Bitcoin Forum
April 27, 2024, 10:33:48 AM *
Topic: Ledger Recovery - Send your (encrypted) recovery phrase to 3rd parties entities  (Read 4613 times)
Cricktor
November 05, 2023, 12:55:10 PM
Merited by LoyceV (12), Pmalek (2), Halab (2)
 #401

...

I don't want to justify anything but it's mainly the users who are to blame for their losses. They installed a software on their computer from which they do their crypto stuff and wallet handling that they didn't verify to be legit via the original Ledger website. (Yes, I'm aware that Ledger doesn't make it very easy to check their own software via crypto hashes or signatures; another reason to avoid Ledger crap.)

How does that work? Someone installs malware, enters their PIN on the Ledger, doesn't verify the address on the Ledger, and clicks send? If that's the case, why did they bother buying a hardware wallet?

It could be that the victims didn't pay attention to check the transaction details before they confirmed to sign the transaction with their Ledger hardware wallet, i.e. the malware presented a forged transaction to be signed by the hardware wallet. But this is easy to spot if you follow basic best practices.


Or is it much more advanced, like this: The user installs malware, enters their PIN on the Ledger, (fake) Ledger Live extracts the seed phrase and sends it to the attacker? I guess this scenario didn't happen yet, but that's just a matter of time now.

Not likely in my opinion, but of course I don't know what kind of flaws already exist in Ledger's firmware that has the recovery feature already in it. (After reading the technical white paper from Ledger about the recovery service it seems to me that it's not going to be easy to exploit it, but white paper and actual implementation don't need necessarily to match; complex software tends to be buggy, closed-source doesn't make it better.)


My guess is that the fake Ledger Live Web3 shit tricked the users to enter their wallet's recovery words into the malware itself, pretending some "good" reason why this might be necessary. Maybe 1 year free Ledger recovery service, lol.

The stealing transactions could be suspicious to users as they usually don't have any change address in the transaction's outputs. Newbies might not be aware of it, but if I were the malicious actor I wouldn't count on that.


Some blame goes to Micro$oft who allowed such a malware in their security section of the app store without verifying that it actually comes from Ledger, Paris.

But frankly I see the majority of blame on the users themselves: never install and use unverified software on your crypto handling devices! Always check transaction details to be signed solely on the display of your hardware wallet! Never enter your mnemonic recovery words on an online computer or website!

Marvelman
November 05, 2023, 02:57:38 PM
 #402

I believe it's more the opposite, instead of sending it's receiving.
The fake wallet creates an address allegedly from Ledger, and then the victim thinks he is going to load his Ledger wallet, but he is actually loading the hacker's wallet.
That comes down to the same problem: not verifying the address on the hardware wallet. It could also work with a fake version of Electrum, hooked to a hardware wallet. It's convenient to copy the address only from Electrum, but it doesn't give you the security for which you bought the hardware wallet.

Then again, some people would just enter their seed phrase into a phishing website. Some people just don't want to learn.

But here comes another hardware issue. You cannot directly browse the addresses it has on the hardware. You always need software to validate.

At least, in the test I did today, if I simply connect the Ledger to the PC, without opening any software, using just the Ledger display, I cannot see any address.

In this sense, if the software a person uses is fake, they run into serious problems and have no way of validating it.

This whole situation is pretty confusing to me.  I don't get why someone would use that fake Ledger browser extension to access their wallet instead of just using Ledger's normal app.  Seems like it'd be less complicated to stick with the real deal.

My guess is the fake extension probably changed the recipient address so the coins got sent to the scammer.  But then the user just confirmed it without double checking the actual Ledger screen.  I can't believe people are so careless when transferring such huge amounts of money.  We're talking like tens of thousands of dollars here, not chump change.  But I guess some folks get lazy or too trusting.  It's crazy irresponsible if you ask me.

LoyceV
November 06, 2023, 08:42:41 AM
Merited by joker_josue (1)
 #403

But here comes another hardware issue. You cannot directly browse the addresses it has on the hardware. You always need software to validate.

At least, in the test I did today, if I simply connect the Ledger to the PC, without opening any software, using just the Ledger display, I cannot see any address.
That's not an issue. Most hardware wallets are designed to be used in combination with software running on a computer. You're not supposed to get an address from just the hardware wallet. It wouldn't know transaction data anyway.

Quote
In this sense, if the software a person uses is fake, they run into serious problems and have no way of validating it.
Before funding an address, you should ask your wallet software to verify the address on the screen of your hardware wallet. I know some mobile wallets don't offer that option, so I wouldn't use them. But normal desktop wallets have this option.
If you're using a fake or compromised wallet, there are 3 options:
  • It doesn't allow you to verify the address on the hardware wallet. Solution: don't use it.
  • It allows you to verify the address on the hardware wallet, but the address can't be verified. Solution: don't use it, and consider your computer compromised.
  • You skip all verification steps, and lose your money. Solution: none. Learn from it, and don't do it again. Also consider your computer compromised.

Some blame goes to Micro$oft who allowed such a malware in their security section of the app store without verifying that it actually comes from Ledger, Paris.
Lol. Microsoft has produced insecure software for decades. Isn't that the reason people bought hardware wallets in the first place?

Volgastallion
November 06, 2023, 01:45:51 PM
 #404

...

I don't want to justify anything but it's mainly the users who are to blame for their losses. They installed a software on their computer from which they do their crypto stuff and wallet handling that they didn't verify to be legit via the original Ledger website. (Yes, I'm aware that Ledger doesn't make it very easy to check their own software via crypto hashes or signatures; another reason to avoid Ledger crap.)


It's always the same, the weak link is always PEOPLE AND THEIR LAZINESS, no matter what a company does for security if dumb or lazy people are in the combo. 90% of "hacking" is because of some eploy making idiots clicks enter credentials or give it to X people. It's more social engineering than real hacking.

For example of this laziness, 70% of the people don't check if a web had their SSL certificates working, don't check if they are linked to a real company, in case of electronic commerce they also don't look into the bottom of the page to see if they have the correct certificates of the government, or real social media profile etc etc.

And I'm talking about BASIC stuff, they are like horses with blinders, they only see the offer ahead, the promotion, and want to take the opportunities no matter the risk.

Pmalek
November 06, 2023, 04:48:31 PM
 #405

But here comes another hardware issue. You cannot directly browse the addresses it has on the hardware. You always need software to validate.

At least, in the test I did today, if I simply connect the Ledger to the PC, without opening any software, using just the Ledger display, I cannot see any address.
It depends on the hardware wallet. Ledger and Trezor don't have such options, but airgapped devices, such as the Coldcard or Seedsigner, have functionalities that allow you to see a series of BTC addresses on the HW's screen. Regardless if they do, you don't need it. You should first compare the address you are sending to with the original source. Once the transaction is ready and before signing and broadcasting, you check each detail on the hardware wallet screen. It's like a second-factor-authentication. Confirm the transaction only if everything matches. 

cygan
November 30, 2023, 10:07:02 AM
 #406

i'm putting the message in this thread now, because at the moment this is the most frequented one regarding Ledger.
at the moment, more and more fake e-mails are being sent again, pretending to be a request from Ledger to activate 2fa

this is of course a fake/fraud - do not click on any of the available links and delete this mail immediately!


LoyceV
November 30, 2023, 10:21:43 AM
 #407

this is of course a fake/fraud
So someone managed to turn the word 2FA into an attack vector. And there will always be people falling for it.

jerry0
December 01, 2023, 02:08:16 AM
 #408

If you don't plan to use ledger recovery, just ignore it right?


I got to wonder what percentage of people use this here on this forum?  Got to be 5% or less?  But for other people, probably 20% or higher?
Volgastallion
December 01, 2023, 02:39:15 PM
 #409

this is of course a fake/fraud
So someone managed to turn the word 2FA into an attack vector. And there will always be people falling for it.

Yes, and also the main problem can be when someone is not alert to the leak, for example 5 years pass so you think that it stops, but someone with the leaked directions sends a mail, and one person can get scammed easily.

It's a very serious threat, but I always repeat the same, never enter any info.

HeRetiK
December 01, 2023, 05:34:28 PM
 #410

If you don't plan to use ledger recovery, just ignore it right?

Ledger can use (or be coerced to use) this backdoor regardless of whether you plan on using Ledger Recover or not, so ignore at your own peril.


I got to wonder what percentage of people use this here on this forum?  Got to be 5% or less?  But for other people, probably 20% or higher?

20% seems a bit high for a paid subscription that for most users will do nothing, but who knows? I doubt Ledger will ever publish numbers on that though, unless they go for an IPO at one point.

RickDeckard (OP)
January 11, 2024, 09:55:06 PM
 #411

I know that this is a case of "stop beating the dead cat" but this really has to have more light shed on it: As soon as you connect to Ledger Live, every stroke you make is being tracked[1] by Ledger (and probably being analyzed and categorized in order to make something with that data). The leaked X/Twitter thread is also a joy to read[2].

The same user also managed to erase the trackers and compiled a usable build - You can check it out here[3]. Like always, treat it with a grain of salt and do your own due diligence if you intend to test the build out. I'm not sure how he's able to "allow fully anonymous ledger HW setup and updates" but if the application achieves all of the proclaimed goals then it is the single best piece of software that Ledger will never make.

[1]https://crypto.bi/forum/threads/ledger-live-data-collection-is-more-than-a-little-concerning.5/#post-13
[2]https://nitter.net/rektbuildr/status/1732542258698694875
[3]https://github.com/rektbuildr/lecce-libre

joker_josue
January 12, 2024, 07:52:44 AM
 #412

The same user also managed to erase the trackers and compiled a usable build - You can check it out here[3]. Like always, treat it with a grain of salt and do your own due diligence if you intend to test the build out. I'm not sure how he's able to "allow fully anonymous ledger HW setup and updates" but if the application achieves all of the proclaimed goals then it is the single best piece of software that Ledger will never make.

Have you already tested this application?
This idea is interesting, of having a third party program obtain the updates. But, I see two points that need to be taken into account: trust (you have to trust the author of this program) and update (if the updates come from Ledger, the problem remains because it comes with the new features they include).

m2017
January 12, 2024, 01:30:18 PM
 #413

I know that this is a case of "stop beating the dead cat" but this really has to have more light shed on it: As soon as you connect to Ledger Live, every stroke you make is being tracked[1] by Ledger (and probably being analyzed and categorized in order to make something with that data). The leaked X/Twitter thread is also a joy to read[2].
Indeed, this is exactly what "stop beating the dead cat" looks like.

When there are dozens of HW device manufacturers on the hardware wallet market, supporters must certainly bother with assemblies of unknown persons in order to be able to use Ledger Live from a company that steals data about your every action, loses personal and other confidential data, and imposes very dubious services. Let’s not forget about the recent story of the contents of ledger live wallets being hacked due to a vulnerability created by a former employee of the company. You have to be a true masochist to continue using their products thanks to third-party crutches codes written by unknown programmers.

What other unpleasant incident would have to happen to ledger owners (or must happen to you) to convince you that you should not use any ledger products? Even with the help of solutions like these proposed by you.

The same user also managed to erase the trackers and compiled a usable build - You can check it out here[3]. Like always, treat it with a grain of salt and do your own due diligence if you intend to test the build out. I'm not sure how he's able to "allow fully anonymous ledger HW setup and updates" but if the application achieves all of the proclaimed goals then it is the single best piece of software that Ledger will never make.
And this application will become “open source” (which their community has long dreamed of), since ledger was reproached for keeping the code closed? :)

2 important points:
1 - how completely did the author remove all trackers and other unnecessary things for an adequate user from this application?
2 - how much can you trust this (or another) author and has he added anything unnecessary to the code?

Pmalek
January 13, 2024, 08:30:42 AM
 #414

1 - how completely did the author remove all trackers and other unnecessary things for an adequate user from this application?
He couldn't remove all tracking code because the software breaks and becomes useless if he does. He removed a great deal of it, but there is still tracking software in the code that becomes active for certain actions you perform.

2 - how much can you trust this (or another) author and has he added anything unnecessary to the code?
Someone who knows how to read code would have to go through each line, checking what it does. And I don't see anyone doing that thoroughly for free. Otherwise, it's a matter of trust. You can either trust Ledger, their code, and their indentations or everything rektbuildr made.   

tabas
January 26, 2024, 03:10:46 PM
 #415

A not so exciting and discouraging update from them for the Nano S Plus users. This is anticipated that it shall come as they've said that it's not just going to be with the Nano X users but also soon to come with the S plus users and that time has come. I've just seen it posted on their sub-reddit[1] 18 days ago.
[1] Ledger Recover access is now rolling out to Ledger Nano S Plus users!
Reading the comments on that update is amusing on how many dislike and are aware of what Ledger is doing.

joker_josue
January 26, 2024, 07:33:48 PM
 #416

A not so exciting and discouraging update from them for the Nano S Plus users. This is anticipated that it shall come as they've said that it's not just going to be with the Nano X users but also soon to come with the S plus users and that time has come. I've just seen it posted on their sub-reddit[1] 18 days ago.
[1] Ledger Recover access is now rolling out to Ledger Nano S Plus users!
Reading the comments on that update is amusing on how many dislike and are aware of what Ledger is doing.

So I give you a good suggestion:
DO NOT FOLLOW THE STEPS YOU FIND ON THIS PAGE - https://support.ledger.com/hc/en-us/articles/4445777839901-Update-Ledger-Nano-S-Plus-firmware

If you only use BTC, do not count the wallet to Ledger Wallet. Use Electrum, for example.
If you had a problem and had to restart everything... well, you'll have to choose whether you want to continue using Ledger with these new conditions or not.  Roll Eyes

Meuserna
January 27, 2024, 03:44:27 AM
 #417

A not so exciting and discouraging update from them for the Nano S Plus users. This is anticipated that it shall come as they've said that it's not just going to be with the Nano X users but also soon to come with the S plus users and that time has come. I've just seen it posted on their sub-reddit[1] 18 days ago.
[1] Ledger Recover access is now rolling out to Ledger Nano S Plus users!
Reading the comments on that update is amusing on how many dislike and are aware of what Ledger is doing.

The comments would be even more negative if Ledger hadn't already shadowbanned tons of users who complained about their seed extraction firmware.

I was a long time Ledger user, but once they announced that nonsense, I moved my Bitcoin to a new seed & switched to a different hardware wallet.  You couldn't even pay me to use a Ledger anymore.

A lot of people are going to stick with Ledger because they haven't seen Ledger's Recover & seed extraction scheme get hacked yet, so it must not be anything to worry about.  They're missing the bigger picture.  It's not about coins being safe today or even this year.  It's about staying safe for years to come.  When something goes wrong, it's going to be uuuuuuuugly.  And by the time anybody realizes Ledger's Recover was hacked, it'll be too late.  I assume hackers will gather as many keys as possible before they start draining wallets in order to prevent Ledger from realizing they've been hacked.
tabas
January 27, 2024, 07:59:28 AM
 #418

So I give you a good suggestion:
DO NOT FOLLOW THE STEPS YOU FIND ON THIS PAGE - https://support.ledger.com/hc/en-us/articles/4445777839901-Update-Ledger-Nano-S-Plus-firmware

If you only use BTC, do not count the wallet to Ledger Wallet. Use Electrum, for example.
If you had a problem and had to restart everything... well, you'll have to choose whether you want to continue using Ledger with these new conditions or not.  Roll Eyes
Yeah, I wouldn't be updating my firmware with what they've said and I haven't opened it for years actually. I'm already contemplating on another hardware that has a better feature and doesn't have these updates that go against the purpose of having an HW.

The comments would be even more negative if Ledger hadn't already shadowbanned tons of users who complained about their seed extraction firmware.

I was a long time Ledger user, but once they announced that nonsense, I moved my Bitcoin to a new seed & switched to a different hardware wallet.  You couldn't even pay me to use a Ledger anymore.
Oh, so there have been shadowbanned comments there and they just can't do that to most of the redditors since they're a lot.

A lot of people are going to stick with Ledger because they haven't seen Ledger's Recover & seed extraction scheme get hacked yet, so it must not be anything to worry about.  They're missing the bigger picture.  It's not about coins being safe today or even this year.  It's about staying safe for years to come.  When something goes wrong, it's going to be uuuuuuuugly.  And by the time anybody realizes Ledger's Recover was hacked, it'll be too late.  I assume hackers will gather as many keys as possible before they start draining wallets in order to prevent Ledger from realizing they've been hacked.
I agree, I've trusted them for years but it all came downhill when they've introduced this ledger recovery and have forced the updates through their firmware for which many have believed to be safe before this thing has came. I feel bad for those folks that are trusting them with this feature.  Undecided

LoyceV
January 27, 2024, 09:11:14 AM
 #419

No, not the Ledger Nano S. They aren't selling this model anymore and will eventually drop support for it. The Ledger Nano S Plus will have support for Ledger Recover. So far they haven't mentioned anything about the Ledger Stax.
Could it be the Ledger Nano S actually does what they promised back then? That would mean it's impossible for them to update the firmware to get your seed phrase out, because the hardware doesn't allow it. Maybe I'm too optimistic here, but it could be they were still trying to make an honest product back then, instead of going for maximum profit through subscriptions.

Pmalek
January 27, 2024, 01:37:29 PM
 #420

Could it be the Ledger Nano S actually does what they promised back then? That would mean it's impossible for them to update the firmware to get your seed phrase out, because the hardware doesn't allow it. Maybe I'm too optimistic here, but it could be they were still trying to make an honest product back then, instead of going for maximum profit through subscriptions.
Perhaps, but who knows!? Ledger, sure as hell, isn't going to be honest about it, unless they admit it by mistake. It could be related to hardware and memory limitations with the old Nano S. Something similar to why the old Trezor One still doesn't and can't support Monero after all these years. I guess there isn't enough RAM available on that granddad of a HW to carry out the needed operations. If I remember an old discussion I read somewhere correctly, Monero's privacy scripts and cryptography require too much memory.
