Introducing Ledger Recover & Answering Your Questions

Exciting update, Ledger has a new product, Ledger Recover, that’s launching soon: https://www.ledger.com/recover

Self-custody is at the core of our offering, and your Secret Recovery Phrase is securely generated on your device. We have no access to it. This will NEVER change. We are uncompromising about security.

Here’s what Ledger Recover is and what it isn’t, explained by our CTO Charles Guillemet and further down below.

https://reddit.com/link/13j5cna/video/u4texr0t270b1/player

Ledger Recover is an optional subscription for users who want a backup of their secret recovery phrase. You don’t have to use it, and can continue managing your recovery phrase yourself if that’s why you bought a Ledger.

This is not automatically enabled by any firmware updates. This is your choice.

For full FAQs: https://support.ledger.com/hc/articles/9579368109597?docs=true

But first and foremost, how is your Secret Recovery Phrase (SRP) generated? Ledger uses the BIP39 standard for the generation of the SRP on all of our devices.

This is generated by the secure element of your device and is ONLY ever shared with you. Never us.

More here: https://support.ledger.com/hc/en-us/articles/4415198323089-How-Ledger-device-generates-24-word-recovery-phrase?docs=true

If you choose to subscribe, Ledger Recover encrypts a version of your private key and splits it into three fragments (using Shamir Secret Sharing) – all of this happens on the Secure Element chip, so your Secret Recovery Phrase is not at risk.

These encrypted fragments are stored by 3 different parties on cryptographically-secure Hardware Security Modules.

Individually, these encrypted fragments are completely useless. When you want to restore your keys, 2 of these 3rd parties will send back their fragments to your Ledger device (and not us as an organization), which will be able to reconstitute your Secret Recovery Phrase.

Decryption can ONLY happen on a Ledger’s Secure Element chip, which has never been compromised. So why did we develop Ledger Recover? To provide full peace of mind to some of our users.

You need to approve the service on your Ledger, otherwise the backup is never created. This is why we have secure hardware and a secure screen – trust your device. There's no backdoor to a backup.

Self-custody remains and will always be the core principle of Ledger. The ethos of self-custody is that it’s your choice – you can choose to manage all your assets yourself, or you can have a backup with Ledger Recover. It’s up to you – and that won’t change.

50 thoughts on “Introducing Ledger Recover & Answering Your Questions”

  1. >When you want to restore your keys, 2 of these 3rd parties will send back their fragments to your Ledger device (and not us as an organization), which will be able to reconstitute your Secret Recovery Phrase.

    Can this be done with any ledger device, or only the original device that created the fragments? If the former, could 2 of the 3 parties collude to create your secret phrase? Or someone with access to your identity gain access to the secret phrase?

  2. Lawsuits coming. The premise the seed stayed secure on the chip was your entire business model which we now know was a lie all along

  3. > If you choose to subscribe, Ledger Recover encrypts a version of your private key and splits it into three fragments (using Shamir Secret Sharing) – all of this happens on the Secure Element chip, so your Secret Recovery Phrase is not at risk.

    This is a reasonably meaningless distinction. The recovery phrase is used to create the private key using a derivation path. So, great, only the private key that controls access to actual funds is at risk, not every potential private key that could be created with the phrase. Yay?

    >You need to approve the service on your Ledger, otherwise the backup is never created. This is why we have secure hardware and a secure screen – trust your device. There’s no backdoor to a backup.

    The concern is that the secure enclave can export the secret key. Which means that malicious firmware can exfiltrate the secret key. This was not meant to be possible.

    I get that firmware updates are under the control of the user, and Ledger firmware promises to never create features that exfiltrate the key without the user’s consent.

    Frankly: Not good enough.

  4. I don’t get it. It sounds like 2 out of 3 parts can be recombined via ANY Ledger device, since the service seems also intended for people who lost their ledgers.

    If that is true, then it sounds like ANYONE with access to 2 of 3 parts and a ledger device can recombine the seed – not just the customer. The only thing preventing that seems to be a KYC check by the companies involved, but that carries various counterparty risks.

  5. I hope they get a ton of negative feedback in their AMA. This shit needs to stop, right now

  6. This doesn’t change the fact that a firmware update can send the seed phrase out of a ledger, something you guys always claim. That’s not cool at all.

  7. I can’t wrap my head around what you’re thinking with this. And there are so many red flags. Just picking up on a few

    > These encrypted fragments are stored by 3 different parties on cryptographically-secure Hardware Security Modules

    Those three companies (according to the FAQ) are an unnamed backup provider, Ledger themselves, and Coincover using an environment built by Ledger.

    > When you want to restore your keys, 2 of these 3rd parties will send back their fragments to your Ledger device (and not us as an organization), which will be able to reconstitute your Secret Recovery Phrase.

    Right, but you’re one of the companies holding a fragment and you built the architecture for one of the other companies. What’s the unnamed third “backup” company? Is it Regdel? Ledger wearing a fake moustache?

    From your FAQs:

    > Ledger Recover uses ID verification because we believe in self-custody and individual autonomy. Unlike the full KYC process, ID verifications are less complicated and reveal only the necessary information.

    Because you care about individual autonomy you’re going to hold my personal data? That doesn’t sound very autonomous. Thankfully you have an excellent record of keeping personal data secure….. oh wait.

    You keep repeating things like:

    > Throughout this process, Ledger and our trusted providers have no access to your Secret Recovery Phrase.

    But it doesn’t really matter, does it? You’re sharing something from which the SRP is derived (or I guess, based on your super fucking vague FAQs something derived from the root key, but that can be used to reconstitute the root key? I’ve no idea and you’ve not said exactly how this works). It’s like saying you’ll never share the photocopy of my passport whilst freely sharing my actual fucking passport.

    This is insane, and I really worry about the thinking inside the company that thought this was in any way a good idea.

  8. Because it’s so difficult to store our own secret words somewhere safe. Basically nerf the entire reason for a hardware wallet for some bullshit SAAS monetization. Time to grab a competitor wallet.

  9. Who was the “genius” who thought this was a good idea?? I wanna know the name!!

  10. You’ve got to be kidding me. If the firmware allows to send my keys to third parties, then this means it can be exploited. WHY in the world would you do this? I understand you want to offer additional services as a monthly subscription, but this can’t be worth it. I think I’m going to cancel my Stax pre-order.

  11. Can you open an international refund for people that don’t trust your company anymore?

  12. Great, literally the only reason for me to buy a Ledger was the fact that not a single part of the Secret Key would leave the device. What a waste.

  13. NOBODY NOT A SINGLE PERSON ASKED FOR THIS. Totally annihilates the entire purpose of owning a Ledger

  14. The question you’re all not answering is, how is it possible for the secure element chip to be told to give up its secret key, in any fashion?

    We bought Ledger because we were assured repeatedly and with audits that such a thing wasn’t possible.

    How you store it doesn’t matter, please stop deflecting. Opt in doesn’t matter. How you encrypt it doesn’t matter.

    What matters is, how can the secure element possibly give up any reconstructible form of the root key?

    Edit: just want to point out, if you go to the Ledger CTO’s reddit account (sidebar) and look at his last post 3 years ago, it ends with this:

    > => If ever, you use a wallet on which mnemonics extraction is possible, my recommendation is to maintain the mnemonics’ level of security and using a 256-bit entropy passphrase: ~36 random characters passphrase

    Oh really guy? Tell me more about wallets with extractable mnemonics.

  15. “Ledger Recover is an optional subscription for users who want a backup of their secret recovery phrase”

    Any user who wants an “online” backup of their offline recovery phrase doesn’t really understand the purpose of a cold wallet and Ledger should not have compromised the security of their devices for everyone else by offering to do so!

    “These encrypted fragments are stored by 3 different parties…”

    And how do they get to these different parties? Not by osmosis!! They’re sent over the internet!!

    The next time I connect my ledger to my computer, it will be to send my crypto to a more secure cold wallet.

  16. Hello, I have one unused Ledger I’d like to update to the latest firmware version WITHOUT Ledger Recover or other features which allow the device to send my seed somewhere else.

    Which is the latest version which doesn’t include these “features”?

    How can I update the device to that firmware version avoiding the new one?

    Of course I’m not going to buy any new Ledger device from now on, I’d just like to know how to configure the one I already have.

  17. This feature was a HUGE mistake no matter how secure you say it is. People who buy ledgers want to be fully in control of their seed phrase. Know your market, know your users. If we wanted KYC we’d keep our crypto on exchanges. Are you that desperate for monthly subscriptions that you’re willing to risk it all for it. Our trust? Bad bad move.

  18. What’s stopping government entities from going to the companies who store the shards and demanding you hand them over?

  19. So you’re trading millions of loyal users for a handful that “might” be willing to throw 10$ at you. Where did your team go to business school again?

    My 10$ says nobody on your staff would even trust this service.

  20. Old point of failure: We lost our recovery phrase AND ledger is damaged/lost.

    New point of failure: 2/3 companies face a data breach at any point of time.

    I wonder what is ledger’s liability in case of fragments leaks ….

  21. Cold wallet company storing private keys on their servers (and already had a data breach in 2020). What could possibly go wrong?

  22. Got 4 nano s. I want a refund for all of them. Fucking bull shit. These things were not cheap.

  23. Let’s clear up some misconceptions in this thread…

    • The secure element chip in the device is a little computer that is completely programmable. The program that runs on this chip can access and manipulate your seed, so obviously the security surrounding this code is very very important.
    • There are strong security mechanisms in place that ensure that only code that is written by Ledger can run on your device, and that any code with access to the seed cannot be modified by an attacker.
    • There are also mechanisms in place to ensure a rogue actor inside of Ledger cannot push firmware updates without buy-in from all key stakeholders within the company.
    • Ledger designs what the code can and cannot do with the seed, and this has always been the case. As always, we design this code meticulously and with true security in mind every step of the way.
    • The new 2.2.1 firmware contains new code that can manipulate the seed in order to split it into 3 separate encrypted shards.
    • This new sharding feature, as with every other interaction that touches your seed, requires your consent with a physical button press in order to create the encrypted shards of your seed. If you’re worried about this feature, you could choose to never trigger or accept the seed sharding operation.
    • It’s worth repeating: No sharding can happen without your explicit consent. It requires a physical confirmation on the device itself.
    • The rest of the Ledger Recover service, where the shards are transported to and held by 3 separate and independent companies, the KYC, and the rest, are all upstream of this. If you are not the kind of person to want a secure backup of your seed phrase, then it’s totally your choice to never use this service and ignore that it exists.
    • When you see us saying “it’s optional,” I want to be clear this is what they mean. If you never click the button to create the shards, then the rest of the service can be totally ignored, and you can be confident you’re not at all interacting with any of it.

    I’ll go through the comments here and address other points more specifically, but there are so many misconceptions here that I figured a pinned post would be best.

  24. Guys – I don’t think we can be all that surprised. Take a look at the image they use on the order status page: https://my-order.ledger.com/build/images/my_order/my-order-login.png

    It’s literally an illustration of a back door to your Ledger wallets.

  25. You need to open source this immediately. Otherwise it’s just another case of “trust us”

  26. It’s crazy because this is such a terrible move. Do you think I’m going to risk 6+ figures just waiting to see if someone finds out how to exploit this. Literally killed your business and go directly against the reason I’ve purchased multiple ledgers and used them over the years. Like why blanket roll it out to all devices when your customer base wants cold wallets where the srp never leaves the secure element in any fashion. The decision to not just make a separate product for the normies or more specifically “some people” is crazy, when going this route angers most users. Idk how ledger saves face on this, this will be a great study some day in the future.

  27. On the off chance they actually answer:

    What we need answered in clear unambiguous terms is this: Is Ledger capable of writing firmware that can extract and read the seed. If they can write firmware that creates 3 shards surely they could theoretically write firmware that creates 1 shard (not really a shard if it’s the whole key obviously). They talk about needing to sign on the device to create these shards, is there anything enforcing this on a hardware level that you cannot overcome in software.

    In other words is there anything physically stopping you on a hardware level from distributing firmware that could extract and send the seed to you if you so desired or were compelled.

    Given they are more or less dancing around this almost certainly means they likely can do this. But they still need to unambiguously answer this question.

    There is a big difference between “Trust us we won’t do this” and “Trust us we can’t do this” and I think basically every customer you have ever had bought the device with the marketing and understanding that we were under the “can’t” condition.

  28. Great, my once secure device no longer secure from 3rd parties. Or it has been the whole time?

    Time for a Trezor.

    Great work killing your brand for a subscription model. Microtrans scum

  29. Optional or not, this allows the sharing of keys from the device to the outside world.

    This is not what your customers bought these devices for.

    Is it really surprising that many users feel violated by this announcement?

    This is so insane, it looks like you want to scare your customers away – a canary of sorts.

  30. “While Ledger is using a dual chip system with an MCU as well, the important part is that your private keys remain inside the Secure Element. To process a transaction, the secure element lets you use the private key without allowing it to leave the chip. Equally the device’s firmware and all cryptographic operations reside within the chip too.”

    “Private keys are stored and remain within the chip”

    “Private keys ALWAYS remain within the Secure Element”

    https://www.ledger.com/academy/security/not-all-chips-are-born-equal

    “Always remember: not your keys, not your coins.”

    https://www.ledger.com/blog/manage-stake-your-osmosis-through-ledger-live

    I understand that you’re saying the Ledger recovery requires consent to enable. I understand that firmware is needed to enable it.

    But it appears we were led to believe that NO private key is to leave the device and they would remain in the secure element. Now they can be sharded and handed over to third parties?

  31. You not only destroyed your own reputation, but also the reputation of everyone who promoted your products to their friends, family, and other crypto users.
