum?

They probably did just that, and they are hoping that everything will calm down and people will gradually forget about this issue.
It could be possible they are working on open sourcing partially, but I think now it's to late for that and it wont be genuine.
I don't trust ledger and their ''car'' is going down the hill.

I also disliked the "Attach to PIN" feature, and I've spoken before about why I don't think people should use it. As you say it reduces the security of your passphrase to a simple PIN, and it also means that your passphrase is stored on the device rather than wiped after use when using a temporary passphrase.

I was thinking the same thing like you when I was considering of using ledger few years ago.
Attaching PIN also adds extra complexity since it is totally different from all other solutions used in different manufacturers of hardware wallets.

Apparently the shards aren't encrypted at all, despite Ledger previously stating this. It's literally just Shamir's. So there is no decryption key to be stored on the device or by Ledger themselves

This guy is totally lost in space... only ledger character that is worse than him, is probably ledger co-founder aka reddit moderator clown called btchip.
It's very important thing that he put a bunch of flashy rings on his fingers... 

During the process, the secure channel uses an ephemeral symmetric key to securely transport the fragments.

Sounds like a bunch of BS that can't be verified at all by regular users.

[m2017]

Or did they just a slap some random bullshit timeline together with no intention of sticking even to the bare minimum?

They probably did just that, and they are hoping that everything will calm down and people will gradually forget about this issue.
It could be possible they are working on open sourcing partially, but I think now it's to late for that and it wont be genuine.
I don't trust ledger and their ''car'' is going down the hill.

~snip

For me, including this story, it looks like an attempt to prolong the time so that the entire shitstorm of discontent subsides and doesn't spur the public to a new wave of discontent by repeated random and unnecessary actions.

If all the Ledger talk about the open source and the rest began before the incident with the ledger recovery, I could believe (I guess many others too). But now all their actions look fake and insincere. Whatever they do now, I will only have additional questions and doubts about them.

Confidence in this "car" is undermined not only with you.

[NotATether]

Apparently, Ledger has not finished trolling us  

It has been revealed that the new ledger firmware has a method to extract the seed (old news) named gimme_da_seed (!!)

Just the opposite.  In order to enable the "Ledger Recover" feature, Ledger, did, indeed, write a gimme_da_seed function directly into firmware.  It is clear because you can see Ledger Live, which is open sources, using the seed and sending off to the Ledger Recover servers.

Both Ledger Live and Ledger Firmware handle your complete seed, and prepare it for transport off of the device.  The seed is encrypted, and Ledger has promised that the number of people who can decrypt the seed are small.

What's more, I don't think Ledger supports downgrades.  You MUST upgrade to the gimme_da_seed firmware, and once upgraded, I don't think you can downgrade.  But like I said, they promise it is encrypted.

Trezor prone to physical hack since we basically cannot verify of the Trezor we receive is genuine

EVERYTHING shipped by a third party is prone to physical attacks.  Ledger wrote the book on supply chain attacks.  There was a huge rash of compromised Ledgers sold on Amazon about 4 years ago.  Made a huge stink.  Lots of users were duped.

Ledger and Trezor are equally hardened and equally vulnerable via supply chain.  I'd put more trust in Trezor since you can upgrade, downgrade and independently flash the firmware and bootloader.  Very hard to sustain a "fake" firmware if you have to emulate all those actions without detection.

(Source)

I'm going to make the educated guess that Ledgers developers are a bunch of juveniles because there's no way you're a senior engineer and you get away with this stunt especially after a PR storm.

*Note: it is hard to verify exactly whether it is true that they really named the method as such, because Ledger firmware is closed source and it's possible that obfuscation of exported function names is being used by the <closed-source, Ledger-internal> libraries.

[LoyceV]

Both Ledger Live and Ledger Firmware handle your complete seed, and prepare it for transport off of the device.  The seed is encrypted, and Ledger has promised that the number of people who can decrypt the seed are small.

(Source)

If this is true, Ledger's "hardware" wallet is now - once attached to a computer - literally less secure than a hot Electrum wallet on the same computer.

[RickDeckard]

I'm going to make the educated guess that Ledgers developers are a bunch of juveniles because there's no way you're a senior engineer and you get away with this stunt especially after a PR storm.

*Note: it is hard to verify exactly whether it is true that they really named the method as such, because Ledger firmware is closed source and it's possible that obfuscation of exported function names is being used by the <closed-source, Ledger-internal> libraries.

I'll take this update with a bit of caution. Ledger blantly lies to their customers, but I don't think they would enable the permission to push this kind naming in their software update, especially considering the backlash that they got. If there's one thing that they repeatedly told us is that they have a chain of command and deciders that have all to agree to the code before being released, meaning that it is hard for me to believe that this would pass those "quality" checks.

I've seen a user on Reddit[1] that is also looking into the code of the program but so far it hasn't found anything related to such naming. I could be wrong, but I'll wait for more updates on this one.
On other news regarding Ledger Recover, their CEO continues to spread the basis that this is a great innovation in the crypto field. In a recent conversation[2] (just yesterday!!) he makes another set of bold claims:

(...)When you think about it (Ledger Recover) there's nothing wrong with it. It doesn't change the security.

(...)It's our rule to have convictions and to push the industry forward.

If this is pushing the industry forward, then I'm looking forward for the next batch of features from Ledger side that will keep bringing down fire at their products. I'll just leave this here from Ledger Live Terms of Use[3] for reference:

4.6 No retrieval of Private Keys. The only existing backup is with you. Ledger operates non-custodial services, which means that we do not store, nor do we have access to your Crypto Assets nor your Private Keys. Ledger does not have access to or store passwords, 24-word Recovery Phrase, Private Keys, passphrases, transaction history, PIN, or other credentials associated with your use of the Services. We are not in a position to help you retrieve your credentials. You are solely responsible for remembering, storing, and keeping your credentials in a secure location, away from prying eyes. Any third party with knowledge of one or more of your 24-word Recovery Phrase or PIN can gain control of the Private Keys associated with your Ledger Device or of the 24-word Recovery Phrase, and therefore steal your Crypto Assets, without any possibility for you or Ledger to retrieve them.

[1]https://safereddit.com/r/CryptoCurrency/comments/14bdcw2/ledger_live_has_a_method_called_gimme_da_seed/jofevpq/
[2]https://nitter.it/TheBigWhale_/status/1669651433136832513
[3]https://shop.ledger.com/pages/ledger-live-terms-of-use

[Lucius]

If this is true, Ledger's "hardware" wallet is now - once attached to a computer - literally less secure than a hot Electrum wallet on the same computer.

I would agree that your statement is correct, because I think that Ledger as a company has long lost credibility, and after this latest "achievement" anyone who still uses any of their models should ask themselves how much risk they are actually exposed to. On the other hand, Electrum is open source, and if it is properly verified and installed, and if we have a computer that is not exposed to the risks of malicious downloads, then there is no doubt that Electrum is a better option.

[o_e_l_e_o]

*Note: it is hard to verify exactly whether it is true that they really named the method as such, because Ledger firmware is closed source and it's possible that obfuscation of exported function names is being used by the <closed-source, Ledger-internal> libraries.

But the post says you can see it being used in Ledger Live, which is open source. A search of Ledger's GitHub provides zero matches for "gimme_da_seed".