Ledger, the manufacturer of hardware crypto wallets, faces criticism for an update that lets its devices send coded parts of users’ seed phrases to others.
The company says it will help users recover their seed phrases, which function like passwords, but some critics say the update may open up security vulnerabilities.
Hardware wallets — also called cold wallets — are physical devices that store private keys to crypto offline. They’re typically considered more secure than alternatives that store keys on computers or mobile devices with internet access, also known as hot wallets. Cold wallets including Ledger are designed to empower users with complete authority over their digital assets.
Ledger broke “the number-one security rule for hardware wallets: never ever expose the private key in some way — encrypted, unencrypted, or in any other form,” Pascal Caversaccio, an independent security researcher, told DL News.
There is now “a communication channel between the device and the outside,” which presents a security vulnerability, he said, adding that his assessment is based on public information, “which is very short on details.”
The Recover feature would let the device share an encrypted and compressed version of a user’s private key with three companies: Ledger, Coincover, and EscrowTech.
Mudit Gupta, chief information security officer at Polygon Labs, the company behind the Polygon blockchain, told DL News his main concern is that “the encrypted shards of the key are shared with three centralised entities” since “only two of them need to collude or be compromised to reconstruct the key.”
“This is a big risk,” Gupta said. He added he has no “concerns about Ledger’s current offering or the features.”
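The two-of-three property Gupta describes can be shown in a few lines. This is an added example, not Ledger's code: it assumes a Shamir-style 2-of-3 split over a prime field (the article does not name the scheme), leaves out the encryption layer the article mentions, and uses constructed function names and a constructed sample secret.

```python
import secrets
from itertools import combinations

PRIME = 2**521 - 1  # Mersenne prime; the field is large enough for a 256-bit secret
HOLDERS = ("Ledger", "Coincover", "EscrowTech")  # the three companies named in the article


def split_2_of_3(secret: int) -> dict:
    """Give each holder one point on a random line f(x) = secret + slope * x."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret out of range for the field")
    slope = secrets.randbelow(PRIME)  # uniformly random degree-1 coefficient
    return {name: (x, (secret + slope * x) % PRIME)
            for x, name in enumerate(HOLDERS, start=1)}


def reconstruct(share_a, share_b) -> int:
    """Recover f(0) from two distinct points (Lagrange interpolation)."""
    (x1, y1), (x2, y2) = share_a, share_b
    if x1 == x2:
        raise ValueError("two distinct shares are required")
    inv = pow((x2 - x1) % PRIME, -1, PRIME)
    return (y1 * x2 - y2 * x1) * inv % PRIME


def pairs_that_recover(shares: dict, secret: int) -> list:
    """List every pair of holders whose combined shares yield the secret."""
    return [pair for pair in combinations(shares, 2)
            if reconstruct(shares[pair[0]], shares[pair[1]]) == secret]


def slope_explaining(share, candidate: int) -> int:
    """One share fits ANY candidate secret with exactly one slope,
    so a single holder learns nothing about the real value."""
    x, y = share
    return (y - candidate) * pow(x, -1, PRIME) % PRIME


if __name__ == "__main__":
    secret = int.from_bytes(bytes(range(32)), "big")  # constructed sample, not a real key
    shares = split_2_of_3(secret)
    print("pairs able to rebuild the secret:", pairs_that_recover(shares, secret))
```

Every pair of holders recovers the secret, so the design's resistance to compromise rests on no two of the three parties being breached or colluding.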
‘No backdoor, no security vulnerability’
“Lots of inaccuracies,” a spokesperson for Ledger told DL News, referring to the mounting criticism. “There is no backdoor at all, there is no security vulnerability.”
“If you want more peace of mind, or find recovery phrase management a barrier, you now have a highly secure service, tested by our Donjon team which exposed breaches in TrustWallet and many other wallets, both software and hardware,” the Ledger spokesperson said.
“They have validated it, we have tested it, it’s completely secure,” they added.
Ledger maintains that it’s a matter of opt-in. If a user doesn’t like the new feature, then they don’t need to enable it.
“For those that don’t want to use Recover, their experience doesn’t change — they’re as secure as they have been over the last nine years with six million devices sold and none hacked,” the Ledger spokesperson said.
And for those who want to use Recover, Ledger said the feature needs users to undergo an approval process using the secure display of their Ledger device.
“And it requires the Ledger’s secure element to do all encryption, fragmentation and decryption on the device,” Ledger said. “There’s also a full identity verification process including live-ness detection.”
“Again, the backups can only be created by your Ledger if you approve it from your Ledger. There’s no software way around it,” Ledger added.
Gupta said that going through identity verification is not fool-proof, since “identity theft is rampant and relatively insecure.”
“There are thousands of sim jacking incidents every year due to identity theft,” Gupta said.
Ledger said “ultimately it’s about user choice — this is the ethos of self custody.”
“You can continue using your Ledger as you always have, rest assured that your private keys are safe on the secure element which has never been hacked,” Ledger said.
Ledger, the company, suffered a data breach in 2020, which leaked the personal information — phone numbers and physical addresses — of its 300,000 customers. It has also previously come under fire for promoting the use of Ledger wallets as an accessory.
In May 2022, rapper Gunna sported a 20-carat diamond chain at the Met Gala with a diamond Ledger pendant.
Caversaccio said that another, wider concern is that the ability to send “encrypted pieces of private keys out of the device, which was previously claimed could never happen” may have already been a built-in feature for Ledger devices.
“There is only [one] way for Ledger to prove that they haven’t enabled this backdoor previously: by open-sourcing the firmware,” Caversaccio said.
Ledger did not immediately respond to a question about the possibility of a built-in feature or possible plans to open-source its code.