Ledger Recovery - Send your (encrypted) recovery phrase to 3rd parties entities

[o_e_l_e_o]

The only upside is that it requires device-based confirmation, similar to signing signatures, or at least so they claim.

And yet, if they can implement a function to export your seed phrase from the secure element with a simple software update, then they can also implement a function to remove the need for any physical button presses with a simple software update.

Personally, I'm moving over to Trezor.

There is nothing stopping the same issue from arising on Trezor devices, and indeed, the seed phrase can already be extracted from Trezor devices by an attacker in ~15 minutes. Not to mention Trezor's partnership with blockchain analysis and government surveillance. Trezor is a poor substitute.

If they can enable such a feature with the user's consent, what stops them from enabling it without the user's consent if the user doesn't want to use it? All they have now is a promise they can't do it, but their words and guarantees are worth very little at this stage.

Agreed. The whole "opt in" nonsense they are touting is completely meaningless. They could choose to enable it as mandatory in a future update, or maybe even do it anyway behind the scenes, and you would never know.

And during all this, Ledger devs are completely absent on social media despite their subreddit going in to meltdown, and Ledger haven't even bothered to brief their Customer Support agents on how it actually works, leading to them guessing when answering questions: https://www.reddit.com/r/ledgerwallet/comments/13j5cna/introducing_ledger_recover_answering_your/jkev3or/

How not to run a company, 101.

[1714217961]

1714217961

[1714217961]

1714217961

[1714217961]

1714217961

[witcher_sense]

They created an official page for their new fascinating feature: https://www.ledger.com/recover

Can someone explain to me how the following is possible:

What would happen to my Ledger Recover subscription and related data if one of the companies goes out of business?

If one of the companies holding a fragment of the Secret Recovery Phrase shuts down, the other two will maintain the service and eventually replace it with a new company.

How can they reconstruct a seed phrase after losing access to one of the fragments of an encrypted secret? What algorithm do they use and doesn't it make the whole scheme questionable since they have no plan B for the case when 2 out of 3 companies shut down?

What prevents them from collaborating to steal customer funds and pretending that the user himself fucked up with recovery keys?

Why the customer paying for service is not included in this recovery quorum?

[o_e_l_e_o]

Can someone explain to me how the following is possible:

They've already said that this will use Shamir's Secret Sharing. (Let's not even get in to why SSS is a bad idea: https://blog.keys.casa/shamirs-secret-sharing-security-shortcomings.) In a 2-of-3 set up, if one share is lost you can recombine the other two shares to recreate the secret, and then from that secret generate three new shares

It's not clear whether that would require the user to set up everything again from scratch, or whether Ledger would just recreate your seed phrase and then generate three new shares automatically. I'm sure I don't need to point out the massive risk with the second option.

What prevents them from collaborating to steal customer funds and pretending that the user himself fucked up with recovery keys?

Absolutely nothing.

Why the customer paying for service is not included in this recovery quorum?

Because you are too stupid to write down 24 words on a piece of paper, remember? Pay us instead and we'll definitely keep it safe. Wink wink.

[Pmalek]

Why the customer paying for service is not included in this recovery quorum?

The user could be included, but you are already supposed to have copies of your entire recovery phrase anyway. If you can't keep track of that and lose it, why keep a copy of one additional 1/3 shard?
Not that it makes this any better, but will they require that you generate a new seed to participate in their paid seed-share service or does it also apply to seeds generated before this was rolled out?

[Lucius]

The trust is currently broken. Ledger says anyone can opt-out of the service, but how can we verify that the backdoor wasn't there the whole time?
~snip~

You've got to be kidding? The trust was broken from the moment when hundreds of thousands of data of their customers were hacked and made public, which included literally everything from full names, residential addresses, mobile phones and e-mails. Anyone who continued to trust that company after that only exposed themselves to additional risk, because as it turned out with this move, they (Ledger) obviously have a way to extract every generated seed, and now they just publicly admitted it.

As far as I'm concerned, I think that every HW from Ledger is compromised and that you should stop using it as soon as possible.

[tenant48]

In essence, Ledger has confirmed that they will have access to your private keys.
I wonder what is the point now in the embedded chip responsible for security, if it is possible to easily get a secret from it?

[Aikidoka]

The user could be included, but you are already supposed to have copies of your entire recovery phrase anyway. If you can't keep track of that and lose it, why keep a copy of one additional 1/3 shard?

Exactly, and that's why it doesn't make any sense. Implementing SSS method is really bad as it might expose users to a lot of risks. I don't understand why they're putting their clients at such a high risk just to earn more money, it seems like a joke to be honest. The whole company will be destroyed after this and I think they'll lose almost all their clients as a result.

Not that it makes this any better, but will they require that you generate a new seed to participate in their paid seed-share service or does it also apply to seeds generated before this was rolled out?

If they believe that users are incapable or too stupid of keeping their seed phrase secure, implementing a method that requires sharing 1/3 of the seed while risking exposure of private keys is absolutely nonsensical. It implies a lack of trust in users' ability to handle their own security as well as sharing their wallet data to 3rd parties entities. 

[BitcoinGirl.Club]

@TryNinja, I think you have a chance to write another script.

Wherever Ledger was mentioned replace it with a choice of word by the users and update the topic.

I will personally replace it with:

Ledger = Ledger [not recommended anymore, scammers].


I am going to burn my Ledger Nano S today or tomorrow. If I get a chance then I will upload a picture.

May be we need a hashtag in social media, #Notoledger

[Edit]
Examples from some of my old posts were edited now
https://bitcointalk.org/index.php?topic=5446331.msg62009164#msg62009164
https://bitcointalk.org/index.php?topic=5442513.msg61855155#msg61855155

[Re-posted]

[cygan]

me yesterday this news has also blown and i can not really imagine what has driven Ledger to publish this recovery update - apparently Ledger earns on the 'old' customers no longer good enough and now wants to earn by this way also on the 'new' customers, for which then the seed security is a 'child's play' and how everything in their lives is stored on any clouds, because the security/privacy is then completely indifferent

what i also wonder is what happens to the Legder sticks that don't go through this update - can they continue to be used without problems?

[HeRetiK]

This is so wrong on so many levels and I just can't wrap my head around it. I just hope the market will punish Ledger accordingly, but I don't have much faith.

All the more important to keep calling this for what it is: A backdoor. Not an option. A backdoor. Your only option is to pay for the privilege of accessing the backdoor as well.

Remember when Trezor and Ledger were the two best hardware wallets out there, and every thread had people (me included!) recommending either/both of them. How the mighty have fallen! Both are complete and utter trash now, completely ruined by awful decisions such as this one. Seriously, do the management teams behind both wallets understand nothing about bitcoin?

What happened with Trezor? I remember a seed extraction hack from a couple years back, but that one still required physical access which makes it not even nearly as bad as what Ledger is doing.

Ledger have just admitted that their entire design is deeply flawed.

Reminds me a bit of that scene in The Big Short:

"I don't get it. Why are they confessing?"
"They're not confessing. They're bragging."

what i also wonder is what happens to the Legder sticks that don't go through this update - can they continue to be used without problems?

Probably. But you can't ever be sure that this backdoor hasn't been there all along, as pointed out by others upthread.

[o_e_l_e_o]

What happened with Trezor? I remember a seed extraction hack from a couple years back, but that one still required physical access which makes it not even nearly as bad as what Ledger is doing.

That, and their partnership with Wasabi and blockchain analysis firms, resulting in government sanctioned surveillance and censorship.

[joker_josue]

what i also wonder is what happens to the Legder sticks that don't go through this update - can they continue to be used without problems?

Probably. But you can't ever be sure that this backdoor hasn't been there all along, as pointed out by others upthread.

Yes, I don't see the firmware creating the backdoor. The fact that the new firmware has already circulated, even briefly, can now be analyzed by hackers to be able to discover that backdoor.

Allegedly, and the fact that they have made it very clear everywhere, the Nano S model will be the only one that will not have that back door.
But how now are we to know? Doubts were left in the air, there is not much way to remedy it.

[FatFork]

Here are the key points from the live session with CXO Ian C Rogers (@iancr), CTO Charles Guillemet (@P3b7_), and co-founder Nicolas Bacca (@btchip) answering some of the questions.

I gotta be honest, I listened to the whole shebang live and then again on the recording, and if I'm being real, there was a whole lot of mixed signals flying around. I mean, seriously, there's so much conflicting info, half-truths, and straight-up marketing jargon going on, it's hard to know what's real and what's just fluff. They were talking about Ledger Recover and how it's all about security and self-custody, but honestly, some of their explanations were all over the place, not really addressing the tough questions head-on. I get it, they're trying to pitch this as a solution for people who struggle with seed phrases and stuff, like your mom or less tech-savvy folks. But honestly, I think they missed the mark. In the end, after listening to the whole thing, I'm left feeling like there's a whole lot of smoke and mirrors going on. One thing is for sure, once you opt-in for this Ledger Recover service and update the firmware, that Ledger device just can't be considered as a trustworthy self-custody solution for your crypto anymore, no matter how they try to spin it. They're trying to sell us on this idea that we still have full control, but let's be real here, it's not quite the case anymore.

"We are security and self-custody maxis. These are things we won't make compromise on." - @iancr

"Ledger Recover allows people to back up their seed phrase. If you aren't concerned with your seed phrase security, then this won't be for you. It's 100% optional." - @iancr

"When I think of my mom using our product - there are two main hurdles. One is unreadable addresses, and two is managing your private key. If you know how to back up your 24 words securely, Ledger Recover isn't for you. But for people like my mother, those 24 words can be really complicated." - @P3b7_

"Technically, as soon as you opt in for the service, you'll be asked if you are happy to opt-in for Ledger Recover. If you are - then you sign a transaction on your Ledger to shard your private keys into 3 shards, then it's encrypted in the device, then a secure channel is created within the device for the 3rd party providers which allows the encrypted shards, which are encrypted again and then stored with the providers." - @P3b7_

"When you need to recover your seed, you will go through a ID Verification process (which is very comprehensive) to confirm your identity. After you are verified, the providers will send the encrypted shards to your Ledger Nano device directly. The device decrypts the shards in your device and you're set." - @P3b7_

"Here, the point which is important to remember is that you stay in control…there’s no backdoor, nothing will happen without your consent on the device…in the future, the whole protocol will be open, so you’ll be able to verify how the whole protocol works." - @BTChip

"There are three parties (in 3 different jurisdictions) storing the shards - one is @Coincoverglobal, which already works with several B2B offerings, that keeps one shard of and provides the $50k insurance plan; the other escrowtech, which backs up the 3rd shard. And there are two ID verification providers." - @P3b7_

"If you understand self-custody very well and can fully self-sovereign, you don't need Ledger Recover; if you are someone like my mother, then this product will be for you. At the end, you choose." - @P3b7_

"Ledger Recover is what our future 100m of customers want - they will onboard into crypto in a secure way with Ledger Recover." - @_pgauthier

Q: Is my seed phrase safe - is there a backdoor?
A: There are no backdoors in any Ledger. Your seed is secured in the Secure Element chip and on your paper. If you opt in for Ledger Recover, there’s an additional back up in the form of 3 encrypted shards stored with 3 different parties.

"In another word, every time you access your private key, the Ledger device requires your consent. Ledger Recover is simply another application that is built on the Secure Element chip that is never compromised, just like when you need to sign a transaction with a Ledger." - @BTChip

"The Secure Element is a small computer that operates cryptographic features exclusively, including generating and securing the private key. What we did was to include a new feature in the Operating System, which encrypts and shards the private key which enables Ledger Recover." - @P3b7_

"We keep only what is legally required, nothing more. We don't want to take up the responsibility of being a custodian. Our opinion of KYC is that Ledger doesn't do it. We provide you access to services that might require KYC. It's completely up to you." - @iancr

"If you are not comfortable with ID Verification - then you can either choose a different service or you can build your own recover services." - @BTChip

source: https://twitter.com/Ledger/status/1658463730676518920

[witcher_sense]

The user could be included, but you are already supposed to have copies of your entire recovery phrase anyway. If you can't keep track of that and lose it, why keep a copy of one additional 1/3 shard?

According to their previous announcement and their FAQ that I provided the link to above, they consider this whole thing as a form of self-custody, so it is a little bit strange that the user doesn't participate in storing funds directly and instead has to trust centralized companies keeping a shared secret.

What prevents them from collaborating to steal customer funds and pretending that the user himself fucked up with recovery keys?

Absolutely nothing.

Does it mean we can't verify that they have no access to the decryption key used to reconstruct the initial seed? It is still unclear how the whole decryption process works and how a hardware wallet knows that you underwent a KYC procedure to start recovering. Who sends it a decryption key because it may be a different device from that you created your setup?

[HeRetiK]

Allegedly, and the fact that they have made it very clear everywhere, the Nano S model will be the only one that will not have that back door.
But how now are we to know? Doubts were left in the air, there is not much way to remedy it.

On the other hand it's unlikely that the backdoor has been there before because otherwise the hackers would have stolen the wallet seeds alongside the customer data way back when 

You don't need to open source the firmware if you just open source the costumer data! *taps forehead*

What happened with Trezor? I remember a seed extraction hack from a couple years back, but that one still required physical access which makes it not even nearly as bad as what Ledger is doing.

That, and their partnership with Wasabi and blockchain analysis firms, resulting in government sanctioned surveillance and censorship.

Interesting, I wasn't aware of the censorship controversy around Wasabi. Thanks for bringing this to my attention.

(Still, in my book not even remotely as bad as what Ledger is doing for 2 reasons: (1) I primarily expect security from a hardware wallet, with privacy being a nice-to-have, but I don't mind falling back on other options for that, (2) using transactions with questionable privacy is still optional while having a backdoor is not. But I'll leave it at that, for fear of straying off-topic. I definitely see your point regarding SatoshiLabs' company policy though.)

[Lucius]

"When I think of my mom using our product - there are two main hurdles. One is unreadable addresses, and two is managing your private key. If you know how to back up your 24 words securely, Ledger Recover isn't for you. But for people like my mother, those 24 words can be really complicated." - @P3b7_
---
"If you understand self-custody very well and can fully self-sovereign, you don't need Ledger Recover; if you are someone like my mother, then this product will be for you. At the end, you choose." - @P3b7_
--
"Ledger Recover is what our future 100m of customers want - they will onboard into crypto in a secure way with Ledger Recover." - @_pgauthier

From what the guys from Ledger wrote, it is a little clearer why they do such stupid things - their business decisions were obviously influenced by their mothers who are serious investors in cryptocurrencies, and at the same time they are not capable of making a backup and storing it safely.

It's even funnier that they justify their stupid moves with hundreds of millions of new users in the future who supposedly want to share their secret backup with various companies around the world. Apparently, they can also read the minds of their future clients...

I thought nothing could surprise me when it comes to Ledger, but these guys definitely do their best in creating unpleasant surprises - what's next, full KYC to be able to use Ledger Live or do a firmware update?

[o_e_l_e_o]

but honestly, some of their explanations were all over the place, not really addressing the tough questions head-on.
...
I'm left feeling like there's a whole lot of smoke and mirrors going on.

This exactly. The fact that none of the devs have actually just directly answered these questions head on in a couple of sentences, and are instead making people sit through an hour long recording, speaks volumes. It reminds of that quote from Vitalik about known scammer CSW:

In general, signaling theory says that if you have a good way of proving something and a noisy way of proving something, and you choose the noisy way, that means chances are it’s because you couldn’t do the good way in the first place.

Does it mean we can't verify that they have no access to the decryption key used to reconstruct the initial seed? It is still unclear how the whole decryption process works and how a hardware wallet knows that you underwent a KYC procedure to start recovering. Who sends it a decryption key because it may be a different device from that you created your setup?

It's not clear yet, but we know they must have the means to decrypt it themselves. You can lose your hardware wallet and your seed phrase, and still recover your wallets on a new device. This means that everything needed to recover your seed phrase (i.e. the shares and their decryption keys) are stored by one or more third parties, since you need to provide absolutely nothing yourself, not even the original device.

[Synchronice]

Seriously, this decision wouldn't be made without a lot of discussion and some research/statistics. Ledger is a company, business and aim is to increase profit. Me and you analyze that by implementing this subscription service, one thing is clear, we have to pay money for worsened security. I'm laughing so much, just thinking, what a stupid person you should be to pay money for a service that absolutely abandons the idea of owning a hardware wallet. I mean, you buy a hardware wallet for improved security and then subscribe their service for decreased security, this is such a crazy thing. But Ledger packs all of these positively, in order to generate money, you need to conquer the heart of majority, not minority, majority of people are not smart, minority are, they simply take an advantage of the situation.

How not to run a company, 101.

I bet their sales will increase, we will see. It offers people an option that they want. Do people lose their keys? Yes. Do they want a recovery option? Yes. Do people think that hardware wallet is safer than any other type of wallet? Yes but do they know why? No, they have just heard that. Do people think that they are confiscating their security by subscribing ledger's service? No. I know it sounds crazy but don't expect people to think and analyze things the way you do. People pay millions of dollars to digitally own a pixelated guy or a silly image of ape, so, do you really expect that majority of people have normal cognitive abilities?

[Similificator]

Man, this is scary. I should be telling the people I know about this so they can start preparing to transfer their funds as soon as possible since I was the one who recommended ledger to them and to most of the people who asks. I really don't understand what has gotten into their minds. They must be viewing security and privacy in a perspective that is way too different than every crypto enthusiast out there to have come up with such crap. Doing this is just the same as taunting hackers to a game of hide and seek. This is truly frightening and at the same time really disappointing.

[UniJoin]

This is a paid feature so it's not sending your seed phrase anywhere unless you pay $9.99 per month for it (which is a dumb subscription).

Honestly, you put me at ease a little.

Although, just recently we thought about ordering a batch of customized Ledgers for our employees and for raffles, but now we are very skeptical.