Online buzz continues around Ledger’s new firmware update for its crypto hardware wallet, which experts claim could put users’ private keys at risk.
Ledger published a Twitter thread on Wednesday attempting to allay concerns about the security of users’ assets, but one self-contradictory and confusing tweet in that thread further fanned the flames of the controversy.
Ledger’s worrying tweet
In a now-deleted tweet from Wednesday, Ledger effectively confirmed the critics’ point by highlighting one troubling reality of using its product: the manufacturer could, technically, release firmware that extracts users’ private keys from their wallets.
“You have always trusted Ledger not to deploy such firmware, whether you knew it or not,” the company wrote.
Ledger’s deleted tweet. 05/17/23
This contradicts a claim made from the company’s main account last November, in which Ledger stated that users’ private keys could not be extracted from the wallet’s secure element chip through a firmware update.
At the time, Ledger and other wallet makers were posting record sales following the collapse of FTX, as crypto investors sought the security of self-custody and cold storage for their crypto assets.
On Thursday, Ledger said it had decided to remove its Wednesday tweet because of its “confusing wording”. However, Charles Guillemet, Ledger’s CTO, published a follow-up thread explaining that, in general, there are “multiple ways” to implement a backdoor, and that some level of trust is required with any third-party wallet purchase.
22/ If you want to be completely trustworthy, you need to learn electronics to build your own computer, learn ASM to build your own compiler, then the wallet stack, build your own nodes and synchronizers, and you need to learn cryptography to build your own signature stack.
“Open source doesn’t really solve it,” he said. “It is impossible to guarantee that the electronics themselves are not backdoored, nor that the firmware running inside the wallet is the one you audited.”
Ledger Recover
Criticism of Ledger intensified on Wednesday after the company announced its new hardware wallet service, “Ledger Recover.” With the user’s permission, the service splits the wallet’s private key into three pieces, encrypts them, and stores them with three different centralized providers, one of which is Ledger.
Users are required to provide personally identifiable information before using the subscription service. In return, users are given a way to recover their private keys if they lose both their hardware device and the paper backup of their seed phrase.
The crypto community blasted the service and its associated firmware update for adding a code path that could send private keys to third parties. Several experts, including the developer and auditor “foobar”, recommended that their followers stop using the company’s products.
If you have a Ledger, your keys haven’t been compromised (yet). But if you upgrade to the latest firmware, it will contain a code path that can send your private key to third parties. Given that Ledger has leaked its own clients’ data in the past, it is unlikely that they would keep this information secure.