Ledger Recovery - Send your (encrypted) recovery phrase to 3rd parties entities

[RickDeckard]

Right. But approve what?
Does the person have to repeat the passphrase in order to be registered in this "recovery program"? Or is it just a mere question, which person answers "yes"?

From what I can comprehend from Ledger replies all over Twitter, it seems that a prompt will appear on the device screen asking you if you want to subscrive to the service (or a similar message). If you decide to approve by means of physically pressing the button on your Ledger then this circus happens[1]:

If a user decides to subscribe to Ledger Recover, then his/her SRP will be encrypted, fragmented into three parts, and each part will be sent end-to-end encrypted between your Ledger product and the backup providers' secure Hardware Security Models (HSMs – not in the cloud).

Basically they are, once again, saying that a copy of your Secret Recovery Phrase will be encrypted and then sent over to 3 entities by E2E encryption channels. What they keep claiming is that without a user concept, Ledger isn't able to proactively access their users SRP[2]:

Ledger acts as backup provider for only one encrypted fragment, and a single fragment doesn't allow the SRP to be recovered.
Ledger cannot access any user’s SRPs, nor will it be able to do so at any point in the future.

Remember o_e_l_e_o previously linked tweet[3]? I'll like you to introduce you to the following statement[4] by Ledger about 4h ago:

Someone correct me if I'm wrong, but isn't Ledger openly admitting that enabling this feature was always possible from the beginning? Isn't this mocking their userbase?

EDIT: Look at this Twitter user[5] - When faced with the decision to evaluate what is worse - either a company accessing their SRP within the secure chip or having the user to type the seed so that Ledger could send it over to their partners - they would prefer to have the last option being implemented which is shocking as both of them goes against the core principles of the products being sold by Ledger. What's even worse is that Ledger comes up and actually says "No, you're wrong, we don't need that, that would go against our motto ( ), we just need your consent and we can syphon away a copy of your SRP and send them over to our partners".

EDIT 2: Ledger just keeps giving wood[6][7] to a fire that keeps on growing:

[1]https://nitter.it/Ledger_Support/status/1658828387807264772
[2]https://nitter.it/Ledger_Support/status/1658824425192521728
[3]https://bitcointalk.org/index.php?topic=5452900.msg62258795#msg62258795
[4]https://nitter.it/Ledger_Support/status/1658910942405566485
[5]https://nitter.it/Ledger_Support/status/1658978163047776257
[6]https://nitter.it/Ledger_Support/status/1658892462440456192
[7]https://nitter.it/Ledger_Support/status/1658970979417088000

[1714284451]

1714284451

[1714284451]

1714284451

[1714284451]

1714284451

[1714284451]

1714284451

[1714284451]

1714284451

[Volgastallion]

I think Ledger want to be the first oficial """"""aproved hardware wallet"""""" by the goverments/stablishment, i cant find another idea about what are they doing.

Because this seem very very similar at how it works the payment system on shops online when you paid with credit/debit card. You never give to the local where you are buying you credit card info, you send that information to a third party who say its OK or not and make the payment in conection with the bank and the commerce.

So i think this its very similar, they are making some lobby and making some new units of business with someone to be the first and only """"LEGAL"""" hardware wallet.
Trusted by some XXX third party companie who the goverment aproves and they are all friend between them.

And yes before you say, they sell their soul to the devil.

[Sarah Azhari]

I have a few bitcoin savings in Ledger Nano s which I never open since 2 years ago, and I never connect with Live applications except only connect with Electrum. So, does my ledger have an impact or effect? I don't want to try it and don't intend to open it now, because I save it for the next 10-15 years, now, I have doubts if is it really safe to continue it or if I must move my balance to another hardware wallet, Please give me instruction what the best, I'm still young and only have bitcoin as my current investment for future.

[tread93]

If anyone is wondering how can an entity destroy the concept of their own products - in this case by exporting the seed phrase to outside entities, even if it is encrypted - then wait no more because Ledger will launch their new service, Ledger Recover[1]:

Ledger is preparing to launch a new service called Ledger Recover that splits a wallet recovery phrase—basically, a human-readable form of the private key—into three encrypted shards and distributes them to three custodians: Ledger, crypto custody firm Coincover, and code escrow company EscrowTech.  If somebody loses their recovery phrase, two of the three shards can be combined—pending an ID check—to regain access to the locked funds. Essentially, Ledger Recover is an additional safety net; for the price of $9.99 a month, it takes the jeopardy out of crypto’s version of stuffing dollars under the mattress. It’ll be available in the UK, EU, US, and Canada and come to other territories later in the year.
(...)
Ledger Recover is a service, he says, not a feature—one that provides all the niceties and safety mechanisms regular people are looking for. The fragments of the recovery phase are encrypted and stored by each custodian on specially secured servers, and the balance of the user’s wallet is covered up to a value of €50,000 ($55,000) if something goes awry, a little like deposit insurance at a bank. It’s also being designed with a less technical user in mind.

I've tried to look upon any more news regarding this paid service, but so far I'm not able to find anything on Ledger website (release notes are currently on OS version 2.1.0). The only reference that I found was this[2] Reddit post where the concept appears in Ledger Nano X newest firmware update (2.2.1):

I believe most Ledger customers will see this as a service to subscribe to since this will be seen as a "safe heaven" in order to avoid the loss of their funds, or even an alternative that holds their hand and makes them feel safe regarding their funds. Sadly they aren't aware of what is actually happening in the background, but I don't think most people will care as long as they have another option to access their funds...
[1]https://www.wired.co.uk/article/ftx-crypto-investors-hardware-wallets
[2]https://safereddit.com/r/CryptoCurrency/comments/13im3bc/wtf_ledger_this_is_a_disaster_waiting_to_happen/

Hands down worst thing they could ever do, talk about shooting yourself in the foot. Did the company honestly think about how crypto users of their wallets would take this news? They thought they were moving a step in the right direction here I guess. Even with the best intentions this is putting people at even greater risks to malicious and bad actors

[mendace]

An update is irrelevant. As I explained earlier in this thread and in the tweet just above, the whole point of Ledger's Secure Element was that the private keys could never leave the Secure Element. We now know that claim is a lie, and has therefore been a lie since day one. A simple piece of code is all that is required to extract your private keys. All Ledger devices are vulnerable whether or not you opt in to this or update to the latest firmware.

But at this point with Ledger's statement, all devices (even coldcards for example) that have the same secure element chip are vulnerable or am I wrong?  Because if it's true that until yesterday you couldn't extract the private key, today it seems that it can be done simply via software, and who can guarantee me that it can't be done with others as well?

[satscraper]

According to their statement

Right. But approve what?
Does the person have to repeat the passphrase in order to be registered in this "recovery program"? Or is it just a mere question, which person answers "yes"?

Does it in fact matter for those ones who will never approve that shit?

Or you are bothering of those pinks who are going to fall for the bait?

[joker_josue]

~~

I am getting the point.

In that sense, if the person never updates the firmware, everything will remain the same. Although you already know that if the equipment falls into the wrong hands, this situation can be exploited.

Furthermore, this may have left a message to hackers that eventually there is a backdoor, and therefore they will be able to look for it with greater intensity. By the way, taking into account that this firmware came to be available (now it is no longer, right), many may already be analyzing to see if they detect where this back door is.

Although I think they have a big miscommunication on this topic, they will hardly be able to control this situation.

[Pmalek]

I have a few bitcoin savings in Ledger Nano s which I never open since 2 years ago, and I never connect with Live applications except only connect with Electrum. So, does my ledger have an impact or effect? I don't want to try it and don't intend to open it now, because I save it for the next 10-15 years, now, I have doubts if is it really safe to continue it or if I must move my balance to another hardware wallet, Please give me instruction what the best, I'm still young and only have bitcoin as my current investment for future.

Here is the problem. Ledger is one of many hardware wallet brands that use a secure element chip whose sole job was to keep your seed and private keys offline. Meaning, it was supposed to be impossible that sensitive information leaves the chip and gets transmitted online. Turns out, that's not the case at all. The Ledger Nano X secure element can change its behavior after a software update, allowing you to "voluntarily" share your keys online with 3rd-parties. Soon, the same thing will be possible for the Nano S Plus. Apparently, only the old Nano S can't implement this feature.

In theory, unless you update to the newest firmware that unlocks seed-share and approve it physically by pressing the buttons on your Nano, the feature won't work. That's just the theory. It's again a matter of trust. We have trusted Ledger to protect our keys and we trusted them when they said nothing can ever leave the safe enclosure of the secure element. That trust is now gone because the most valuable data can, in fact, leave the SE.

Now you have to make up your own mind. Are you going to trust that what they have said about Ledger Recover is accurate, and that they need your approval to share your seed? Or, can they just do it with or without your consent? They have already told us that data was always obtainable from secure element chips, they just didn't activate that feature before.   

[NotATether]

I think Ledger want to be the first oficial """"""aproved hardware wallet"""""" by the goverments/stablishment, i cant find another idea about what are they doing.

Because this seem very very similar at how it works the payment system on shops online when you paid with credit/debit card. You never give to the local where you are buying you credit card info, you send that information to a third party who say its OK or not and make the payment in conection with the bank and the commerce.

So i think this its very similar, they are making some lobby and making some new units of business with someone to be the first and only """"LEGAL"""" hardware wallet.
Trusted by some XXX third party companie who the goverment aproves and they are all friend between them.

And yes before you say, they sell their soul to the devil.

I'm guessing the endgame here is to sell the company to some big bank or to Paypal or someone else, there's literally no other reason why they would want a government to "approve" a hardware wallet unless they don't mind making it easier for Feds to seize cold storage coins at a whim.

Here is the problem. Ledger is one of many hardware wallet brands that use a secure element chip whose sole job was to keep your seed and private keys offline. Meaning, it was supposed to be impossible that sensitive information leaves the chip and gets transmitted online. Turns out, that's not the case at all. The Ledger Nano X secure element can change its behavior after a software update, allowing you to "voluntarily" share your keys online with 3rd-parties. Soon, the same thing will be possible for the Nano S Plus. Apparently, only the old Nano S can't implement this feature.

In theory, unless you update to the newest firmware that unlocks seed-share and approve it physically by pressing the buttons on your Nano, the feature won't work. That's just the theory. It's again a matter of trust. We have trusted Ledger to protect our keys and we trusted them when they said nothing can ever leave the safe enclosure of the secure element. That trust is now gone because the most valuable data can, in fact, leave the SE.

Now you have to make up your own mind. Are you going to trust that what they have said about Ledger Recover is accurate, and that they need your approval to share your seed? Or, can they just do it with or without your consent? They have already told us that data was always obtainable from secure element chips, they just didn't activate that feature before.   

You should not trust the usage of the secure chip unless all of the code and firmware is open-source and signed, so that you can verify all of the interactions with the secure chip.

[o_e_l_e_o]

But at this point with Ledger's statement, all devices (even coldcards for example) that have the same secure element chip are vulnerable or am I wrong?

You are correct. All Ledger devices use the same internal framework, and we know that it has been possible all along for the secure elements to export private keys, which is completely contradictory to all the claims Ledger have previously made.

In theory, unless you update to the newest firmware that unlocks seed-share and approve it physically by pressing the buttons on your Nano, the feature won't work.

Which is completely irrelevant. Given that a simple software update means the secret element can now export private keys, then a simple software update could make this feature mandatory, or could remove the need for any physical button presses, or could take everyone's private keys without their knowledge or consent. The whole point of the secure element is moot. The entire security of the device hinges on non malicious software.

It's probably worth pointing out that this is also the case for Trezor devices, which everyone on Reddit seems to be keen to move to. If Trezor implement malicious software, then the same thing will happen. The only hardware wallet I would even think about touching right now is a Passport - permanently airgapped and completely open source - but as I said before, airgapped, encrypted, cold storage on an old laptop or similar is far preferable.

[HeRetiK]

[...]

The way that Ledger is partially closed source always left a sour taste in my mouth but I had given them the benefit of the doubt by virtue of being one of the oldest hardware wallet vendors around.

Alas, thank you Ledger for reminding me that giving someone the benefit of the doubt is never a good idea in the crypto space.

Right. But approve what?
Does the person have to repeat the passphrase in order to be registered in this "recovery program"? Or is it just a mere question, which person answers "yes"?

Does it in fact matter for those ones who will never approve that shit?

Or you are bothering of those pinks who are going to fall for the bait?

Repeating the passphrase, while stupid, would at least have implied that the seed isn't extracted from the "secure element".

However the Tweets referenced by RickDeckard point towards the firmware being able to extract the seed directly. In that case "requiring" the user to press "yes" doesn't matter. It's just security theater. There's nothing stopping the firmware from extracting and sending the seed without user interaction.

It's probably worth pointing out that this is also the case for Trezor devices, which everyone on Reddit seems to be keen to move to. If Trezor implement malicious software, then the same thing will happen. The only hardware wallet I would even think about touching right now is a Passport - permanently airgapped and completely open source - but as I said before, airgapped, encrypted, cold storage on an old laptop or similar is far preferable.

Source? From my understanding of Trezor's architecture the private key never leaves the chip -- the firmware is only able to send messages in and getting signed messages out. Which is also why all key extraction attacks (that I'm aware of) have to rely on side channel and glitching attacks rather than simply flashing the Trezor with malicious firmware (which anyone could, since unlike Ledger, everything single component of Trezor is open source).

[mendace]

But at this point with Ledger's statement, all devices (even coldcards for example) that have the same secure element chip are vulnerable or am I wrong?

You are correct. All Ledger devices use the same internal framework, and we know that it has been possible all along for the secure elements to export private keys, which is completely contradictory to all the claims Ledger have previously made.

In theory, unless you update to the newest firmware that unlocks seed-share and approve it physically by pressing the buttons on your Nano, the feature won't work.

Which is completely irrelevant. Given that a simple software update means the secret element can now export private keys, then a simple software update could make this feature mandatory, or could remove the need for any physical button presses, or could take everyone's private keys without their knowledge or consent. The whole point of the secure element is moot. The entire security of the device hinges on non malicious software.

It's probably worth pointing out that this is also the case for Trezor devices, which everyone on Reddit seems to be keen to move to. If Trezor implement malicious software, then the same thing will happen. The only hardware wallet I would even think about touching right now is a Passport - permanently airgapped and completely open source - but as I said before, airgapped, encrypted, cold storage on an old laptop or similar is far preferable.

The problem is that the chip in question (ST31H320 chip)  is not only on the ledger but who knows how many other devices and this compromises an entire part of security that until today we thought was inviolable.  And in all honesty, Ledger doesn't worry me but the hackers who will try to force the servers after such news, because even if Ledger were to operate correctly and keep the seeds separate in some way they must know how to recompose that seed and it will be just that Achilles' heel.

[LoyceV]

Hey, I can compete with this! For only $8.99 per month I'll keep a backup of all your seed phrases, and I guarantee you that if your funds ever gets lost, I'll blame you and you won't get €50,000 from me! Still not convinced? Unlike Ledger, I've never leaked full address data of millions of my customers. How's that?

This is so bad that i might give them negative feedback if they have account on this forum.

I've actually done that to "services" that ask users to send their seed phrase. This is no different.

And considering this "feature" require ID verification where Ledger already leak user data in past, it feels like disaster waiting to happen. By disaster, i mean your legal document will be leaked and misused by criminal to perform identity theft.

Don't be so pessimistic, they don't need to misuse your identity if they can use it to recover your seed phrase from Ledger directly.
Sorry, I can't stop being sarcastic about this
It's genius though: first telling people never to share their seed phrase with anyone, then telling them it's okay to share it as long as they pay a monthly subscription fee.

So the very fact that this exists, even if you don't sign up for it, means that the next firmware update for Ledger devices will create a process by which your seed phrase is extracted from your hardware device, downloaded on to your computer, and then sent across the internet. That is a massive attack vector. It negates literally the entire point of a hardware wallet to keep your seed phrase and private keys isolated from computers and the internet. Not to mention this gives governments a very easy path to seizing all your assets, if they want, and allows all your coins to be stolen with some very basic social engineering. If you have completed KYC anywhere ever, then you've given away all an attacker needs to recover your seed phrase and empty your wallets.

Remember when Trezor and Ledger were the two best hardware wallets out there, and every thread had people (me included!) recommending either/both of them. How the mighty have fallen! Both are complete and utter trash now, completely ruined by awful decisions such as this one. Seriously, do the management teams behind both wallets understand nothing about bitcoin?

More and more I am glad that I have moved pretty much exclusively to airgapped, encrypted, cold storage for the bulk of my bitcoin. I know that my wallets will never suddenly pose a massive security and/or privacy risk out of the blue because of some absolutely moronic decision by a third party trying to squeeze more and more profits out of their customers.

I've never trusted hardware wallets with any substantial amount. Being paranoid has it's perks. I haven't even updated the firmware in a long time, and I don't regret it.
And some people say paper wallets are outdated!

To become part of their revolutionary seed sharing solution, you have to subscribe to it somewhere, give your consent, and agree to pay those $9.99 per month. So, you don't have to use it.

But can you ever be sure? I wouldn't want my seed phrases to be 1 tick box away from being send to them, and risk they take it anyway.

Given that a simple software update means the secret element can now export private keys, then a simple software update could make this feature mandatory, or could remove the need for any physical button presses, or could take everyone's private keys without their knowledge or consent. The whole point of the secure element is moot. The entire security of the device hinges on non malicious software.

How long would it take before there's malware that replaces the firmware and steals your funds?

Just a thought: did yogg get a new job at Ledger or something? They're both from France and planning the biggest exit scam ever would be the only thing that makes sense.

Serious question: can you upgrade the firmware without unlocking the device?

[o_e_l_e_o]

From my understanding of Trezor's architecture the private key never leaves the chip -- the firmware is only able to send messages in and getting signed messages out.

Which is exactly what Ledger said about their secure element. At the end of the day, the hardware, software, and all the architecture is designed and built by a single entity, and if they wanted to extract your private keys, they could. If Trezor's microcontroller was actually impervious to such attacks, then why are they trying to build their own secure element?

[vv181]

Seriously, this decision wouldn't be made without a lot of discussion and some research/statistics. Ledger is a company, business and aim is to increase profit. Me and you analyze that by implementing this subscription service, one thing is clear, we have to pay money for worsened security. I'm laughing so much, just thinking, what a stupid person you should be to pay money for a service that absolutely abandons the idea of owning a hardware wallet. I mean, you buy a hardware wallet for improved security and then subscribe their service for decreased security, this is such a crazy thing. But Ledger packs all of these positively, in order to generate money, you need to conquer the heart of majority, not minority, majority of people are not smart, minority are, they simply take an advantage of the situation.

How not to run a company, 101.

I bet their sales will increase, we will see. It offers people an option that they want. Do people lose their keys? Yes. Do they want a recovery option? Yes. Do people think that hardware wallet is safer than any other type of wallet? Yes but do they know why? No, they have just heard that. Do people think that they are confiscating their security by subscribing ledger's service? No. I know it sounds crazy but don't expect people to think and analyze things the way you do.

One thing that came to my mind is also their market research. Surely they should have done it right?

"Ledger Recover is what our future 100m of customers want - they will onboard into crypto in a secure way with Ledger Recover." -@_pgauthier

"Ask yourself... Where do users keep their private keys... On an exchange 🙈 @cz_binance In the cloud 🙈 On a password manager 🙈 In a software wallet 🙈Ledger Recover fixes this. It will also help the next 100M users to onboard self custody 😎 And... (1) You dont have to use it if you don't want to (2) it changes nothing to your ledger. Only you are in charge of your private keys and what you do with them..."-@_pgauthier

I think it seems clear that regardless of any market research outcome of their current customers, and any potential future customer outlook, they have chosen another path.

Ledger has proven didn't protect its customer data. Twice, due to the hacks incident. And now they are moving this way to implement such a system. Those who need it, notwithstanding any consequences, are free to utilize it, on the other hand, anyone who at least bothers to have some "standard" should refrain from using any of Ledger devices and educates other about its risks. Even the key extraction is possible in the first place, it is not worth advocating for them to stop it.

[Synchronice]

Seriously, this decision wouldn't be made without a lot of discussion and some research/statistics. Ledger is a company, business and aim is to increase profit. Me and you analyze that by implementing this subscription service, one thing is clear, we have to pay money for worsened security. I'm laughing so much, just thinking, what a stupid person you should be to pay money for a service that absolutely abandons the idea of owning a hardware wallet. I mean, you buy a hardware wallet for improved security and then subscribe their service for decreased security, this is such a crazy thing. But Ledger packs all of these positively, in order to generate money, you need to conquer the heart of majority, not minority, majority of people are not smart, minority are, they simply take an advantage of the situation.

How not to run a company, 101.

I bet their sales will increase, we will see. It offers people an option that they want. Do people lose their keys? Yes. Do they want a recovery option? Yes. Do people think that hardware wallet is safer than any other type of wallet? Yes but do they know why? No, they have just heard that. Do people think that they are confiscating their security by subscribing ledger's service? No. I know it sounds crazy but don't expect people to think and analyze things the way you do.

One thing that came to my mind is also their market research. Surely they should have done it right?

"Ledger Recover is what our future 100m of customers want - they will onboard into crypto in a secure way with Ledger Recover." -@_pgauthier

"Ask yourself... Where do users keep their private keys... On an exchange 🙈 @cz_binance In the cloud 🙈 On a password manager 🙈 In a software wallet 🙈Ledger Recover fixes this. It will also help the next 100M users to onboard self custody 😎 And... (1) You dont have to use it if you don't want to (2) it changes nothing to your ledger. Only you are in charge of your private keys and what you do with them..."-@_pgauthier

I think it seems clear that regardless of any market research outcome of their current customers, and any potential future customer outlook, they have chosen another path.

Ledger has proven didn't protect its customer data. Twice, due to the hacks incident. And now they are moving this way to implement such a system. Those who need it, notwithstanding any consequences, are free to utilize it, on the other hand, anyone who at least bothers to have some "standard" should refrain from using any of Ledger devices and educates other about its risks. Even the key extraction is possible in the first place, it is not worth advocating for them to stop it.

Exactly! I haven't really seen their tweet yesterday but this is what I predicted. This sounds crazy for me, for you and for some other members but not for the majority. When you run a company and want to increase sales and profit, your aim and priority should be to fulfill the needs of majority of your users and as they have stated, this is what their future 100 million users want and Ledger definitely wants monthly $900M dollars
And I don't believe in built-in optional features, it's optional formally, you don't actually know how optional it is.

[Pmalek]

You should not trust the usage of the secure chip unless all of the code and firmware is open-source and signed, so that you can verify all of the interactions with the secure chip.

They mentioned in some of their correspondence that Ledger Recover will be open-source, but that changes nothing if you ask me. Let's say the code confirms every word they have said about Ledger Recover, would you be comfortable using it due to its open-source nature? The sharing of private keys with others is a big no-go, and so is the possibility that such a feature is even possible.

It's probably worth pointing out that this is also the case for Trezor devices, which everyone on Reddit seems to be keen to move to. If Trezor implement malicious software, then the same thing will happen.

The same is possible on all other hardware wallets using similar types of secure element chips. Ledger exposed the whole industry, not just their own business model. We now know that SEs can communicate remotely with other servers if the code tells it to. All non-airgapped hardware wallets are no longer offline devices that have a secure and impenetrable storage for private keys.

But can you ever be sure? I wouldn't want my seed phrases to be 1 tick box away from being send to them, and risk they take it anyway.

Of course not. I am just stating what the gentlemen from Ledger said.

Serious question: can you upgrade the firmware without unlocking the device?

You have to enter your unlocking PIN the moment you connect your Ledger to your computer to get it to communicate with Ledger Live. I think the firmware gets updated through the Ledger Device Manager, so you have to open that app as well.

[HeRetiK]

From my understanding of Trezor's architecture the private key never leaves the chip -- the firmware is only able to send messages in and getting signed messages out.

Which is exactly what Ledger said about their secure element. At the end of the day, the hardware, software, and all the architecture is designed and built by a single entity, and if they wanted to extract your private keys, they could. If Trezor's microcontroller was actually impervious to such attacks, then why are they trying to build their own secure element?

Ledger is partially closed source, so there's always been a black box surrounding their "secure element". Accordingly security researchers were somewhat limited in their research.

Trezor on the other hand is completely open source, from top to bottom, from hardware to software. Accordingly security researches have been able to take it apart completely. Theoretically you can even build one yourself! And while they did find vulnerabilities that enabled the extraction of private keys with physical access, none of these where as simple as just adding custom firmware to the device. Which is something that for Trezor hardware would be fairly trivial, given the open nature of the device. Heck, there's even a guide by Trezor themselves on how to flash your device with custom firmware within their GUI: https://trezor.io/learn/a/downgrade-firmware-trezor-model-one

If extracting the seed from a Trezor were as simple as a malicious firmware update I'm fairly certain we'd know at that point. Otherwise researchers wouldn't have to rely on side channel attacks [1] or forcing RAM dumps by physically glitching the hardware [2][3]. [2] also briefly touches on why the seed itself can't be accessed by custom firmware at around the 38:45 mark.
(afaik [2] is still a threat, but [1] has been fixed before public disclosure and [3] seems to have been mitigated by increasing PIN length [4])

[1] https://jochen-hoenicke.de/crypto/trezor-power-analysis/
[2] https://av.tib.eu/media/39203
[3] https://cointelegraph.com/news/trezor-wallets-can-be-hacked-kraken-reveals
[4] https://www.reddit.com/r/Bitcoin/comments/sdx4r6/psa_trezor_doesnt_have_the_oftmentioned_seed/

TL;DR: Trezor we can verify, Ledger we have to trust. And what a misplacement of trust that has been.

[Pmalek]

<Snip>

Let's also not forget that it took a famous hardware hacker three months to discover a vulnerability in a Trezor he had physical access to. And the only reason it worked was because the device used an outdated firmware version that made such a vulnerability possible. That has been patched a long time ago. Trezors remain vulnerable to physical manipulation, but you must know what you are doing. A random thief doesn't. Even if the required hardware for a successful attack isn't expensive, it's not something most people keep in their garage or know how to use. 

[joker_josue]

Serious question: can you upgrade the firmware without unlocking the device?

You have to enter your unlocking PIN the moment you connect your Ledger to your computer to get it to communicate with Ledger Live. I think the firmware gets updated through the Ledger Device Manager, so you have to open that app as well.

If you never connect Ledger to the Ledger Live program, it will not receive any updates, or it will not even be able to install wallets for other currencies.

I never used Ledger Live, only when it was initial setup for Bitcoin. Otherwise I only work with Electrum. That way, I don't even know if it has updates or not pending in the past. Knowing this, I'm not even going to open Ledger Live on my computer. Alias was even uninstalled.