Bitcoin Forum
Author Topic: Ledger Recovery - Send your (encrypted) recovery phrase to 3rd parties entities  (Read 4602 times)
rdluffy
Legendary
Activity: 2212
Merit: 1303
May 16, 2023, 04:37:04 PM
#21

I just saw a local thread and ran here to see if it was true or not. I thought it was a joke or a misunderstanding.

Quote
The whole point of a hardware wallet is to store your seed phrase and private keys safely and securely inside and prevent them from being extracted. The whole point of Ledger's secure element is that there is no possible way to extract the seed phrase from it. Now we have just discovered that a simple firmware update will permit the secure element to start sending your seed phrase across the internet. Ledger have just admitted that their entire design is deeply flawed.

I have a question that might be important about this service:
--> Will this update make Ledger able to extract the seed from the hard wallet? (which I thought was impossible, like you said)
or
--> Will the user have to type the seed to be stored by the ledger?

If it's the second option, it wouldn't change much regarding security for those who don't opt for the service.
But if it is the first option, it is a tool that can fall into the wrong hands and generate an exploit.

I'm worried, since I have a Ledger Nano S :(

dragonvslinux
Legendary
Activity: 1666
Merit: 2204
May 16, 2023, 05:10:13 PM
Merited by LoyceV (4), vapourminer (1)
#22

This is truly insane, never thought I'd hear of this from any hardware manufacturer. As others have said, it completely defeats the point and security of a hardware wallet and offline seed phrase.

To think you can shard your seed phrase and have 1/3 in escrow? What a laughable concept. At best it will simply open the door for fraudulent recovery of seed phrases (with stolen IDs etc) and at worst the three companies simultaneously get hacked and everyone loses their money! The worst thing is knowing how many users will opt in to this thinking it's a safe and secure method of seed phrase backup.

The fact they are charging $10 per month also suggests to me that they are in financial trouble, as that's quite an expensive form of non-custodial bank account. I'd expect this service to be more of a $10/20 one-off payment, or annual. Does anyone know about Ledger's financials? Given the state of the economy and this recent "product release", I can't imagine that they are in good health right now.

FatFork
Legendary
Activity: 1568
Merit: 2581
May 16, 2023, 05:16:56 PM
Merited by o_e_l_e_o (4)
#23

Anyone interested can listen live in Spaces right now: Introducing Ledger Recover: answering your Qs w/@iancr @P3b7_ @btchip

https://twitter.com/i/spaces/1RDxlavNoAzKL?s=20

o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18504
May 16, 2023, 05:52:51 PM
Last edit: May 17, 2023, 11:33:09 AM by o_e_l_e_o
Merited by RickDeckard (1)
#24

Also something else I glossed over before - they are providing $50,000 in insurance for your holdings. They must, therefore, be monitoring all the balances on all your addresses in real time and linking all that information to your KYC and seed phrase backups to ensure that they don't get scammed by someone claiming to have lost $50,000 when they were only holding $10.

I've skim listened to this on 2x speed, but I can't find anywhere that they actually address that there now exists the ability for Ledger wallets to export seed phrases off of the secure element. Someone please correct me if I'm wrong. They answer questions like politicians. Direct quote from Nicolas Bacca (BTChip, Ledger VP): "I'm not sure what's not to like."

Absolutely unbelievable. This forum, Reddit, Twitter, literally everywhere pointing out the massive issues with this, and the VP responds by sticking his head in the sand and saying "Everything is great!"

RickDeckard (OP)
Legendary
Activity: 1008
Merit: 2908
May 16, 2023, 06:21:31 PM
Merited by LoyceV (8), Pmalek (2), witcher_sense (2), Zwei (2), vapourminer (1), examplens (1), DdmrDdmr (1)
#25

Quote
I have a question that might be important about this service:
--> Will this update make Ledger able to extract the seed from the hard wallet? (which I thought was impossible, like you said)
or
--> Will the user have to type the seed to be stored by the ledger?

If it's the second option, it wouldn't change much regarding security for those who don't opt for the service.
But if it is the first option, it is a tool that can fall into the wrong hands and generate an exploit.

From my perspective, either answer will always negatively affect the overall product and void the concept behind the product sold by Ledger. Even if you don't opt in for this service, what Ledger is doing is claiming that ever since the beginning of their products it was always possible to extract the recovery phrases - encrypted or not - but the feature has since been dormant (until now it seems). If there is even a remote chance that by a simple firmware upgrade the security chip starts broadcasting and exporting your recovery phrases, what security do their users have?

To answer your second question, if you had to type your recovery phrases to use this service, it would be even worse than the current solution that they are proposing as you would be violating one of the core rules of your funds' safety - never share/type your recovery phrases anywhere, not even with your device manufacturer or the Pope.

Quote
I've skim listened to this on 2x speed, but I can't find anywhere that they actually address that there now exists the ability for Ledger wallets to export seed phrases off of the secure element. Someone please correct me if I'm wrong. They answer questions like politicians. Direct quote from Nicolas Barra (BTChip, Ledger VP): "I'm not sure what's not to like."

It's a total shitshow as of now. Their CTO even recorded[1] a video for Reddit to address the chaos that's currently ravaging their sub but the message is always the same - "We will not know your keys". They also seemed to launch a FAQ[2] for the service, but the answers there are laughable:

Quote
Why do I need Ledger Recover?
You’re responsible for storing your Secret Recovery Phrase. While this setup makes you enjoy all the benefits of self-custody and complete control over your assets, it also makes you solely responsible for their protection. Ledger Recover is designed for users who want to add an enhanced layer of security in case their Secret Recovery Phrase is lost or when they can't access it.

This system is "designed to add an enhanced layer of security" and how do they do that? By stripping away one of the core concepts behind Bitcoin and handing it over to 3 entities (2 of them unknown at least for me) and another one being Ledger. Ridiculous.

Quote
Who has access to my wallet with Ledger Recover?
In short, only you can access your wallet. When you subscribe to Ledger Recover, a pre-BIP39 version of your private key is encrypted, duplicated and divided into three fragments, with each fragment secured by a separate company—Coincover, Ledger and an independent backup service provider. Each of these encrypted fragments is useless on its own. When you want to get access to your wallet, 2 of the 3 parties will send fragments back to your Ledger device, reassembling them to build your private key.

So what they are saying is that "They don't share your private keys" but instead share an encrypted derived version of our private keys with external entities which then can be used to give us access to our funds. Do note that they said they are not our private keys, but at the end of the day when they are decrypted they still give us access to our funds.

Quote
What if I lose my Ledger device that is associated with my Ledger Recover subscription?
Simply get another Ledger device and follow the process to recover access to your wallet.

This means that these backups hold all the information that is needed to get access to the funds, meaning that the original device doesn't even need to "decrypt" anything and isn't the only machine capable of doing so. If this "backup" isn't a pure copy of the private keys - like Ledger claims that it isn't - then what is? Since they are exporting a copy, they claim that they aren't exporting the original recovery phrases? Do they really think their userbase is that stupid?

Quote
Does Ledger Recover store my personal data?
Your identity details are collected by Ledger Recover ID verification service providers. Coincover and Ledger store an encrypted excerpt of this data. Only authorized third parties have access to it. To learn more about how we collect and use this information, please read our Privacy Policy.

Alas, more privacy invasion policies and data hoarding of personal information. I'm baffled at such a lack of respect for one's privacy.

What is even more laughable is that Coincover - the 2nd entity that will receive the backups - is operating in an environment made by Ledger as this piece of the FAQ claims it, so Ledger is actually present in 2 out of the 3 companies that hold your backup:

Quote
What if someone gets access to my wallet using Ledger Recover?
Ledger Recover comprises extensive identity verification processes—performed by Coincover within a secure environment built by Ledger. As an added layer of protection, subject to investigation, $50,000 compensation may be available from Coincover in the unlikely event that something were to go wrong.

Even if Ledger trashes this concept to the ground, the message is clear - Their secure chip was always able to extract your recovery phrase (encrypted or not) and it was just waiting for a firmware update to enable that option. If you care about your privacy and your funds, please stop using your Ledger device and transfer your funds to another wallet.

[1]https://www.reddit.com/link/13j5cna/video/u4texr0t270b1/player
[2]https://support.ledger.com/hc/en-us/articles/9579368109597?docs=true

o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18504
May 16, 2023, 06:54:17 PM
#26

And still they ignore the most pressing question that everyone is asking: Why is this even possible in the first place?

No answer for that question on Reddit or Twitter either. If this "feature" isn't business suicide, then their PR and current handling of the situation definitely is. How difficult is it to just come out and give some straight answers?

Zwei
Hero Member
Activity: 487
Merit: 536
All I need's a win.
May 16, 2023, 07:09:53 PM
Last edit: May 16, 2023, 07:38:17 PM by Zwei
Merited by LoyceV (4), vapourminer (2)
#27



Ledger literally just committed suicide.

Since the wallet with this new firmware has the ability to share your seed phrase with outside entities, it's just a matter of time for this to be exploited by a 3rd party.

RickDeckard (OP)
Legendary
Activity: 1008
Merit: 2908
May 16, 2023, 07:34:49 PM
Merited by LoyceV (4), vapourminer (1)
#28

Quote
And still they ignore the most pressing question that everyone is asking: Why is this even possible in the first place?

They are and the way that they are doing it is shocking - They keep stating that as long as the user doesn't activate the backup, then everything is OK. Look at this contradictory reply from Ledger Customer Success Team[1]:

Quote
  • Ledger designs what the code can and cannot do with the seed, and this has always been the case. As always, we design this code meticulously and with true security in mind every step of the way.
  • The new 2.2.1 firmware contains new code that can manipulate the seed in order to split it into 3 separate encrypted shards.
  • This new sharding feature, as with every other interaction that touches your seed, requires your consent with a physical button press in order to create the encrypted shards of your seed. If you're worried about this feature, you could choose to never trigger or accept the seed sharding operation.

They blatantly admitted that they have implemented a new feature that unlocked this possibility within the secure chip:

Quote
More precisely, the code running on the STM module now contains functionality to split the seed into encrypted shards, and only when the user consents to this operation with a physical button press.

These shards have additional mechanisms in place to make them truly useless for any purpose other than the Recover process that's been designed. Details for that are coming soon, but just know that this sharding cannot occur without your consent.

Since their customers were basically sold a lie - their recovery phrases would never be able to leave their device - isn't this a solid ground for a class-action lawsuit?

[1]https://safereddit.com/r/ledgerwallet/comments/13j5cna/introducing_ledger_recover_answering_your/jkea6xw/
[2]https://safereddit.com/r/ledgerwallet/comments/13j5cna/introducing_ledger_recover_answering_your/jkebms4/

Zwei
Hero Member
Activity: 487
Merit: 536
All I need's a win.
May 16, 2023, 07:50:18 PM
Merited by vapourminer (2)
#29

Quote
Since their customers were basically sold a lie - their recovery phrases would never be able to leave their device - isn't this a solid ground for a class-action lawsuit?

I think it was always possible via a firmware update for Nano X and the other models, but I don't think the same applies for Nano S based on their FAQ [1], "⚠️ Ledger Recover isn't compatible with Ledger Nano S." but why should we trust them anymore?
I'm not a lawyer, but I think there is definitely grounds for a class-action lawsuit since they 100% lied about keys never being able to leave the device, which was a key selling point.

[1] https://support.ledger.com/hc/en-us/articles/9579368109597-Ledger-Recover-FAQs?docs=true

stompix
Legendary
Activity: 2870
Merit: 6249
May 16, 2023, 08:04:12 PM
Merited by LoyceV (4), o_e_l_e_o (4), vapourminer (1), Zwei (1)
#30

Muhahahaha, what took them so long?
Just selling devices isn't making enough money, you don't make enough money out of selling a smartphone you make a ton on the apps the people are buying, so just as Mercedes wants a monthly fee for allowing you to fully use the car, how about Ledger charging you some monthly fee to lose all your money? Having people being their own banks and independent is simply not profitable, let's milk the cow while we have more and more users that are gullible enough to think that 9.99$ protects their money way better than they could do themselves.

Quote
Coincover provides the gold standard in digital asset security, addressing the most significant barrier to mainstream adoption: trust. If wallet access is lost, Coincover offers encrypted and military-grade storage for retrieving the key.

How many times have we heard about "gold standard" "military grade" and all those bs words only to find out a few years later the whole security was more like Swiss standard Emmental cheese?

What is going to be interesting to see is how this will unfold if we fast forward one year or two, the ones that know what this shit means will stop buying, but...the people who already bought one and are throwing it out of the window weren't in their soon to be again customer base anyhow, so a backlash from the old guard won't affect them so much, while the new generation that still believes in the #SAFU bs is way more numerous.
Interesting times, a ton of popcorn is needed as I'm pretty sure we're in for even dumber things down the road.

dragonvslinux
Legendary
Activity: 1666
Merit: 2204
May 16, 2023, 09:03:47 PM
Merited by o_e_l_e_o (4)
#31

Quote
And still they ignore the most pressing question that everyone is asking: Why is this even possible in the first place?

It seems the reality is that this was always possible, just not implemented as they didn't have a use case until now. Given the device firmware is closed source, the reality is this was always possible (apart from for Ledger Nano S possibly). This doesn't make the situation any better, if anything much worse, but it seems many misunderstood what Ledger meant when they said seed phrases can't leave your device. What they really meant is that with the current firmware it's not possible, or at least not integrated I should say.

Here is also another discussion about the new update for anyone interested (includes Ledger CTO):
https://twitter.com/i/spaces/1PlKQpLVpPBxE/peek

The one takeaway I am getting from this is that there apparently isn't an option for an alternative firmware because ultimately the device remains capable of sharding/encrypting your seed phrase in the first place. The only upside is that it requires device-based confirmation, similar to signing signatures, or at least so they claim. So in reality, although this is an additional attack vector if you opt for this new service, there potentially isn't an extra attack vector by simply upgrading your firmware. Because just like requiring device-based confirmation for a signature, this is also true for sharding/encrypting your seed phrase. So the theory of not upgrading the firmware in order to avoid an extra attack vector is a false narrative, as based on the current chip, it remains possible to shard/encrypt seed phrase anyway...

The bigger issue here is that sharing your seed phrase via device was never blocked by hardware, but instead firmware, up until now at least. Personally, I'm moving over to Trezor.

BitcoinGirl.Club
Legendary
Activity: 2744
Merit: 2711
Farewell LEO: o_e_l_e_o
May 16, 2023, 09:15:36 PM
#32

Quote
Seriously, do the management teams behind both wallets understand nothing about bitcoin?

It would be foolish to think that they don't understand the basics. Question is why they are pretending that they don't have the basic understanding. Who is behind all these?
Let me guess, it's those who are printing notes and doing everything from the taxpayers' money.

Question remains.
The device is not an offline device then?
Someone please answer it.

RickDeckard (OP)
Legendary
Activity: 1008
Merit: 2908
May 16, 2023, 09:54:57 PM
#33

Quote
The device is not an offline device then?
Someone please answer it.

To me the device no longer can be considered as an offline device. They say that they will be releasing more information about it but just look at this reply[1] from /u/btchip (Ledger Co-Founder):

Quote
The device sends encrypted shards of your seed to different companies if you decide to use the service. You can of course still choose to backup it yourself.

Whether the user chooses to subscribe to this service or not is irrelevant to this problem. From the moment that the secure chip allows this connection to happen I can't continue to believe that my keys are safe anymore.

[1] https://safereddit.com/r/ledgerwallet/comments/13itm7u/is_there_a_backdoor_yes_or_no/jkbyyfp/

Zwei
Hero Member
Activity: 487
Merit: 536
All I need's a win.
May 16, 2023, 10:19:15 PM
#34

Quote
It would be foolish to think that they don't understand the basics. Question is why they are pretending that they don't have the basic understanding. Who is behind all these?
Let me guess, it's those who are printing notes and doing everything from the taxpayers' money.

It's all about making money, money, money and maximizing profits.
Their plan was to create a subscription model for their product, but ended up with this huge pile of shit.

DireWolfM14
Copper Member
Legendary
Activity: 2170
Merit: 4237
May 16, 2023, 10:51:23 PM
#35

You can't fix stupid.

Stupidity is a chronic disorder.  This strikes me as Ledger attempting to cater to the least common denominator, i.e. the really stupid!  The trouble is that whenever you try to make something fool-proof, someone goes out and builds a better idiot.  Maybe they're trying to compete with Jack Dorsey's (Block Inc) policy of "Shared-Self-Custody."

examplens
Legendary
Activity: 3262
Merit: 3142
May 16, 2023, 11:02:57 PM
#36

Quote
You can't fix stupid.

Stupidity is a chronic disorder.  This strikes me as Ledger attempting to cater to the least common denominator, i.e. the really stupid!  The trouble is that whenever you try to make something fool-proof, someone goes out and builds a better idiot.  Maybe they're trying to compete with Jack Dorsey's (Block Inc) policy of "Shared-Self-Custody."

No matter how stupid it all sounds, this is still a positive thing. At least now we all know how unsafe it is and that there is a possibility of a backdoor, and this is a serious reason to completely abandon this product. Without this idiocy, many would still have full confidence in them.
How can we be sure that this seed phrase game is integrated only from firmware version 2.2.1? Have they already collected all the backups?

joker_josue
Legendary
Activity: 1638
Merit: 4505
**In BTC since 2013**
May 16, 2023, 11:56:55 PM
#37

Quote
I'm worried, since I have a Ledger Nano S :(

The Nano S version allegedly does not support this function. At least that's what it says right on its list of explanations about this "new" feature.



I really find it strange that they did something like that. It seems to me that they made a serious miscommunication and mis-explained this alleged feature. They end up opening a Pandora's box, taking away the doubt whether it will be possible to be exploited by hackers or not. Whether these devices really have a back door or not.

I no longer used their program (I never liked it), much less now. I only use it for Bitcoin, I don't need any firmware updates. Even because I only connect it to Electrum.

 

libert19
Hero Member
Activity: 2478
Merit: 940
May 17, 2023, 04:23:56 AM
#38

Quote
I wonder what they're thinking about when they're doing this?

Probably to generate profits for investors who have poured millions in.

Quote
I wonder why the Nano S Plus isn't mentioned? Maybe we can expect that in the release notes for the new S Plus firmware.

S Plus will be supported in future, it's addressed in FAQ.



p.s: I have Nano S, not sure how secure that is to not have this update available. Someone explain?



███████████████████████████
███████▄████████████▄██████
████████▄████████▄████████
███▀█████▀▄███▄▀█████▀███
█████▀█▀▄██▀▀▀██▄▀█▀█████
███████▄███████████▄███████
███████████████████████████
███████▀███████████▀███████
████▄██▄▀██▄▄▄██▀▄██▄████
████▄████▄▀███▀▄████▄████
██▄███▀▀█▀██████▀█▀███▄███
██▀█▀████████████████▀█▀███
███████████████████████████
.
.Duelbits.
..........UNLEASH..........
THE ULTIMATE
GAMING EXPERIENCE
DUELBITS
FANTASY
SPORTS
████▄▄█████▄▄
░▄████
███████████▄
▐███
███████████████▄
███
████████████████
███
████████████████▌
███
██████████████████
████████████████▀▀▀
███████████████▌
███████████████▌
████████████████
████████████████
████████████████
████▀▀███████▀▀
.
▬▬
VS
▬▬
████▄▄▄█████▄▄▄
░▄████████████████▄
▐██████████████████▄
████████████████████
████████████████████▌
█████████████████████
███████████████████
███████████████▌
███████████████▌
████████████████
████████████████
████████████████
████▀▀███████▀▀
/// PLAY FOR  FREE  ///
WIN FOR REAL
..PLAY NOW..
Wind_FURY
Legendary
*

Activity: 2898
Merit: 1814



May 17, 2023, 05:30:38 AM
 #39

Wait.... Just bought a Ledger wallet a week ago. I have some ETH inside. Should I take them off? Is it unsafe?


I believe you're safe from the backdoor if you don't update the firmware.

Seriously, do the management teams behind both wallets understand nothing about bitcoin?
It would be foolish to think that they don't understand the basics. The question is why they are pretending that they don't have the basic understanding. Who is behind all this?
Let me guess, it's those who are printing notes and doing everything from the taxpayers' money.

Question remains.
The device is not an offline device then?
Someone please answer it.


The trust is currently broken. Ledger says anyone can opt-out of the service, but how can we verify that the backdoor wasn't there the whole time?

Ledger said it's "impossible for them to extract" the master key from the device, then they're currently saying that they backdoored the device to "allow" them to extract the master key? Laughable.

Pmalek
Legendary
*

Activity: 2744
Merit: 7069



May 17, 2023, 06:55:13 AM
Merited by o_e_l_e_o (4), RickDeckard (2)
 #40

I'm still pretty skeptical about all this. Has Ledger put out any official statement or something that says the seed phrase won't be sent anywhere unless we subscribe to their monthly plan? However, even if such confirmation exists, we should still question whether we have any means of independently verifying this claim or if we're simply relying on their word. The mere possibility of the seed phrase leaving the hardware device and potentially being accessible online, in any form, undermines the fundamental purpose of a hardware wallet, which is to serve as the sole custodian of our private keys.
It's impossible to trust anything they say right now. If a software update can enable remote access to your seed, it means the option to do that was always there because they didn't release a new device or need to change the hardware. They just didn't use the sleeping seed-share option, or perhaps, no one forced them to use it. If they can enable such a feature with the user's consent, what stops them from enabling it without the user's consent if the user doesn't want to use it? All they have now is a promise they can't do it, but their words and guarantees are worth very little at this stage.

No matter how stupid it all sounds, this is still a positive thing. At least now we all know how unsafe it is and that there is a possibility of a backdoor, and this is a serious reason to completely abandon this product.
It's much more serious and goes further than that. If Ledger has an option to do that through the secure element they are using in their devices, the other manufacturers using the same or similar SE can also do it. Ledger just showed us that everything we thought we knew about hardware wallet security is false. One firmware upgrade can change everything. Who is to say you'll even have an option to reject this nonsense in the future, be it from Ledger or a competitor?
