Exciting update, Ledger has a new product, Ledger Recover, that’s launching soon: https://www.ledger.com/recover
Self-custody is at the core of our offering, and your Secret Recovery Phrase is securely generated on your device. We have no access to it. This will NEVER change. We are uncompromising about security.
Here’s what Ledger Recover is and what it isn’t, explained by our CTO Charles Guillemet and further down below.
https://reddit.com/link/13j5cna/video/u4texr0t270b1/player
Ledger Recover is an optional subscription for users who want a backup of their secret recovery phrase. You don’t have to use it, and can continue managing your recovery phrase yourself if that’s why you bought a Ledger.
This is not automatically enabled by any firmware updates. This is your choice.
For full FAQs: https://support.ledger.com/hc/articles/9579368109597?docs=true
But first and foremost, how is your Secret Recovery Phrase (SRP) generated? Ledger uses the BIP39 standard for the generation of the SRP on all of our devices.
This is generated by the secure element of your device and is ONLY ever shared with you. Never us.
More here: https://support.ledger.com/hc/en-us/articles/4415198323089-How-Ledger-device-generates-24-word-recovery-phrase?docs=true
If you choose to subscribe, Ledger Recover encrypts a version of your private key and splits it into three fragments (using Shamir Secret Sharing) – all of this happens on the Secure Element chip, so your Secret Recovery Phrase is not at risk.
These encrypted fragments are stored by 3 different parties on cryptographically-secure Hardware Security Modules.
Individually, these encrypted fragments are completely useless. When you want to restore your keys, 2 of these 3rd parties will send back their fragments to your Ledger device (and not us as an organization), which will be able to reconstitute your Secret Recovery Phrase.
Decryption can ONLY happen on a Ledger’s Secure Element chip, which has never been compromised. So why did we develop Ledger Recover? To provide full peace of mind to some of our users.
You need to approve the service on your Ledger, otherwise the backup is never created. This is why we have secure hardware and a secure screen – trust your device. There's no backdoor to a backup.
Self-custody remains and will always be the core principle of Ledger. The ethos of self-custody is that it’s your choice – you can choose to manage all your assets yourself, or you can have a backup with Ledger Recover. It’s up to you – and that won’t change.
How to kill your business 101
Hell no wtf is this
This was a massive mistake
> When you want to restore your keys, 2 of these 3rd parties will send back their fragments to your Ledger device (and not us as an organization), which will be able to reconstitute your Secret Recovery Phrase.
Can this be done with any ledger device, or only the original device that created the fragments? If the former, could 2 of the 3 parties collude to create your secret phrase? Or someone with access to your identity gain access to the secret phrase?
Lawsuits coming. The premise the seed stayed secure on the chip was your entire business model which we now know was a lie all along
How could you think this was a good idea? You just destroyed your business.
> If you choose to subscribe, Ledger Recover encrypts a version of your private key and splits it into three fragments (using Shamir Secret Sharing) – all of this happens on the Secure Element chip, so your Secret Recovery Phrase is not at risk.
This is a reasonably meaningless distinction. The recovery phrase is used to create the private key using a derivation path. So, great, only the private key that controls access to actual funds is at risk, not every potential private key that could be created with the phrase. Yay?
> You need to approve the service on your Ledger, otherwise the backup is never created. This is why we have secure hardware and a secure screen – trust your device. There’s no backdoor to a backup.
The concern is that the secure enclave can export the secret key. Which means that malicious firmware can exfiltrate the secret key. This was not meant to be possible.
I get that firmware updates are under the control of the user, and Ledger firmware promises to never create features that exfiltrate the key without the user’s consent.
Frankly: Not good enough.
I don’t get it. It sounds like 2 out of 3 parts can be recombined via ANY Ledger device, since the service seems also intended for people who lost their ledgers.
If that is true, then it sounds like ANYONE with access to 2 of 3 parts and a ledger device can recombine the seed – not just the customer. The only thing preventing that seems to be a KYC check by the companies involved, but that carries various counterparty risks.
I hope they get a ton of negative feedback in their AMA. This shit needs to stop, right now
This is horrible
You need to open source this, otherwise it’s DOA.
Just ordered a Trezor. Going to try it out.
Class action lawsuit incoming..
This doesn’t change the fact that a firmware update can send the seed phrase out of a ledger, something you guys always claim. That’s not cool at all.
I can’t wrap my head around what you’re thinking with this. And there are so many red flags. Just picking up on a few
> These encrypted fragments are stored by 3 different parties on cryptographically-secure Hardware Security Modules
Those three companies are (according to the FAQ) an unnamed backup provider, Ledger themselves, and Coincover using an environment built by Ledger.
> When you want to restore your keys, 2 of these 3rd parties will send back their fragments to your Ledger device (and not us as an organization), which will be able to reconstitute your Secret Recovery Phrase.
Right, but you’re one of the companies holding a fragment and you built the architecture for one of the other companies. What’s the unnamed third “backup” company? Is it Regdel? Ledger wearing a fake moustache?
From your FAQs:
> Ledger Recover uses ID verification because we believe in self-custody and individual autonomy. Unlike the full KYC process, ID verifications are less complicated and reveal only the necessary information.
Because you care about individual autonomy you’re going to hold my personal data? That doesn’t sound very autonomous. Thankfully you have an excellent record of keeping personal data secure….. oh wait.
You keep repeating things like:
> Throughout this process, Ledger and our trusted providers have no access to your Secret Recovery Phrase.
But it doesn’t really matter, does it? You’re sharing something from which the SRP is derived (or I guess, based on your super fucking vague FAQs something derived from the root key, but that can be used to reconstitute the root key? I’ve no idea and you’ve not said exactly how this works). It’s like saying you’ll never share the photocopy of my passport whilst freely sharing my actual fucking passport.
This is insane, and I really worry about the thinking inside the company that thought this was in any way a good idea.
Because it’s so difficult to store our own secret words somewhere safe. Basically nerf the entire reason for a hardware wallet for some bullshit SAAS monetization. Time to grab a competitor wallet.
This is worse than the Bud Light campaign 🤣
Would I be able to get a refund if I return my Ledgers?
Who was the “genius” who thought this was a good idea?? I wanna know the name!!
You’ve got to be kidding me. If the firmware allows to send my keys to third parties, then this means it can be exploited. WHY in the world would you do this? I understand you want to offer additional services as a monthly subscription, but this can’t be worth it. I think I’m going to cancel my Stax pre-order.
Who ever suggested and approved this just killed your company
So this confirms data that is stored in the secure element can in fact leave it?
Can you open international refunds for people who don’t trust your company anymore?
Great, literally the only reason for me to buy a Ledger was the fact that not a single part of the Secret Key would leave the device. What a waste.
NOBODY NOT A SINGLE PERSON ASKED FOR THIS. Totally annihilates the entire purpose of owning a Ledger
The question you’re all not answering is, how is it possible for the secure element chip to be told to give up its secret key, in any fashion?
We bought Ledger because we were assured repeatedly and with audits that such a thing wasn’t possible.
How you store it doesn’t matter, please stop deflecting. Opt in doesn’t matter. How you encrypt it doesn’t matter.
What matters is, how can the secure element possibly give up any reconstructible form of the root key?
Edit: just want to point out, if you go to the Ledger CTO’s reddit account (sidebar) and look at his last post 3 years ago, it ends with this:
> => If ever, you use a wallet on which mnemonics extraction is possible, my recommendation is to maintain the mnemonics’ level of security and using a 256-bit entropy passphrase: ~36 random characters passphrase
Oh really guy? Tell me more about wallets with extractable mnemonics.
“Ledger Recover is an optional subscription for users who want a backup of their secret recovery phrase”
Any user who wants an “online” backup of their offline recovery phrase doesn’t really understand the purpose of a cold wallet and Ledger should not have compromised the security of their devices for everyone else by offering to do so!
“These encrypted fragments are stored by 3 different parties…”
And how do they get to these different parties? Not by osmosis!! They’re sent over the internet!!
The next time I connect my Ledger to my computer, it will be to send my crypto to a more secure cold wallet.
Hello, I have one unused Ledger I’d like to update to the latest firmware version WITHOUT Ledger Recover or other features which allow the device to send my seed somewhere else.
Which is the latest version which doesn’t include these “features”?
How can I update the device to that firmware version avoiding the new one?
Of course I’m not going to buy any new Ledger device from now on, I’d just like to know how to configure the one I already have.
This feature was a HUGE mistake no matter how secure you say it is. People who buy ledgers want to be fully in control of their seed phrase. Know your market, know your users. If we wanted KYC we’d keep our crypto on exchanges. Are you that desperate for monthly subscriptions that you’re willing to risk it all for it. Our trust? Bad bad move.
What’s stopping government entities from going to the companies who store the shards and demanding you hand them over?
It’s sad to see when a “trustworthy” company insults people’s intelligence.
So you’re trading millions of loyal users for a handful that “might” be willing to throw 10$ at you. Where did your team go to business school again?
My 10$ says nobody on your staff would even trust this service.
Trezor must be wondering why the enormous increase in sales all of a sudden.
Guys in trezor are now drinking beer celebrating 🍻😂
Old point of failure: We lost our recovery phrase AND ledger is damaged/lost.
New point of failure: 2/3 companies face a data breach at any point of time.
I wonder what is Ledger’s liability in case of fragment leaks….
Cold wallet company storing private keys on their servers (and already had a data breach in 2020). What could possibly go wrong?
Ledger, you need to stop this.
Got 4 nano s. I want a refund for all of them. Fucking bull shit. These things were not cheap.
Let’s clear up some misconceptions in this thread…
I’ll go through the comments here and address other points more specifically, but there are so many misconceptions here that I figured a pinned post would be best.
Guys – I don’t think we can be all that surprised. Take a look at the image they use on the order status page: https://my-order.ledger.com/build/images/my_order/my-order-login.png
It’s literally an illustration of a back door to your Ledger wallets.
You guys will lose market share like crazy – well deserved you greedy folks!
You need to open source this immediately. Otherwise it’s just another case of “trust us”
It’s crazy because this is such a terrible move. Do you think I’m going to risk 6+ figures just waiting to see if someone finds out how to exploit this? Literally killed your business and goes directly against the reason I’ve purchased multiple Ledgers and used them over the years. Like why blanket roll it out to all devices when your customer base wants cold wallets where the SRP never leaves the secure element in any fashion. The decision to not just make a separate product for the normies or more specifically “some people” is crazy, when going this route angers most users. Idk how Ledger saves face on this, this will be a great study some day in the future.
On the off chance they actually answer:
What we need answered in clear unambiguous terms is this: Is Ledger capable of writing firmware that can extract and read the seed. If they can write firmware that creates 3 shards surely they could theoretically write firmware that creates 1 shard (not really a shard if it’s the whole key obviously). They talk about needing to sign on the device to create these shards, is there anything enforcing this on a hardware level that you cannot overcome in software.
In other words is there anything physically stopping you on a hardware level from distributing firmware that could extract and send the seed to you if you so desired or were compelled.
Given they are more or less dancing around this almost certainly means they likely can do this. But they still need to unambiguously answer this question.
There is a big difference between “Trust us we won’t do this” and “Trust us we can’t do this” and I think basically every customer you have ever had bought the device with the marketing and understanding that we were under the “can’t” condition.
Great, my once secure device no longer secure from 3rd parties. Or it has been the whole time?
Time for a Trezor.
Great work killing your brand for a subscription model. Microtrans scum
Optional or not, this allows the sharing of keys from the device to the outside world.
This is not what your customers bought these devices for.
Is it really surprising that many users feel violated by this announcement?
This is so insane, it looks like you want to scare your customers away – a canary of sorts.
“While Ledger is using a dual chip system with an MCU as well, the important part is that your private keys remain inside the Secure Element. To process a transaction, the secure element lets you use the private key without allowing it to leave the chip. Equally the device’s firmware and all cryptographic operations reside within the chip too.”
“Private keys are stored and remain within the chip”
“Private keys ALWAYS remain within the Secure Element”
https://www.ledger.com/academy/security/not-all-chips-are-born-equal
“Always remember: not your keys, not your coins.”
https://www.ledger.com/blog/manage-stake-your-osmosis-through-ledger-live
I understand that you’re saying the Ledger recovery requires consent to enable. I understand that firmware is needed to enable it.
But it appears we were led to believe that NO private key is to leave the device and they would remain in the secure element. Now they can be sharded and handed over to third parties?
Worst move ledger could have made. I’m out.
You not only destroyed your own reputation, but also the reputation of everyone who promoted your products to their friends, family, and other crypto users.
CEO basically just admitted he’s a captured operation. Bounce.