Crypto hardware wallet provider Ledger is facing huge backlash from its online user base after releasing a controversial update that many fear exposes major security flaws with the manufacturer.
Ledger claims the new functionality is both secure and completely optional, but security experts and crypto holders are already distancing themselves from the company.
Ledger’s controversial recovery service
Concerns began to grow late Monday after Reddit user Joe_Smith_Reddit posted a post asking for a “yes or no” answer on whether Ledger has a built-in backdoor to access users’ private keys. A private key is the secret alphanumeric string that lets users access their crypto on the blockchain.
Smith’s question relates specifically to Ledger’s new “Ledger Recover” service – a subscription service for Nano X device holders that lets them recover their crypto even if they’ve lost both their wallet device and the recovery phrase. The recovery phrase is a user’s private key expressed in mnemonic form.
According to Ledger, the service – enabled in firmware update 2.2.1 – works by duplicating the device’s recovery phrase on the device, encrypting the copy, splitting it into three parts, and securing it with Ledger, Coincover and a third unnamed provider. To use the service, users must verify their identity by using an ID document and recording a selfie.
In a follow-up Twitter thread on Tuesday, Ledger clarified that the service is completely “optional” and not automatically enabled by any firmware update. “Your secret recovery phrase is generated securely on your device. We have no access to it,” the company said.
Can Ledger “rug” users’ private keys?
Despite Ledger’s reassurances, community concerns continued to center around one major consideration: the update proved that Ledger devices do not protect their users’ private keys from all outside access, despite manufacturer claims.
“Relying on a proprietary secure element to do its part was the only thread holding this company together and now it’s broken,” wrote Reddit user StPinkie in response to Ledger on Tuesday. “I can no longer recommend Ledger to anyone who gives a damn about their digital sovereignty.”
Popular crypto developer, author and auditor “foobar” echoed this response on Twitter, urging followers to move away from Ledger Wallet immediately.
Stop using the Ledger hardware wallet. Get away from them immediately. He has shown nothing but gross incompetence and a wild misunderstanding of his purpose. And now they have publicly admitted to intentionally backdooring their own proprietary hardware. stop using ledger pic.twitter.com/LLFFusOW4y
— foobar (@0xfoobar) May 16, 2023
“The obvious issue with this update is that it could spoof your private key at any time with a malicious or incorrect firmware update,” he said.
A couple of other users noted that, according to CEO Pascal Gauthier, there is a contradiction between Ledger’s claim on its website that users’ keys “never leave the device” and its Ledger Recover service, which “distributes” users’ private keys to three different providers.
This is a masterclass of killing your core business trying to “innovate”.
I kept recommending you guys even after you harassed your customers, but this is the last straw.
— Chris Dunn (@ChrisDunnTV) May 16, 2023
Many in the community recommended that Ledger launch a separate wallet that offers a seed-recovery service, rather than rolling it out as a firmware update for existing customers who expect maximum security from their devices.
Ledger has compromised user security in the past by accidentally leaking personal information about over 270,000 customers in July 2020, who were later victims of email and SMS phishing campaigns. The leak did not affect the security of users’ private keys.
Ledger sales spiked after the collapse of FTX in November, as investors sought to safely own crypto without having to rely on centralized intermediaries.