Can Ledger Recover from ‘Ledger Recover?’

Ledger’s line of cryptocurrency hardware wallets is one of the most popular options for self-custody in the world. This popularity is heavily backed by the trust that a user’s private keys cannot be accessed without these devices. However, this trust has recently been shaken with the announcement of Ledger’s upcoming ‘Ledger Recover’ service, a monthly subscription that provides a backup of Secret Recovery Phrases.

Following the reveal, sales spiked on competing hardware wallets (Trezor saw a 900% increase), indicating many Ledger users intended to use other methods for self-custody. Are these concerns legitimate, or is the situation being overblown?

Understanding the controversy requires revisiting the basic use case of a hardware wallet. Software wallets, such as Metamask, are connected to the internet when using their stored private keys to make transactions on the blockchain, which can provide potential vulnerabilities. Hardware wallets have private keys saved on the device itself and do not expose this information to the internet.

Owners of hardware wallets are expected to keep their Secret Recovery Phrases personally secured in the instance they need to recover their private keys. Though this is a great responsibility, this also means that owners of hardware wallets are in complete control over their wealth.

Ledger believes that this personal responsibility is a barrier to self-custody, being described as a “hard-to-use form of storing and securing… seed phrases” in a tweeted letter by Pascal Gautheir, the company’s CEO. Ledger Recover encrypts a user’s private key within the hardware wallet, duplicates it, then divides it into three fragments that are secured individually by three separate companies- Coincover, Ledger, and EscrowTech. After a user proves their identity, at least two of these fragments are sent back to a Ledger device and they are reassembled within the device to rebuild their private key.

Many users see this method of private key recovery as adding an attack vector for the stealing or seizure of private keys. Fragments are not generated unless a user opts in to Ledger Recover, but concern was raised on the reveal that software for the service was part of firmware update 2.2.1 (which has since been taken down), raising questions on if this presented a vulnerability or a backdoor to private keys. This concern was then elevated to outrage when Ledger’s Twitter account briefly tweeted that “it is and always has been possible to write firmware that facilitates key extraction.” This tweet, an action that Pascal Gauthier described as “bad wording,” has since been removed. 

Amidst the controversy, the main concerns within the crypto community revolve around two questions: can Ledger create firmware that includes a backdoor to private keys, and is there a possibility of intercepting or subpoenaing these key fragments?

Long story short, Ledger’s response to these questions has been to trust them. Gauthier explained that there is currently no backdoor to private keys and that it would be “bad for business” during his interview with the YouTube channel What Bitcoin Did. He even went on to state that the company would publicize if they ever are required to implement one.

Fragments cannot be used to build private keys if intercepted since they are encrypted and can only be decrypted within a Ledger device. Fragments are only sent to devices after a user verifies their identity with the three parties that hold them- a process that hopefully cannot be spoofed.

Subpoenas, while possible, are “extremely improbable.”

Ledger has promised to open source more aspects of their operating system in a move to regenerate trust. In the end, however, Ledger owners will need to decide if they are going to trust the company to allow them to continue to use their hardware wallets to store their keys in the way they are used to.