Is Ledger Recover leaking my private key?
Hi frens,
Recently it’s been heating up that, Ledger, a crypto hardware wallet company, is accused to bring out private keys to third party recovery providers.
What is a hardware wallet? It’s a specialized hardware gadget to safely use the crypto wallet.
Sometimes it’s also referred to as a “cold” wallet, which means the private key of a crypto wallet is isolated from the internet, so it’s almost impossible for a thief to steal your crypto asset.
Ledger Recover, a new opt-in service from Ledger, is going to provide a subscription service to recover the crypto wallet through third parties.
The problem is: Your private key for the crypto wallet, will be in the hands of those third parties, which is not “cold” (or, not cool) anymore.
Ledger, the hardware wallet, is becoming a “hot” wallet, in some sense.
Let me split this issue into three parts:
Is Ledger Recover cryptographically safe?
Why is Ledger doing that?
Should I trust Ledger?
The first one will be the only long piece. Stick with me.
Is Ledger Recover cryptographically safe?
Ledger Recover encrypts a version of your private key and splits it into three fragments (using Shamir Secret Sharing) - all of this happens on the Secure Element chip, so your Secret Recovery Phrase is not at risk.
So theoretically, it is still safe to go. Shamir Secret Sharing isn’t new. Trezor, the main competitor of Ledger, has Shamir backup for years. So it is a public relation issue, not really a technical one.
But practically, is it still safe? We haven’t seen the source code yet. FYI, Ledger Live, the companion app for using Ledger devices, is open source.
On the other hand, even if you’re using trusted open source software, do you personally compile the software from source code, or at least have third parties verify the executable binary? No, people don’t usually do that. That means people don’t really trust the source code, but the Ledger brand itself.
Now back to safety. People expect a hardware wallet to be a cold wallet.
But is Ledger really “cold”?
To use a Ledger device, you have to connect it to Ledger Live for installing apps or upgrading firmware, either through a USB cable or wireless communication (like Bluetooth or NFC). But Ledger Live is exposed to the Internet. So, is Ledger still a cold wallet?
You may say (as Ledger claimed), “The private key is safely kept in the Secure Element chip! The specific hardware would keep us from malicious hackers!” I do agree that raised the security level, but it isn’t that far reach between hardware and software.
In my opinion, people who are serious about choosing a “cold” wallet shouldn’t use Ledger at all, not even from the beginning.
There have been some “air-gapped” crypto wallets, which means completely offline. No USB cable. No Bluetooth or NFC communication. Only QR code scanning between devices. Really “cold”.
Why is Ledger doing that?
The web3 world is eager to get the next mass adoption. Some people believe that keeping the mnemonic phrase of a crypto wallet is the main hassle and barrier.
Ledger has been doing great with its streamlined product. Now it’s offering a recovery service, so people don’t have to keep mnemonic themselves (btw account abstraction wants that feature too).
Will it be more user-friendly? Absolutely.
Oftentimes, Ledger reminds me of 1Password. When 1Password made the transition from a standalone vault to an online vault with a subscription, people were as angry as this time.
Years later, 1Password stays as one of the most popular password managers.
Should I trust Ledger?
I’ve stated my points. Make your decision (or eat popcorn 🍿).
You may ask, “Just tell me: Do you trust Ledger? Do you use a Ledger device?” And my answer is:
“I won’t tell. Neither should you.”
(Why? I’ll leave that for the future ;)
Best wishes.
Your friend,
Denken.
P.S. Read more suggestions by Katya, another great overview for this incident.