Need some clarity regarding Ledger Recover’s Trust Model

[promise444c5]

Recently I was going to thorough an Article explaining Ledger recover services from Ledger’s page :

Ledger Recover is a paid optional subscription service for those who want to back up their wallet access, allowing more users to access a secure and seamless user experience in Web3.

That’s not even the a problem.. The real issue is what they wrote here:

The next step in the process is decryption. So you may be wondering “Do I have to enter my seed phrase into a new device?”

The answer is no. Your device will take care of that for you following the verified identification. When you want to restore your wallet, you initiate the recovery from Ledger Wallet™. You’ll have to log in to your account and then go through two independent identity verification processes. At this point, two of the three parties will send back their fragments to your Ledger signer using the same secure channel mechanism. Once contained in the secure element, they are decrypted and reconstitute your seed phrase.

This is quite suspicious.

So I have to submit my KYC in order to retrieve fragments of my own seed sent back to my Ledger device.. Doesn’t this implies that same Ledger holds the KYC, handles the upload, and the same Ledger handles how the decryption should be done? . Trying to understand how this is meaningfully different from a centralized entity?

The fact that Ledger Recover exists at all is alarming. It requires firmware that can possibly access & export the seed, and that firmware is closed source… So if there’s no way to independently verify , then isn’t it possible that ledger can access seed even if the user has not opted in fr Ledger Recover?

They went further and stated:

Well, if you believe third parties cannot be trusted, Ledger Recover is probably not for you.

Doesn’t  this  introduces new trust assumptions ?

Source of quotes

[Charles-Tim]

This is what most of us that know about this on this forum really against. Ledger Nano are not offline wallets, they are completely online wallets. If t is not online, how are the seed phrase sent to the anti-privacy companies for backup?

Did you know that if government want to seize the coin, it will be very easy for them. Ledger said they will give government the seed phrase if any legal action that says the coins should be seized is sent to them. It is not about the seizing of the coins that I meant, but about how you are not only the one that have access to your coins. It is completely centralized.

[bitmover]

This is what most of us that know about this on this forum really against. Ledger Nano are not offline wallets, they are completely online wallets. If t is not online, how are the seed phrase sent to the anti-privacy companies for backup?

This is only valid for newer models. 
Leger nano S and Nano X work without this feature. I have both and they dont have such feature. X supports it    but you must enable it.

I bought them years before such feature existed...

[Charles-Tim]

This is only valid for newer models. 
Leger nano S and Nano X work without this feature. I have both and they dont have such feature. X supports it but you must enable it.

Other Ledger devices made after Nano X also has it but it has to be enabled, it is not something that is compulsory. What people do not like about it is that why should such thing even exist at all? According to what you post, likely it is only Ledger Nano S that does not has the anti-privacy feature.

[bitmover]

This is only valid for newer models. 
Leger nano S and Nano X work without this feature. I have both and they dont have such feature. X supports it but you must enable it.

Other Ledger devices made after Nano X also has it but it has to be enabled, it is not something that is compulsory. What people do not like about it is that why should such thing even exist at all? According to what you post, likely it is only Ledger Nano S that does not has the anti-privacy feature.

Yeah  i agree.

This feature shouldn't exist, and it was amazing error by ledger team.

I used to only have good things to say about ledger. Not anymore.

Although I still love my devices, I know the company is making mistakes after mistakes in newer models and it's policies  I would definitely buy a trezor now if I needed

[Meuserna]

This is what most of us that know about this on this forum really against. Ledger Nano are not offline wallets, they are completely online wallets. If t is not online, how are the seed phrase sent to the anti-privacy companies for backup?

This is only valid for newer models.  
Leger nano S and Nano X work without this feature. I have both and they dont have such feature. X supports it    but you must enable it.

I bought them years before such feature existed...

But you can't prove that none of the code required for Ledger Recover isn't baked into the firmware on your device, which means you can't prove hackers (or Ledger, or Ledger's partners) can't access the keys in your device.

Remember, Ledger is the company that said:

"Your keys are always stored on your device and never leave it"

Then they wrote an API to do it, and they baked that API into their firmware and put it on your device whether you like it or not.

Just because the feature isn't compatible, that doesn't mean none of the code required to access your keys over the internet isn't on your device.

In my opinion, this makes the device even more dangerous. Users assume safety, while hackers assume there's vulnerability to be found.

Assuming safety is a mistake.

Bitcoin is open source. I would never trust my coins to closed source code, and I'd certainly never trust a company that lies so often about so many important things.

Here's a good example:

"WE ARE OPEN SOURCE"

Ledger printed that on the boxes for their hardware wallets which run closed source code. That is absolute scumbaggery.

Ledger is a terrible company.

Other Ledger devices made after Nano X also has it but it has to be enabled, it is not something that is compulsory. What people do not like about it is that why should such thing even exist at all? According to what you post, likely it is only Ledger Nano S that does not has the anti-privacy feature.

Actually, what people who understand the importance of open source code don't like about Ledger Recover is that you can't prove it can't be enabled remotely.

You assume it can't be enabled remotely. You can't prove it.

You can't prove it because the code isn't open, so you have to just assume. "Well, they said..." And they lie, so their word is trash.

No hardware wallet should be reachable over the internet. Period. Anyone who thinks otherwise doesn't understand how Bitcoin signatures work or what hardware wallets actually do.

The point of using a hardware wallet is to be able to sign transactions without exposing your keys. Key extraction code is a key exposure risk. Even if you don't enable that feature... even if Ledger doesn't offer that feature for your device... if the code required to enable key extraction is on your device, your coins are at risk. It's just a matter of time until somebody figures out how to hack the code to enable the feature remotely.

[Pmalek]

This is only valid for newer models. 
Leger nano S and Nano X work without this feature. I have both and they dont have such feature. X supports it    but you must enable it.

I bought them years before such feature existed...

Ledger Nano S is the only device that doesn't support Ledger Recover. Allegedly. There is no way to prove that claim. Considering that the Nano S has very limited internal storage, the claim may be true. Also, the last firmware update for the Nano S was released in November 2021. Nothing has been released after that. Unless they already added seed extraction code in that firmware upgrade four years ago, you should be safe from Ledger Recover. Again, there is no way to prove it.

Ledger also said that they would make Ledger Recover or crucial parts of it open-source. That didn't happen, and I doubt it will. Instead, the company released a physical seed backup in the form of a card. Ledger Recovery Key. I think that product is open-source, but you would still be using it with closed-source firmware installed on their hardware wallets.

[FinneysTrueVision]

Ledger has a famous security team that has found vulnerabilities in other hardware wallets, but it seems hypocritical that they have not made an effort to become fully open source so their own code can be independently audited.

The way Ledger Recover is supposed to work, your seed is divided into shards and those shards are encrypted and sent separately to three different companies located in different countries. Those three countries’ governments happen to work closely together, so it would be trivial for law enforcement to gain access to your wallet. This does not seem much better than keeping all your cryptocurrency on Coinbase. At least Coinbase doesn’t charge a monthly fee for the privilege of being able to steal from you.

[Lucius]

But you can't prove that none of the code required for Ledger Recover isn't baked into the firmware on your device, which means you can't prove hackers (or Ledger, or Ledger's partners) can't access the keys in your device.

Remember, Ledger is the company that said:

"Your keys are always stored on your device and never leave it"

~snip~

It is not strange to me that some beginners believe that they are safe because they have their device that supposedly does not support seed extraction, but I find it very strange that experienced people still believe that this company is telling the truth when they have messed up so many times or been caught in a lie.

As much as I find such behavior strange, everyone is responsible for themselves, and if something bad happens and someone finds a way to extract seeds remotely, I have no doubt that all those who still believe in that company will blame it instead of themselves. I was personally relieved when I removed all the coins from their devices.

[Yamane_Keto]

The fact that Ledger Recover exists at all is alarming. It requires firmware that can possibly access & export the seed, and that firmware is closed source… So if there’s no way to independently verify , then isn’t it possible that ledger can access seed even if the user has not opted in fr Ledger Recover?

Ledger Recover service is distributed, not centralized. The seeds are encrypted and distributed to Ledger, Coincover, and EscrowTech. Coincover, and EscrowTech trust Ledger by default, and when Ledger asks them to sign a message, they will do. If Ledger servers are hacked, you will be safe, but you still need to trust Ledger.

Leger nano S and Nano X work without this feature. I have both and they dont have such feature. X supports it    but you must enable it.

I bought them years before such feature existed...

At some point firmware updates may be necessary

[promise444c5]

Ledger Recover service is distributed, not centralized. The seeds are encrypted and distributed to Ledger, Coincover, and EscrowTech. Coincover, and EscrowTech trust Ledger by default, and when Ledger asks them to sign a message, they will do. If Ledger servers are hacked, you will be safe, but you still need to trust Ledger

How are you sure the shards are truly distributed… and even if they are, how would you monitor what is actually happening to them? In practice, you are forced to blindly trust that no party is openly or secretly breaking the rules.

What about the government? Can’t they simply obtain the shards through a court order, or even prevent future retrieval, assuming all other scenarios have already been considered…

[Yamane_Keto]

How are you sure the shards are truly distributed… and even if they are, how would you monitor what is actually happening to them? In practice, you are forced to blindly trust that no party is openly or secretly breaking the rules.

It is a Shamir Secret Sharing (SSS) encryption process where you need the device you first used to create the recovery service, complete ID-verification and then wait a week to be able to decrypt the file and access your wallet.



Source https://www.ledger.com/blog/part-1-genesis-of-ledger-recover-self-custody-without-compromise

What about the government? Can’t they simply obtain the shards through a court order, or even prevent future retrieval, assuming all other scenarios have already been considered…

government can access your account, just as Ledger did. Therefore, forum members do not recommend using this wallet.

[Meuserna]

How are you sure the shards are truly distributed… and even if they are, how would you monitor what is actually happening to them? In practice, you are forced to blindly trust that no party is openly or secretly breaking the rules.

It is a Shamir Secret Sharing (SSS) encryption process where you need the device you first used to create the recovery service, complete ID-verification and then wait a week to be able to decrypt the file and access your wallet.

Nobody can prove it though. That's the problem.

Bitcoin is open source. Every step of the way, the code is open and published in full, which allows anyone to prove what the code does.

I keep seeing people post assumptions about what Ledger's code does. Or, worse, they quote Ledger as if Ledger is a trustworthy source. Ledger's word cannot be trusted. Ledger has lied to their users so many times, publicly:

"Your keys are always stored on your device and never leave it"

SOURCE: btchip, Ledger Co-Founder, on May 14th, 2023.
https://np.reddit.com/r/ledgerwallet/comments/13gs0xn/using_ledger_with_3rd_party_wallets/jk34kcn/

They were saying that while writing a key extraction API to bake into their firmware.

That's like your wife saying she'd never cheat on you while she's booking a hotel room for her and some other guy to have sex in.

It's such a brazen lie, and it's one of many.

Their website used to say this, before they had to scrub it and delete delete delete:

"Private data, such as your private keys will be protected and never leave the device due to the combination of BOLOS and the Secure Element."

"The secret keys or seed are never exposed to the BLE stack and never, ever leave the Secure Element."

"While Ledger is using a dual chip system with an MCU as well, the important part is that your private keys remain inside the Secure Element."

"This means that, beyond keeping your private key offline and away from hackers, the Ledger device itself is also completely impenetrable from external threats"

Every one of those is a lie. By adding a key extraction API to the firmware for the device, they opened the device to external threats. And they keep the code closed source so no one can prove anything.

And if you're thinking "Well, I'm safe because Ledger Recover isn't compatible with my model," you're wrong. Even if your Ledger isn't compatible, parts of the code are still in your firmware, just waiting to be exploited by hackers. And Ledger Live is loaded with trackers, so it's not like hackers will have trouble finding you.

The whole thing is a disaster waiting to happen.

[Lucius]

~snip~
What about the government? Can’t they simply obtain the shards through a court order, or even prevent future retrieval, assuming all other scenarios have already been considered…

You've already received an answer, and I guess it makes it clear to everyone that all those who use the recovery option or Ledger in general could become those who will fill national reserves with coins that can become part of the seizure at any time for any reason. I don't understand why anyone wants to live with such a risk that they can eliminate for a few dozen $ by buying a new hardware wallet.

~snip~
At some point firmware updates may be necessary

This happened to me when I tried to empty all wallets on the X model, I simply couldn't make transactions with some alts until I upgraded to the latest firmware.