In the Ledger sub tonight, a user posted a question asking how hardware wallets can be attacked.
This was my reply, which has been shadowbanned by Ledger:
“I understand the ledger holds the private key on the secure chip”
Sadly, that's not true anymore. Ledger wrote API code to extract keys from the device and send them over the internet to Ledger and their partner companies for their Ledger Recover service. In theory, that only happens if you subscribe, but since Ledger's code isn't open, there's no way for any of us to prove what it does or doesn't do.
Don't trust. Verify. Right? Well, you can't verify Ledger's code, so you have to decide whether or not you trust them.
Any hardware wallet can possibly get rogue firmware to extract keys, but Ledger actually put key extraction in their own firmware. I can't trust that.
“You now have an API in your firmware to extract seeds”
HERE'S A LINK to the user's question. Notice my reply isn't there. Here is a direct link to my reply, which I assume you can see.
The user is asking about how Ledger wallets can be attacked. The fact that his wallet now features key extraction code seems important, especially since he's specifically asking about safety and hacks, but Ledger is shadowbanning anyone who tries to give him that information.
If anybody is working on a class action lawsuit against Ledger, I hope you're keeping track of what they're doing.
This is what Ledger told customers:
“Private data, such as your private keys will be protected and never leave the device due to the combination of BOLOS and the Secure Element.”
Then Ledger wrote firmware to extract keys from our devices and send them over the internet to Ledger and their “partner companies.”
Ledger can't even promise those companies won't share your seed:
“These companies are not slaves to Ledger. We just have commercial agreement.”
— Ledger CEO Pascal Gauthier
But if you mention any of this on Ledger's sub, you'll be shadowbanned.
I'll give Ledger's CEO the last word here:
“If, for you, your privacy is of the utmost importance, please do not use our product, for sure.”