Ledger's New Recovery Update Prompts Security, Transparency Concerns

An optional firmware update for all Ledger devices has raised questions about the security of the popular hardware wallet.

Ledger Recover is a new service for users who do not have access to their private keys. It works by encrypting the Seed phrase on the device, splitting it into three fragments, and holding these on Hardware Security Modules with trusted providers.

To restore your phrase, you'll need two of those fragments. Recovery happens after ID verification, within the "secure enclave" of the Ledger chip. Neither Ledger nor the trusted providers have access to the full, unencrypted phrase. So what's the big deal?

Exciting update, Ledger has a new product, Ledger Recover, that’s launching soon: https://t.co/nT1VHnnSYz

🧵Here’s what Ledger Recover is and what it isn’t, explained by @P3b7_ & in the thread below. pic.twitter.com/RW1w07H6pK
— Ledger (@Ledger) May 16, 2023

Ledger's announcement video has gained over 2.4 million views.

The issue that has got the crypto community up in arms is not the potential point of weakness and centralization represented by the two-of-three trusted provider model; this is an opt-in service for those who want a safety net in case of losing their seed phrases, at the cost of $9.99 per month.

The problem is that there has been a lack of clarity over how this service has been built, and whether the fact that it even exists poses a security threat—whether or not the user chooses to access it. The company has, of course, sought to reassure users that there are no backdoors in the Ledger, and that users remain in full control. But there has been a lack of clear answers from the team, and the internet, like nature, abhors a vacuum.

Ledger Secure Enclave: Hotel California For Private Keys?

The idea behind hardware wallets—at least, what users understood was the idea—is that transactions are signed within the secure enclave, and this signed transaction (which is useless to a hacker) is broadcast. Private keys never leave the secure enclave on the device, ever.

Ledger Recovery introduces a way for that to happen, albeit in a supposedly safe way. Or, worse still, perhaps it has always been possible, and users never knew it.

Either way, that means of moving keys over the internet is present, and offers an attractive set of possibilities for hackers to exploit. You can read more about the update, and some criticisms, on Twitter.

You said my seed could never leave the device.

You lied.#ledger #crypto
— Sucellus crypto (@BTC_Sucellus) May 17, 2023

The issue is summarized in typically blunt Twitter style by one user.

Given the concern surrounding this update and the backlash from users, no doubt the Ledger team are crafting a carefully-thought-through response. For now, though, the sound of crickets is stoking the fears of customers who are, by definition, highly security conscious.

Ledger has stated that, as Web3 natives, they are security maxis. Whether that's true or not, with this rollout, they dropped the ball on transparency.

Subscribe to our newsletter and follow us on Twitter.