Ledger hardware wallet ‘hacks’ itself with latest update growing ‘backdoor’ concerns

Hardware wallet maker Ledger has sparked an online fiasco by introducing a new seed phrase recovery feature called Ledger Recover, which critics say completely defeats the purpose of a hardware wallet.

Ledger has introduced an optional subscription for $9.99 a month, which allows owners of the Nano X wallet to store a backup of their seed phrase with three separate third-party entities.

CTO Charles Guillemet assures users that this is entirely voluntary and will never be forced on any customers, now or in the future.

He also stated that many won’t need it, and self-custody maxis will definitely prefer to look after their seed phrases themselves.

However, the thought process behind the move is that as digital assets become more mainstream, newer customers will want to outsource some of their security rather than take on all the responsibility themselves.

The feature works by splitting the recovery phrase into three segments, encrypting them inside the wallet's Secure Element chip, and then sending each segment to a different third party.

“Your private key is never at risk,” Charles assures customers.

“There is no backdoor for anyone… even for a very gifted hacker.”

Ledger was established in 2014, is estimated to have sold around 4.5 million wallets, and has introduced six wallet models.

Despite being such a mainstay of the digital asset self-custody industry, users have concerns about the security of this new feature.

Mudit Gupta, chief information security officer at Polygon Labs, stated on Twitter:

“It’s a horrendous idea, DON’T enable this feature.”

“Anything secured by ID verification is inherently insecure.”

“I still recommend [Ledger’s hardware wallets] to everyone. Just don’t enable this feature.”

Bitcoin investor and entrepreneur Alistair Milne questioned whether or not the feature made cold storage completely redundant.

“Sure, you *could* use Ledger’s new ‘Recover’ service and give them your private keys controlling your assets as well as a copy of your ID and other personal information… but why then bother with a hardware wallet in the first place?”

Ledger has hit back at the criticisms, suggesting the issue is being blown out of proportion.

Ian Rogers, Ledger’s Chief Experience Officer, has suggested the fear is “perhaps unjustified.”

CEO Pascal Gauthier said, “I’m sorry, but the piece of paper is a thing of the past and Ledger Recover is a thing of the future… there is no compromise to security.”

In some countries, government-issued I.D. is required to use the feature, leaving many customers nervous about linking their personal identities to their seed phrases.

Ledger has a history of personal data leaks.

In 2020, the personal information of over 270,000 Ledger customers was exposed by a hacker, including phone numbers and physical addresses. One million email addresses were also exposed.

However, Charles Guillemet has assured customers, “There is no direct link between your seed and your identity.”

Time will tell if this turns out to be the security nightmare critics are suggesting or the way of the future, as Ledger seems to believe.
