Ledger’s line of cryptocurrency hardware wallets is one of the most popular options for self-custody in the world. This popularity is heavily backed by the trust that a user’s private keys cannot be accessed without these devices. However, this trust has recently been shaken with the announcement of Ledger’s upcoming ‘Ledger Recover’ service, a monthly subscription that provides a backup of Secret Recovery Phrases.
Following the reveal, sales spiked on competing hardware wallets (Trezor saw a 900% increase), indicating many Ledger users intended to use other methods for self-custody. Are these concerns legitimate, or is the situation being overblown?
Understanding the controversy requires revisiting the basic use case of a hardware wallet. Software wallets, such as Metamask, are connected to the internet when using their stored private keys to make transactions on the blockchain, which can provide potential vulnerabilities. Hardware wallets have private keys saved on the device itself and do not expose this information to the internet.
Owners of hardware wallets are expected to keep their Secret Recovery Phrases personally secured in the instance they need to recover their private keys. Though this is a great responsibility, this also means that owners of hardware wallets are in complete control over their wealth.
Ledger believes that this personal responsibility is a barrier to self-custody, being described as a “hard-to-use form of storing and securing… seed phrases” in a tweeted letter by Pascal Gautheir, the company’s CEO. Ledger Recover encrypts a user’s private key within the hardware wallet, duplicates it, then divides it into three fragments that are secured individually by three separate companies- Coincover, Ledger, and EscrowTech. After a user proves their identity, at least two of these fragments are sent back to a Ledger device and they are reassembled within the device to rebuild their private key.
I want to address the feedback over Ledger Recover, the way it was communicated, and share our path forward. Read my letter and join our town hall with our leadership team to learn more.
🧵👉 https://t.co/2hlPrMwzaN pic.twitter.com/juVBOpWeeG
— Pascal Gauthier @Ledger (@_pgauthier) May 23, 2023
Many users see this method of private key recovery as adding an attack vector for the stealing or seizure of private keys. Fragments are not generated unless a user opts in to Ledger Recover, but concern was raised on the reveal that software for the service was part of firmware update 2.2.1 (which has since been taken down), raising questions on if this presented a vulnerability or a backdoor to private keys. This concern was then elevated to outrage when Ledger’s Twitter account briefly tweeted that “it is and always has been possible to write firmware that facilitates key extraction.” This tweet, an action that Pascal Gauthier described as “bad wording,” has since been removed.
Nov 2022: A firmware update cannot extract the private keys from the Secure Element — Ledger
May 2023: Technically speaking it is and always has been possible to write firmware that facilitates key extraction — Ledger@Ledger, do you now understand the problem? pic.twitter.com/czG53SuCOu
— olimpio (@OlimpioCrypto) May 17, 2023
Amidst the controversy, the main concerns within the crypto community revolve around two questions: can Ledger create firmware that includes a backdoor to private keys, and is there a possibility of intercepting or subpoenaing these key fragments?
Long story short, Ledger’s response to these questions has been to trust them. Gauthier explained that there is currently no backdoor to private keys and that it would be “bad for business” during his interview with the YouTube channel What Bitcoin Did. He even went on to state that the company would publicize if they ever are required to implement one.
Fragments cannot be used to build private keys if intercepted since they are encrypted and can only be decrypted within a Ledger device. Fragments are only sent to devices after a user verifies their identity with the three parties that hold them- a process that hopefully cannot be spoofed.
Subpoenas, while possible, are “extremely improbable.”
Ledger has promised to open source more aspects of their operating system in a move to regenerate trust. In the end, however, Ledger owners will need to decide if they are going to trust the company to allow them to continue to use their hardware wallets to store their keys in the way they are used to.
Ledger’s mission is, and will always be, to provide our users with the right tools to own their digital value securely.
We have decided to accelerate our open-sourcing roadmap to bring more verifiability to everything we do.
A thread 🧵 pic.twitter.com/Dv0jBCM4Ys
— Charles Guillemet (@P3b7_) May 23, 2023
This is a Contributor Post. Opinions expressed here are opinions of the Contributor. Influencive does not endorse or review brands mentioned; does not and cannot investigate relationships with brands, products, and people mentioned and is up to the Contributor to disclose. Contributors, amongst other accounts and articles may be professional fee-based.