WTF Ledger? This is a disaster waiting to happen… The new Ledger Nano X Firmware introduces an option to let them backup your seed.

Ledger firmware

I can't actually believe what I'm reading. It seems absolutely crazy for a hardware wallet provider to encourage you to back up your seed phrase online AND hand over your passport/ID, especially a provider that has previously suffered a data breach! But with today's Ledger Nano X firmware (2.2.1) update, they're introducing a service/feature called "Ledger Recover". Strangely, at the time of posting the firmware release notes are not yet available on their website, but it is very real (see attached screenshot).

The release notes state:

Starting today, you can subscribe to Ledger Recover.

Ledger Recover is an ID-based key recovery service that provides a backup for your Secret Recovery Phrase.

Ledger Recover is currently compatible with Ledger Nano X and available on Android and iOS running the latest Ledger Live version.

At the moment, a passport/national identity card issued by the European Union, the United Kingdom, Canada, or the United States is required to subscribe to the service. We will be covering more countries and adding support for more documents in the coming months. Stay tuned.

Again, I'm in disbelief about this. Apart from the risk that they're breached again, and apart from it flying in the face of the first rule of self-custody (never share your seed, never store it online), it opens the door to a whole new level of crypto scammers: once the vendor itself has a sanctioned flow in which the seed leaves the device, "enter your recovery phrase to back it up" becomes a story every phishing page can tell.

Ledger, please reconsider this.

Ledger Recover

//edit to add more information

More information from a Wired article. The co-founder also confirmed on the Ledger forum that the seed leaves the device. This is a 2-of-3 threshold split of the seed (secret sharing), not multisig: in a multisig setup no single party ever holds a complete key, whereas here the full seed is what gets split and what gets rebuilt, so whoever holds two shards and passes the ID check ends up with the whole seed. Still... Nope!

Ledger is preparing to launch a new service called Ledger Recover that splits a wallet recovery phrase—basically, a human-readable form of the private key—into three encrypted shards and distributes them to three custodians: Ledger, crypto custody firm Coincover, and code escrow company EscrowTech. If somebody loses their recovery phrase, two of the three shards can be combined—pending an ID check—to regain access to the locked funds. Essentially, Ledger Recover is an additional safety net; for the price of $9.99 a month, it takes the jeopardy out of crypto’s version of stuffing dollars under the mattress. It’ll be available in the UK, EU, US, and Canada and come to other territories later in the year.
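To make the "two of three shards" mechanism concrete, here is an added example of 2-of-3 Shamir secret sharing over GF(2^8) applied to the 32 bytes of entropy behind a 24-word recovery phrase. This is illustration code written for this post, not Ledger's implementation (which is not public here); it omits the per-shard encryption and the ID check the Wired piece mentions, and the 32-byte secret is constructed sample data. It shows two things a practitioner will want to check: any two shards reconstruct the entire seed, and a single shard on its own is consistent with every possible seed (so a single custodian learns nothing, but two colluding ones learn everything).

```python
"""Added example: 2-of-3 Shamir secret sharing of seed entropy over GF(2^8).
Not Ledger's code. The seed bytes below are constructed sample data."""
import secrets


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES reducing polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse: a^254 == a^-1 for nonzero a in GF(2^8)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def split_secret(secret: bytes, n: int, k: int, rng=secrets.token_bytes) -> list:
    """Split `secret` into n shares, any k of which reconstruct it.
    Each byte gets its own random polynomial of degree k-1 whose constant
    term is the secret byte; share i is the polynomial evaluated at x=i+1."""
    if not 1 <= k <= n <= 255:
        raise ValueError("need 1 <= k <= n <= 255")
    shares = [bytearray() for _ in range(n)]
    for s in secret:
        coeffs = [s] + list(rng(k - 1))      # coeffs[0] is the secret byte
        for i in range(n):
            x, y = i + 1, 0
            for c in reversed(coeffs):       # Horner evaluation at x
                y = gf_mul(y, x) ^ c
            shares[i].append(y)
    return [(i + 1, bytes(sh)) for i, sh in enumerate(shares)]


def recover_secret(shares: list) -> bytes:
    """Lagrange-interpolate each byte's polynomial at x=0 from k shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    out = bytearray()
    for pos in range(len(shares[0][1])):
        acc = 0
        for i, (xi, yi) in enumerate(shares):
            num = den = 1
            for j, (xj, _) in enumerate(shares):
                if i != j:
                    num = gf_mul(num, xj)        # (0 - xj) == xj in char 2
                    den = gf_mul(den, xi ^ xj)   # (xi - xj) == xi ^ xj
            acc ^= gf_mul(yi[pos], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


def secrets_consistent_with_one_share(x: int, y: int) -> int:
    """For k=2 and one share (x, y) of a single byte, count how many secret
    bytes s admit a polynomial s + a1*x with value y. Since a1 -> a1*x is a
    bijection for x != 0, every s is possible: the answer is 256."""
    return len({y ^ gf_mul(a1, x) for a1 in range(256)})


def demo() -> dict:
    """Constructed 32-byte seed entropy (a real 24-word phrase encodes 256 bits)."""
    seed = bytes(range(32))
    shards = split_secret(seed, n=3, k=2)     # shards for Ledger, Coincover, EscrowTech
    return {
        "any_two_recover": all(
            recover_secret(pair) == seed
            for pair in ([shards[0], shards[1]], [shards[0], shards[2]], [shards[1], shards[2]])
        ),
        "one_shard_candidates": secrets_consistent_with_one_share(shards[0][0], shards[0][1][0]),
    }


if __name__ == "__main__":
    print(demo())
```

The security-relevant part is not the arithmetic but where it runs: the polynomial coefficients are generated from the complete seed, so whatever computes the split has the seed in the clear, and whoever assembles two shards gets the complete seed back. The only thing standing between a pair of custodians and your funds is the ID check and their refusal to collude; the threshold math does not protect against either.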

50 thoughts on “WTF Ledger? This is a disaster waiting to happen… The new Ledger Nano X Firmware introduces an option to let them backup your seed.”

  1. Sounds familiar to Reddit allowing cloud backups of seed phrases. If there's one thing you shouldn't do with these things it's a cloud backup.

    That’s like cybersecurity 101

  2. Whaaaaaaaat? Doesn't it defeat the whole purpose of a cold wallet? What is the point, damnit

  3. I don’t understand why any sane company would think it was a good idea to store your seed phrase for you. There’s a reason why people are engraving metal plates and burying it in their backyard!

  4. Doesn’t it say that you “can” subscribe to Ledger Recover? So I assume it is not mandatory.

  5. >Starting today, you can subscribe to Ledger Recover.

    No thank you, I won’t subscribe bye.

  6. Yeah, that’s gonna be a no from me, dog. Have to send a picture of your ID as well? Hard nope.

  7. That… defeats the entire purpose of a wallet, doesn’t it? What were they thinking?

  8. What's particularly alarming is they require a scan of your passport or driving license to use this service. Therefore, a database containing people's ID documents and private keys will exist in the same space.

    Oof


    Update: here is the relevant information from a Wired article:

    > Ledger is preparing to launch a new service called Ledger Recover that splits a wallet recovery phrase—basically, a human-readable form of the private key—into three encrypted shards and distributes them to three custodians: Ledger, crypto custody firm Coincover, and code escrow company EscrowTech.  If somebody loses their recovery phrase, two of the three shards can be combined—pending an ID check—to regain access to the locked funds. Essentially, Ledger Recover is an additional safety net; for the price of $9.99 a month, it takes the jeopardy out of crypto’s version of stuffing dollars under the mattress. It’ll be available in the UK, EU, US, and Canada and come to other territories later in the year.

  9. It’s pretty ridiculous honestly. There should be no scenario where you ever need to put your seed phrase on a computer. Everything should be done on the hardware.

  10. You need to give them your ID which makes it even worse

    Good luck finding your documents on the darknet

  11. Wtf is the point of having a hardware wallet if your keys are in someone else's possession?! And you need a passport to subscribe?! So just KYC your whole wallet while they're at it.

    I've not been one to buy into all the Ledger FUD, mostly because I know a majority of the time it's not the arrow, it's the Indian, but this is just dumb as fuck.

    Might as well just use a free wallet from an app store at this point…

    Glad it’s user choice to subscribe but the fact they even offer this is shady AF.

  12. This is wrong in so many ways I'm starting to question their decisions in general and tech

  13. Why switch to cryptocurrency if you can't keep or write down your recovery keys? Go invest in traditional markets or leave your money in the bank. lol

  14. Guys, it’s ok. I will offer the alternative. For just $9.95 a month, I will personally engrave your seed phrase into a metal plate and save it in my backyard.

  15. It basically lets governments seize people's crypto if the seed + identification are released by court order or any request Ledger complies with. At the very least it lets them identify who owns Ledgers and probably indicates Ledger has been getting requests for user info.

  16. Question for someone smarter than me. I have been using a Nano X for the last few years, is the fact that it is even possible for them to recover the seed cause for concern? Is it possible that even if you do not enroll in the recovery feature that my seed phrase could be compromised?

  17. Where did you get this information from? Current ledger OS version is 2.1.0

    I see no mention of 2.2.1 anywhere? This also wouldn’t follow their version numbering history, this firmware number is a significant jump in version order

    Are you certain you have a legitimate version of ledger live installed? I can’t find anywhere to sign up to this service. Sounds like a scam or malware to me tbh.

    ledger website updated as of March 2023

    Ledger does not store your private key and we will never ask you for your recovery phrase.

    OP Are you absolutely sure you’re using a legitimate version of ledger live? I cannot find any information about this update.

    Edit: It’s real.

    >Ledger is preparing to launch a new service called Ledger Recover that splits a wallet recovery phrase—basically, a human-readable form of the private key—into three encrypted shards and distributes them to three custodians: Ledger, crypto custody firm Coincover, and code escrow company EscrowTech. If somebody loses their recovery phrase, two of the three shards can be combined—pending an ID check—to regain access to the locked funds. Essentially, Ledger Recover is an additional safety net; for the price of $9.99 a month.

  18. Yeah, this shouldn’t be possible.. Not because it’s hard, but it’s just bad practice. It’s like a lock manufacturer making front door mats with a slot to hide your key. It just normalizes hiding a key under the mat. Which of course you can choose not to do, but there’s always someone who will.

  19. Firmware update or OS ledger live update? Don’t add more confusion with this Ledger.

    Never share your seed phrase. That means even with YOU LEDGER. NOT EVEN YOU SHOULD BE ABLE TO HELP RECOVER ANYTHING!

    So do I just never update the firmware on the ledger or what? If the device dies I guess I just get something else and use my seed phrase for it to recover my old wallet they want the seed phrase for…

  20. I thought a cold/hardware wallet was supposed to be safe but Ledger keeps adding stuff that makes it NOT safe.

  21. I wonder if you opt in, do you have to enter the seed or does it just say "thanks, you're all set". I'd hope you would have to enter it.

  22. From this article link, it seems like this is a real incoming service. I guess they will make 3 social recovery phrases and distribute them to 3 independent custodians.

    It's still a "No thank you" for me. Not only is it a paid subscription that costs $10 a month, but if I wanted to use social recovery, I would rather generate the recovery phrases offline by myself and give them to the friends and family I trust instead of some suspicious online custodians that even require KYC.

  23. Everyone is missing the point here. It doesn’t matter that it’s opt-in. The fact that this is even possible is a major cause for concern.

    Sure if you opt in you would essentially KYC , but the real problem is these firmware updates are usually related to security and feature additions. To me, I would be highly concerned if Ledger, the company, were to become compromised and our seed phrases accessible because of said firmware update, despite not opting in.

    They just revealed a door, while although locked, shouldn’t exist in the first place.

  24. Do NOT trust Ledger! Their loss of my data has led to a never ending line of cold calls, scammers and threats in my life. I even wound up selling my house and moving, largely due to threats of physical visits if I didn’t send the caller some Bitcoin.

    Fuck Ledger with a cactus!

  25. What the * I bought a ledger to prevent this. You’ve just made it open to social engineering. Not secure at all.

  26. I’m still getting hounded by scam artists and receiving spam post from HEX since that data breach… Ledger’s response at the time was tell everyone their Ledger devices remained secure BECAUSE the seed phrase wasn’t accessible online… Well… This would break that logic.

  27. Company that had a database leak now wants a government issued identification to subscribe to a service they’re providing which turns your cold wallet into a hot wallet. What could go wrong?

  28. It is bullshit. Dump your Ledger ASAP. Opt for an open-source alternative like SeedSigner or Blockstream Jade before you get fucked. Imagine recovery now needs permission. If they don't like you or your government doesn't like you, you can't recover.
