Ledger Under Fire for Allegedly Exposing User Seed Phrases
Crypto hardware wallet provider Ledger is receiving major backlash from its online user base after releasing a controversial update that many fear exposes major security flaws with the manufacturer.
Ledger has claimed that the new functionality is both safe and entirely optional, but security experts and crypto holders are already distancing themselves from the company.
Ledger’s Controversial Recovery Service
Concerns began to swell late on Monday after Reddit user Joe_Smith _Reddit published a post asking for an official “yes or no” on whether Ledger has a built-in backdoor for accessing users’ private keys. A private key is the secret alphanumeric string that lets users access their crypto on the blockchain.
Smith’s question specifically pertained to Ledger’s new “Ledger Recover” service – a subscription service for Nano X device holders that lets them recover their crypto even if they’ve lost both their wallet device and recovery phrase. A recovery phrase is a user’s private key expressed in mnemonic form.
According to Ledger, the service – enabled in firmware update 2.2.1 – works by duplicating the device’s recovery phrase on the device, encrypting the copy, fragmenting it into three parts, and securing it with Ledger, Coincover, and a third unnamed provider. To access the service, users must verify their identity using an ID document and a selfie recording.
In a follow-up Twitter thread on Tuesday, Ledger clarified that the service is entirely “optional” and is not automatically enabled by any firmware update. “Your Secret Recovery Phrase is securely generated on your device. We have no access to it,” the company added.
Can Ledger “Rug” Users’ Private Keys?
Despite Ledgers’ assurances, community concerns continued to swell around one key idea: the update proved that Ledger devices do not, despite the manufacturer’s claims, protect its users’ private keys from all external access.
“Trusting the proprietary secure element to do its part was the single thread that held this company together and now, that’s been severed,” wrote Reddit user StPinkie in response to Ledger on Tuesday. “I can no longer recommend Ledger to anyone who gives a damn about their digital sovereignty.”
Popular crypto developer, writer, and auditor “foobar” on Twitter echoed this response, urging followers to migrate away from Ledger wallets immediately.
Stop using Ledger hardware wallets. Migrate away from them immediately. They’ve shown nothing but gross incompetence and wild misunderstanding of their own purpose. And now they’ve publicly admitted to intentionally backdooring their own proprietary hardware. Stop using Ledger pic.twitter.com/LLFFUsOW4y
— foobar (@0xfoobar) May 16, 2023
“The glaring issue with this update is that this exposes your private key can be rugged at any time with a malicious or mistaken firmware update,” he added.
Other users noted the contradiction between Ledger’s assertions on its website that users’ keys “never leave the device,” versus its Ledger Recover service, which “distributes” users’ private keys to three different providers in shards, according to CEO Pascal Gauthier.
This is a masterclass in how to kill your core business trying to “innovate”.
I kept recommending you guys even after doxxing your customers, but this is the final straw.
— Chris Dunn (@ChrisDunnTV) May 16, 2023
Many in the community recommended that Ledger launch a separate wallet that offers a seed-recovery service, rather than rolling it out as a firmware update to existing customers who expected maximum security from their devices.
Ledger has compromised user security in the past by accidentally leaking personal information about over 270,000 customers in July 2020, who were later victims to email and SMS phishing campaigns. This leak did not impact the security of users’ private keys.
Ledger sales spiked in the aftermath of FTX’s collapse in November, precisely as investors sought to secure their own crypto safely without trusting centralized intermediaries.
The post Ledger Under Fire for Allegedly Exposing User Seed Phrases appeared first on CryptoPotato.
OhNoRipple via https://www.ohnocrypto.com/ @Andrew Throuvalas, @Khareem Sudlow