Dear Bankless Nation,
The fire alarms were sounding on Twitter yesterday as Ledger users worried that their hardware wallet-held funds were no longer safe.
Ledger went on a full-court press to reassure users, and while most are breathing easy now, there are still some lingering questions. In today's newsletter, we dig in.
- Bankless team
Bankless Writer: Jack Inabinet
Ledger has had a rough 24 hours.
The world’s best-known hardware wallet manufacturer released a feature to attract new users to their products and now everyone seems mad at them!
So, what actually happened? Let’s dive into the drama.
Want to hear more from Ledger's POV? We already talked to Ledger CTO Charles Guillemet about the scandal. Check it out below! 👀
🥊 The Drama
This week, Ledger launched a new product called Ledger Recover, a convenient key recovery service that essentially aims to help users recover their funds if they lose their seed phrase or lose their actual Ledger hardware device. An encrypted version of your seed phrase is split up and sent to Ledger and two of its partners to be held securely onsite. Users can retrieve their seed phrase by confirming their identity with a National ID even if they lose their original Ledger.
In the aftermath of the FTX implosion, keeping your coins off centralized exchanges while still having a user-friendly way to stave off financial ruin if you lose your seed phrase seems like a good thing, right?
But it wasn’t long after the update that users began to surface concerns. A Reddit post late Monday raised alarms as users read through the text of the latest firmware updates to their Nano X devices.
The opt-in nature of the service was one thing, but for many users it was news that this functionality was even possible for the device, given that… Ledger has emphatically said this wasn’t possible.
What sets Ledger apart from most other hardware wallets is its Secure Element chip, which Ledger claims keeps private keys completely isolated inside it. For many, it was thought of as the hardware wallet equivalent of the iPhone’s Secure Enclave, where a hash of your unlock passcode is stored and theoretically can’t be exposed even when the Feds come knocking.
But Ledger fractured that impression when this feature update showed that the keys can leave the Secure Element in encrypted form following a firmware update. While Recover remains a 100% opt-in service, many are more concerned with whether Ledger has been overpromising the security of its Secure Element and has broken user trust as a result.
✨ The New Feature
Back in February, Ledger Recover was teased in a Wired article as a private key management solution for the less technically inclined. CEO Pascal Gauthier saw Ledger Recover as an alternative to “geeky” approaches, like account abstraction, which he believes are not ready to serve an “industry [that is] ready to evolve and go to the mass market.”
Ledger Recover is an optional subscription service included in the latest Ledger Nano X firmware update. It allows users to back up their Secret Recovery Phrase and restore their wallet wherever and whenever, even if their original Ledger device is lost, damaged, or stolen, for $9.99 per month.
The service lets your government-issued ID be the only tool you need to recover your wallet. Complicated op-sec is no longer a requirement for ordinary crypto users looking to secure their hardware wallets!
To prevent a single entity from accessing user private keys, the Secure Element encrypts the seed and splits it into three shards, with one retained by Ledger itself and the other two distributed to third-party entities. On its own, one shard is useless; it must be combined with others to reveal the private keys.
Users must physically enter their device passcode and confirm any firmware updates or enable Recover features like backing up the seed phrase.
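The page describes the seed being split into three shards, any one of which is useless on its own. The standard technique for that property is Shamir's secret sharing over a prime field, shown here as an added example that is not Ledger's code. It assumes a 2-of-3 threshold (the page does not state the threshold), uses a constructed 16-byte entropy value in place of a real 12-word seed, and leaves out the per-shard encryption the page says the real product applies before distribution. The `alternative_shares` function shows why a single shard carries no information: whoever holds one shard can build an equally valid companion shard for any secret they like, so the shard is consistent with every possible seed.

```python
"""Toy 2-of-3 Shamir secret sharing, illustrating why one shard reveals nothing.

Assumptions (not from the page): a 2-of-3 threshold, a 16-byte seed entropy
value standing in for a 12-word recovery phrase, and no encryption of shards.
"""
import secrets
from typing import List, Sequence, Tuple

PRIME = 2**255 - 19      # field prime; any 16-byte entropy value is below it
THRESHOLD = 2            # shards needed to reconstruct (assumed 2-of-3)
SHARE_COUNT = 3          # Ledger + two third parties, per the page

Share = Tuple[int, int]  # (x, f(x)) with x in 1..SHARE_COUNT


def _eval_poly(coeffs: Sequence[int], x: int) -> int:
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int = THRESHOLD,
                 count: int = SHARE_COUNT) -> List[Share]:
    """Embed the secret as f(0) of a random degree-(threshold-1) polynomial
    and hand out f(1), f(2), ..., f(count) as shares."""
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, count + 1)]


def recover_secret(shares: Sequence[Share], length: int) -> bytes:
    """Lagrange-interpolate f(0) from at least THRESHOLD distinct shares."""
    if len(shares) < THRESHOLD:
        raise ValueError("not enough shares to reconstruct")
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share x-coordinates")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total.to_bytes(length, "big")


def alternative_shares(held_share: Share, candidate: bytes,
                       xs: Sequence[int] = (1, 2, 3)) -> List[Share]:
    """Given ONE share and ANY candidate secret, produce companion shares that
    reconstruct to that candidate (threshold 2 only: a line is fixed by two
    points, so one point plus a chosen f(0) determines it). This is exactly
    why a lone shard holder learns nothing about the real seed."""
    x0, y0 = held_share
    s = int.from_bytes(candidate, "big")
    slope = (y0 - s) * pow(x0, -1, PRIME) % PRIME   # line through (0, s), (x0, y0)
    return [(x, (s + slope * x) % PRIME) for x in xs if x != x0]


if __name__ == "__main__":
    seed = secrets.token_bytes(16)          # constructed stand-in for seed entropy
    shards = split_secret(seed)
    assert recover_secret([shards[0], shards[2]], 16) == seed
    fake = alternative_shares(shards[0], bytes(16))
    assert recover_secret([shards[0], fake[0]], 16) == bytes(16)
    print("any two shards recover the seed; one shard is consistent with every seed")
```

Run it as-is; the point to take away is that secrecy rests on the three custodians not colluding (or being compelled together), not on any property of a single shard.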
🤬 The Criticism
Much of the outrage on Crypto Twitter and Reddit has centered around users saying they feel misled by the company’s past marketing and communications.
Again, prior to Ledger Recover’s launch, many in the crypto space believed that it was impossible for the Secure Element to reveal the seed, be it in plain text or encrypted, and that no firmware upgrade could change this assumption.
While Ledger has since offered some clarifications and has tried to streamline its messaging, it’s fair to say that they were not expecting the pushback they received from a user base that has long viewed them as one of the most trusted names in self-custody.
Even CZ got in on the roasting, highlighting the juxtaposition between past statements that keys never leave the hardware device and the ugly alternative reality unveiled by Ledger Recover.
🏴 The Bottom Line
Ledger’s core defenders argue that every hardware wallet relies on software and that trusting the manufacturer of any product that you use is a bit of a baseline expectation. The only true alternative would be to use a product that could somehow never receive updates, something that would not be ideal for many reasons.
While I am not a hardware engineer, I am sympathetic to the idea that using a Ledger in the first place implies a certain level of trust in the company. But that almost makes the company’s efforts to have it both ways less forgivable, with them now arguing that users’ devices “have always been this way” after the release of a feature that violates some core tenets of what it had previously marketed its Secure Element as being capable of.
At the end of the day, Ledger is still likely a much more secure place to hold your keys than other alternatives, and if you are not concerned about nation-state-level coordination against your keys, you are probably still in the clear based on the core ways this product works. But this launch undoubtedly broke some trust with users and will color how Ledger’s community views future product claims.
Action steps
- 📘 Read ansgar.eth's or Haseeb Qureshi's take on how hardware wallets work
- 📺 Watch our interview with Ledger CTO Charles Guillemet