Bitcoin Forum
Author Topic: Ledger Recovery - Send your (encrypted) recovery phrase to 3rd parties entities  (Read 4613 times)
RickDeckard (OP)
Legendary
Activity: 1008
Merit: 3005
June 17, 2023, 01:24:21 PM
 #301

*Note: it is hard to verify exactly whether it is true that they really named the method as such, because Ledger firmware is closed source and it's possible that obfuscation of exported function names is being used by the <closed-source, Ledger-internal> libraries.
But the post says you can see it being used in Ledger Live, which is open source. A search of Ledger's GitHub provides zero matches for "gimme_da_seed".
I also came here to post this, thank you @o_e_l_e_o. The original user who reported this update still confirms that this function exists in a recent post (16 hours ago)[1]:
Quote
Yeah, Ledger put a method in their firmware like gimme_da_keys then allowed software (ledger live) to call gimme_da_keys. I can confirm that current Trezor firmware has no gimme_da_keys methods, or anything like that. So even if some software were to try to ask firmware for the keys, firmware isn't listening for any key requests, so won't respond.
I've taken a look at his profile and he doesn't seem to be a user that promotes other wallets or has any shady behaviour, so these claims are somewhat interesting to see. I'm sure we'll have more updates regarding this in the next hours.

[1]https://safereddit.com/r/TREZOR/comments/14b6cfx/about_trezor_updates/joef8tz/

RickDeckard (OP)
Legendary
Activity: 1008
Merit: 3005
June 21, 2023, 04:15:36 PM
Merited by vapourminer (1), HeRetiK (1), hugeblack (1), dkbit98 (1)
 #302

It seems that Christ is about to land on Earth. Ledger has just released the whitepaper for their Ledger Recovery procedure. You can find it on their GitHub page[1][2]. I didn't have the time to read it (probably will do it later) but just letting this out for users to be aware. Looking forward to more discussion within the community regarding it.

[1]https://github.com/LedgerHQ/recover-whitepaper/blob/main/Ledger%20Recover%20Technical%20White%20Paper.pdf
[2]https://github.com/LedgerHQ/recover-whitepaper

rohanagarwal7
Jr. Member
Activity: 52
Merit: 28
June 21, 2023, 07:41:49 PM
 #303

I think the main issue, the fact that this API exists now, is what concerns most people.
Cricktor
Hero Member
Activity: 742
Merit: 1072
Crypto Swap Exchange
June 21, 2023, 07:47:59 PM
Merited by LoyceV (12), NotATether (8), vapourminer (5), EFS (4), o_e_l_e_o (4), FatFork (2)
 #304

A quick read over the whitepaper, by no means a detailed inspection:
  • initial entropy is what's backed up (not sure if other possibly vital details are included, from first look I'd say no)
  • entropy is encrypted before it is split and encoded in shards (encryption key is common to Ledger hardware devices; let's see how long it takes that this key gets disclosed or peeled out of firmware)
  • sharding with something called Pedersen Verifiable Secret Sharing (sounds and looks better than simple Shamir Secret Sharing; I'm not yet familiar with this "new" scheme)
  • KYC with full name, date of birth, location of birth both as in id document (Ledger has some experience with leaks, this is going to be some fun as such identity data needs to be kept safe by three companies involved, good luck with that)
  • you have to identify yourself to every backup provider (not bad in terms of security as an attacker might not be able to fool every provider, but still leaves room for verification issues)

My immediate main concerns are:
  • if you have used a mnemonic passphrase for your wallet (multiple for multiple resulting wallets) this seems not to get backed up as a mnemonic passphrase kicks in at a later derivation step; so if you don't want to rely on your own mnemonic words backup and be crazy enough to go for Ledger Recovery, you're still supposed to safely and reliably back up your mnemonic passphrase (the 25th thing), otherwise you're clearly screwed
  • what if the owner of a Ledger hardware device dies and didn't leave enough details for the entitled heirs who at most know there's a Ledger Recover backup: I guess they will have a very hard time to prove they are the entitled heirs, and this has to be done with every backup provider (at least two of them of course are required)
  • three Ledger employees with Ledger hardware hold vital keys to approve something: I smell a recipe for potential disaster knowing the "reliability" of Ledger hardware

LoyceV
Legendary
Activity: 3290
Merit: 16557
Thick-Skinned Gang Leader and Golden Feather 2021
June 23, 2023, 05:25:40 PM
 #305

  • KYC with full name, date of birth, location of birth both as in id document (Ledger has some experience with leaks, this is going to be some fun as such identity data needs to be kept safe by three companies involved, good luck with that)
  • you have to identify yourself to every backup provider (not bad in terms of security as an attacker might not be able to fool every provider, but still leaves room for verification issues)
So identity theft is now enough to steal your Bitcoins? Even easier if the identity theft is an inside job at one of the three seed storage companies, they'll know exactly who to target and can request the other shards from the other two seed storage companies.

m2017
Legendary
Activity: 1792
Merit: 1299
keep walking, Johnnie
June 23, 2023, 05:57:53 PM
 #306

  • KYC with full name, date of birth, location of birth both as in id document (Ledger has some experience with leaks, this is going to be some fun as such identity data needs to be kept safe by three companies involved, good luck with that)
  • you have to identify yourself to every backup provider (not bad in terms of security as an attacker might not be able to fool every provider, but still leaves room for verification issues)
So identity theft is now enough to steal your Bitcoins? Even easier if the identity theft is an inside job at one of the three seed storage companies, they'll know exactly who to target and can request the other shards from the other two seed storage companies.
The more companies that store this data, the more likely it is that one of them will screw up on keeping that data safe.

Be it attackers from outside or inside the three companies. Problems with just one company will be enough.

Under what pretext can they request shards from two other companies? Will they have such functions by default (in order to restore access to users) or do you mean after gaining unauthorized access to the personal data of a conditional user and then requesting shards on his behalf?

Pmalek
Legendary
Activity: 2744
Merit: 7105
June 24, 2023, 07:02:43 AM
Merited by LoyceV (4)
 #307

“Backdoor would mean that we control all ledger devices and could run automated updates for example… That’s not the case. Will never be the case. Only you can use functions on your ledger. No one else can enter your pin code and press those buttons…”[1]
Well, there was no way of accessing sensitive data on the secure element chips either. They have been telling us for years that it's impossible. Turns out, it's quite possible if they integrate the right code. If one day they go real evil, that code would not need your physical button presses at all. No one can verify how the system works, and the trust is gone following their public suicide.

Given that the Recovery feature doesn't make sense in cases where a user has set up a passphrase since a seed phrase alone is insufficient to get access to coins, it would make sense for Ledger developers to include a passphrase into this encrypted transfer scheme, especially considering the fact that it is equally important for a successful recovery and already sitting in a device's memory.
Do you think the target audience who can't store their seed safely and need Ledger Recover to do it for them (or think it's a good idea) use passphrases? I don't.

LoyceV
Legendary
Activity: 3290
Merit: 16557
Thick-Skinned Gang Leader and Golden Feather 2021
June 24, 2023, 07:21:56 AM
 #308

Well, there was no way of accessing sensitive data on the secure element chips either. They have been telling us for years that it's impossible. Turns out, it's quite possible if they integrate the right code.
Hardware wallets, like mixers, are in what I like to call "the trust business". They should never lie, because if they lie once about something you can verify, you should assume they also lie about things you can't verify.
So basically, this should be the end of Ledger. If nobody buys anything from them ever again, that would be the best way to punish them and deter other hardware wallet manufacturers from doing the same.
But we don't live in a perfect world, so they'll probably just get away with it. Again.

Pmalek
Legendary
Activity: 2744
Merit: 7105
June 24, 2023, 07:31:57 AM
 #309

Hardware wallets, like mixers, are in what I like to call "the trust business". They should never lie, because if they lie once about something you can verify, you should assume they also lie about things you can't verify.
So basically, this should be the end of Ledger.
You are forgetting the bigger picture here. The secure elements in popular hardware wallets aren't 'secure'. This should be the end of all hardware wallets with such secure elements. But it's not going to be. I don't think it's going to be the end of Ledger either. Hardware wallets are not what they were marketed to us to be. That's the takeaway from the Ledger fiasco. Ledger were just the first to shoot themselves in the knee. The bigger problem is that hardware wallets with secure elements don't protect users against remote access as long as there is a possibility of sharing the data stored on them over the internet.   

o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18507
June 24, 2023, 08:01:50 AM
 #310

(encryption key is common to Ledger hardware devices; let's see how long it takes that this key gets disclosed or peeled out of firmware)
This is something I theorized earlier and have obviously now been proven right. Given that you can recover your seed phrase on a brand new device, the key either had to be common to all devices or backed up alongside the shares. Turns out it is common to all devices, meaning the encryption is utterly useless. Any attacker can trivially access your decryption key. Every Ledger owner in the world already knows your decryption key. The encryption adds nothing and the safety of your coins is completely dependent on trusting the third parties.

Even easier if the identity theft is an inside job at one of the three seed storage companies, they'll know exactly who to target and can request the other shards from the other two seed storage companies.
If it's an inside job at one of the three companies, they only need a shard from one other company. That's a very low bar to clear.
LoyceV
Legendary
Activity: 3290
Merit: 16557
Thick-Skinned Gang Leader and Golden Feather 2021
June 24, 2023, 08:35:01 AM
 #311

If it's an inside job at one of the three companies, they only need a shard from one other company. That's a very low bar to clear.
Potential scammers can apply at ledger.com/jobs :P

Pmalek
Legendary
Activity: 2744
Merit: 7105
June 24, 2023, 11:28:16 AM
 #312

Every Ledger owner in the world already knows your decryption key.
When you say they know the key, I assume you mean the same key is also used in their hardware device, and not that they actually know and can see the key. How could I (who own a Ledger Nano S) see that decryption key in my device?

joker_josue
Legendary
Activity: 1638
Merit: 4534
**In BTC since 2013**
June 24, 2023, 11:42:12 AM
 #313

If it's an inside job at one of the three companies, they only need a shard from one other company. That's a very low bar to clear.
Potential scammers can apply at ledger.com/jobs :P

There is no offer in my city. I don't want to change cities, I'm fine where I am. ::)
I will pass this opportunity. 8)

o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18507
June 24, 2023, 05:46:58 PM
 #314

When you say they know the key, I assume you mean the same key is also used in their hardware device, and not that they actually know and can see the key. How could I (who own a Ledger Nano S) see that decryption key in my device?
Yes, I mean the same key is on their device, but the distinction is irrelevant. If someone gains access to 2 of your shares, then it is trivial for them to access the decryption key even if they don't actually know what it is (by simply using any Ledger device).

Although given that Ledger have said it will be possible for users to replace Ledger and perform the entire process manually so as to not rely on any third parties, I presume the decryption key will have to be made public knowledge at some point (if someone doesn't extract and publish it before then).
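
Added illustration, not part of any post above and not code from Ledger or its whitepaper: a 2-of-3 run of Pedersen verifiable secret sharing, the scheme named in post #304, showing the two-share threshold discussed in posts #310 and #314. The group parameters P, Q, G and H, the function names deal, verify_share and reconstruct, and the sample value (a stand-in for the already-encrypted entropy) are assumptions made for the demonstration.

```python
import hashlib
import secrets

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def _is_prime(n):
    """Miller-Rabin with fixed bases; adequate for picking demo parameters."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

# Demo group (an assumption, not any product's parameters): Q is the Mersenne
# prime 2^127 - 1 and P = K*Q + 1 is the first prime of that form with K even.
Q, K = 2**127 - 1, 2
while not _is_prime(K * Q + 1):
    K += 2
P = K * Q + 1

def _generator(label):
    """Hash a label into the order-Q subgroup so nobody knows log_G(H)."""
    x = int.from_bytes(hashlib.sha256(label).digest(), "big") % P
    return pow(x, K, P)

G, H = _generator(b"demo-g"), _generator(b"demo-h")

def _eval(poly, x):
    return sum(c * pow(x, j, Q) for j, c in enumerate(poly)) % Q

def deal(secret, threshold=2, n=3):
    """Return shares (i, f(i), r(i)) and commitments C_j = G^a_j * H^b_j mod P."""
    if not 0 <= secret < Q:
        raise ValueError("secret must be in [0, Q)")
    f = [secret] + [secrets.randbelow(Q) for _ in range(threshold - 1)]
    r = [secrets.randbelow(Q) for _ in range(threshold)]
    commitments = [pow(G, a, P) * pow(H, b, P) % P for a, b in zip(f, r)]
    shares = [(i, _eval(f, i), _eval(r, i)) for i in range(1, n + 1)]
    return shares, commitments

def verify_share(share, commitments):
    """Check G^s_i * H^t_i == prod_j C_j^(i^j) mod P; reveals nothing about f(0)."""
    i, s_i, t_i = share
    expected = 1
    for j, c in enumerate(commitments):
        expected = expected * pow(c, pow(i, j, Q), P) % P
    return pow(G, s_i, P) * pow(H, t_i, P) % P == expected

def reconstruct(shares, commitments):
    """Interpolate f(0) from the first `threshold` shares that pass verification."""
    threshold = len(commitments)
    valid = {s[0]: s for s in shares if verify_share(s, commitments)}
    if len(valid) < threshold:
        raise ValueError("fewer than %d valid shares" % threshold)
    points = list(valid.values())[:threshold]
    secret = 0
    for i, s_i, _ in points:
        num = den = 1
        for j, _, _ in points:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        secret = (secret + s_i * num * pow(den, -1, Q)) % Q
    return secret

def demo():
    """Constructed run: three providers, one of which returns a corrupted share."""
    blob = int.from_bytes(b"constructed-ct!", "big")  # stand-in for encrypted entropy
    shares, commitments = deal(blob)
    i, s_i, t_i = shares[2]
    corrupted = (i, (s_i + 1) % Q, t_i)
    return {
        "all_verify": all(verify_share(s, commitments) for s in shares),
        "corrupted_detected": not verify_share(corrupted, commitments),
        "two_suffice": reconstruct(shares[:2], commitments) == blob,
        "bad_share_skipped": reconstruct([corrupted] + shares[:2], commitments) == blob,
    }

if __name__ == "__main__":
    print(demo())
```

Whoever holds the commitments can reject a corrupted share before interpolation, and any two shares that verify recover the shared value.
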
Pmalek
Legendary
Activity: 2744
Merit: 7105
June 25, 2023, 07:23:03 AM
 #315

Yes, I mean the same key is on their device, but the distinction is irrelevant. If someone gains access to 2 of your shares, then it is trivial for them to access the decryption key even if they don't actually know what it is (by simply using any Ledger device).
I don't think the decryption key is that important in a recovery scenario because it's the same one for everyone. What's important are the shards and the KYC tied to them. If they go ahead with this craziness, the KYC process must be set up in a way that there can't be any doubt if it's the lawful person that is trying to recover their crypto or someone else. With the way AI and audio & video technology is developing, that's becoming a difficult task. I am not going to get into how dangerous it is for such data to be stored online anywhere because that's already been covered extensively.

Cricktor
Hero Member
Activity: 742
Merit: 1072
Crypto Swap Exchange
June 25, 2023, 11:14:33 AM
 #316

<snip>

You name it. The security of your Ledger wallet, more accurately your Ledger seed, for a user who is crazy enough to buy this recovery service is now tied to a KYC process. It will likely be some sort of remote check or do you earn some public transport ticket to Ledger, Paris with your monthly subscription fees to show up in person? I have my doubts... And yes, with AI video and audio tools they're gonna have a hard time in a remote check. I have no idea how they want to play this safely and reliably.

The more details emerge, the more this recovery service by f***in' Ledger is an abomination and insult. What kind of drugs do they consume at Ledger, Paris, seriously?! This recovery service is so wrong in every aspect.

Synchronice
Hero Member
Activity: 840
Merit: 766
Watch Bitcoin Documentary - https://t.ly/v0Nim
July 03, 2023, 08:42:47 PM
 #317

That has happened in 2019, do they still suffer from the same problem? Btw they removed the support of AOPP but yeah, what you say about them is true.
It's interesting to know what you think about Coldcard or do you think that no hardware wallet is trustable and airgapped encrypted devices are the only last and one devices to use.
As I said, the vulnerability is unfixable. It still exists and will always exist on these devices. Coldcard is certainly airgapped, but it is not open source as Pmalek points out and the company behind it spread lies about competitors for their own gain. I personally wouldn't use it.

If I had to buy a hardware wallet right now, I would buy a Passport. But I'd much rather continue to use a separate airgapped, encrypted device, running a FOSS OS and wallet.
Coldcard changed their license from GPL to MIT+CC because The passport foundation forked a FOSS firmware base from Coldcard and this made them very upset. The fact is, Coldcard is the true creator of the most secure firmware model. Coldcard is not FOSS but it's still open source, anyone can view the code. While Passport did everything legally, I totally understand the anger from Coldcard's side but for justice, it should be said: Coldcard copied Trezor too when they appeared on the market.

By the way, I would stick with Coldcard. For people that want more user-friendly device, PP can be an option.

o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18507
July 04, 2023, 06:24:34 AM
Merited by Cricktor (1)
 #318

The fact is, Coldcard is the true creator of the most secure firmware model.
Coldcard also built on many open source libraries (not just Trezor's) when they designed their product. For them to start whining about people building up their open source library is just pure hypocrisy.

Coldcard is not FOSS but it's still open source, anyone can view the code.
The code is verifiable, not open source. Open source code is freely available to be used, built upon, modified, etc. Coldcard code is no longer open source.

Here's a post from the CEO of Passport about this: https://www.zherbert.com/an-open-letter-to-nvk-and-coldcard/

RickDeckard (OP)
Legendary
Activity: 1008
Merit: 3005
July 04, 2023, 09:09:44 PM
 #319

Here's a post from the CEO of Passport about this: https://www.zherbert.com/an-open-letter-to-nvk-and-coldcard/
A bit off-topic but to add to this story, I recently tried to summarize in a post[1] some background that led to that discussion:
There was a clash between the two some time ago. Zach (Foundation CEO and Co-founder) even made a post in his own blog about it[1]. It mostly started when Matt Odell (seen as an influencer within the crypto community I assume) posted a tweet[2] claiming that all that Foundation did was to clone NVK source code into their product. Besides Matt, even the co-founder and CEO of CoinKite (@nvk[3]) - the producers of Coldcard - was spreading that same information on their Discord channel - that not only did Foundation copy their code but that they were also closed source (you can read more about it in Zach's open letter).

I don't know how the situation ended between the two, but I wouldn't be surprised if Foundation (and Zach's team) ended up a bit frustrated against this "attack" by nvk and would keep communication on strictly what was needed. You can feel that in Zach's closing remarks in his letter:
Quote
Our team would appreciate if you lay off the character attacks and untrue statements. Let us know if we’ve done something wrong. But in an open source world, we need to build on each other’s work in order to bring Bitcoin to the masses.

[1]https://www.zherbert.com/an-open-letter-to-nvk-and-coldcard/
[2]https://nitter.it/ODELL/status/1651220101721358336
[3]https://nitter.it/nvk
I think it is always good to understand both sides of the story in every scenario and this is also an example of that. Sadly, in Ledger's case, there isn't anything that they could do to salvage the current implementation of their new feature. I'm really considering creating an account for Twitter (since I'm not able to use nitter[2] ever since Twitter blocked people from browsing unless they are signed in[3]) just to be able to follow the discussion regarding Ledger in that particular social network and see how people continue to react to the deployment of Ledger Roadmap...

[1]https://bitcointalk.org/index.php?topic=5441422.msg62445559#msg62445559
[2]https://github.com/zedeus/nitter/issues/919
[3]https://www.bloomberg.com/news/articles/2023-06-30/twitter-blocks-people-from-seeing-tweets-unless-registered

Synchronice
Hero Member
Activity: 840
Merit: 766
Watch Bitcoin Documentary - https://t.ly/v0Nim
July 06, 2023, 05:08:06 PM
 #320

The fact is, Coldcard is the true creator of the most secure firmware model.
Coldcard also built on many open source libraries (not just Trezor's) when they designed their product. For them to start whining about people building up their open source library is just pure hypocrisy.
That's right, they took advantage of someone else's work, then built a better one but now they don't want others to take advantage of their work. Definitely, that's not an ethical way to act.

The code is verifiable, not open source.
I think that's what matters the most, well, at least for me.
By the way, I am slightly out of smerits, so can't reward you but I want to say that you truly are one of the best users on this forum. Thank you for all the effort you put on this forum!

I'm really considering creating an account for Twitter (since I'm not able to use nitter[2] ever since Twitter blocked people from browsing unless they are signed in[3]) just to be able to follow the discussion regarding Ledger in that particular social network and see how people continue to react to the deployment of Ledger Roadmap...
That's the reason why I have never looked at Pinterest but I have a Twitter account :D
Idk if I am late there but you can view Twitter tweets without registration if you see them through google cache.
