- Ledger has a new “recover” mode that give a third party your seed phrase.
- Ledger’s decision to introduce a third party to your wallet seed phrase created an exploit that could appeal to both governments and hackers.
- This has made Ledgers customers skeptical of their wallet’s security. They now see a possible way of being exploited.
Self-custody is important in crypto, and security is essential to self-custody. Ledger, a notable hardware wallet manufacturer, has built its reputation on the secure storage of users’ private keys. Hardware wallets create a safe offline environment for storing and using keys to execute transactions.
The user’s private keys are generated and stored within the device and are supposed never to leave it. This “cold storage” provides an unrivaled level of security compared with “hot wallets” or online wallets. The problem is that lots of people lose their keys.
Ledger rolled out a seed phrase backup product this week called Ledger Recover. If you give the company your ID and personal information, you can pay for a service that takes your seed phrase within your device, encrypts it into three “shards,” and then shares them with various custodians.
Introducing a third party inherently centralizes control, creating a single point of failure that hackers could exploit or be subject to regulatory actions.
I don’t begrudge Ledger’s effort to grow as a business to reach non-OG and non-cypherpunk-ethos users. Millions of normies, like our skeptical baby boomer in-laws, will only ever be onboarded to crypto through this custodial backup approach. Its mistake may have been using the same product to appeal to crypto self-custody OGs and the broader future customer normies.
Ledger’s rollout of its backup product met with some strong reactions among its community of customers. Many were surprised that Ledger could always touch your secret key with its hardware updates. Many of us view our hardware devices as sacrosanct. I needed to be more knowledgeable about this device I trust to protect my crypto assets.
Haseeb Qureshi said that while he reacted negatively at first, he realized that this was always true about Ledger. We’ve always trusted it not to insert malware in its firmware updates to steal our seed phrases. He’s not wrong, but that’s not a comforting thought.
Ultimately, everything can happen on your hardware device if you sign a transaction. You retain the power. I don’t know about you, but I’m not a coder — I can’t tell a malicious update from a legitimate one, so I’m trusting Ledger on that too. And I don’t have the option not to approve the latest firmware update that includes Ledger Recover capability, as Ledger warns that failure to update your firmware is a security risk.
I do trust Ledger — it’s a great company. It has been the linchpin in the technology stack for crypto self-custody, at least in my crypto journey.
But the goal of a crypto self-custody tool should be to minimize trust requirements. And that could be improved at Ledger through open-sourcing more of its software and hardware. Ledger’s chief technology officer was asked about this on May 17’s Bankless podcast and responded that Ledger has signed nondisclosure agreements that preclude it from doing so and argued that people are unlikely to crowdsource security audits anyway.
Security researchers like Andrew Miller, who uncovered vulnerabilities in the Secret Network, would take up that task.
While Ledger’s communications regarding the rollout have been a disaster, its crisis communications have been enlightening. I had an insufficient understanding of how hardware wallets work. But “Sorry, we can’t open-source anything because of NDAs” is an inadequate answer to those in the community concerned that a malicious actor could use Ledger Recover to trick users with a fake update and steal their seed phrase.
Ledger could also allow me to continue to update my firmware without adding the Ledger Recover code to my device. But in the absence of open-sourcing its firmware, it will only do a little, as we won’t have any way to verify its claims.
This could be a branding win if Ledger pivoted to roll out a “cypherpunk”-branded dimension to its hardware and software that appeases the OG crypto community such that they might be willing to opt into it and lets existing hardware owners opt into it for their previously purchased hardware such that new updates are cypherpunk-branded and -approved, as open source as possible, with crowdsourced security audits — the whole package. All would be forgiven.
For now, it doesn’t seem Ledger plans to do that. So, the options are to use open-source hardware wallets, but those need Ledger’s wide-ranging interoperability with emerging blockchains. Or you could build your own or use the new refurbished Gameboy open-source hardware wallet.
For now, and for many coins, the safest option is to trust Ledger while staying open to competing developers of open-source hardware wallets.