
Ledger, hardware wallet manufacturer, introduces new feature: a backdoor

Urke145

Summary

 

Ledger, one of the largest crypto wallet manufacturers, has sparked outrage from its users by announcing a new feature, Ledger Recover. Introduced as a way to safely recover the user's seed phrase, the $10 subscription requires ID verification and shares encrypted parts of the user's seed phrase with third parties. Because a seed phrase is used to generate all of the private keys, sharing it with third parties is a massive security concern. Even though the feature is opt-in, users are concerned that introducing a piece of code that can access users' most important information and share it online will become a backdoor for malicious users to exploit.

 

Quotes

 

Ledger co-founder commented on a Reddit discussion on the existence of a back door.

Quote

 

Additionally, Ledger has had data breaches in the past and requiring ID verification has users worried that the company would share even more of your personal information along with your private keys.

Quote

Users took particular issue with the requirement that Ledger Recover customers provide a government-issued ID to the company should they wish to use the service. For some in the crypto community, this step violates core crypto tenets around privacy.

 

My thoughts

This feature completely defeats the purpose of a hardware wallet. Any possibility for a third party to access your seed phrase makes the wallet obsolete, since the reason I'd buy a hardware wallet in the first place would be to not have it connected to outside software and accessible by third parties.

 

Sources

Axios - Crypto hardware maker's recovery feature draws ire

https://www.axios.com/2023/05/16/crypto-hardware-recovery-wallet-cold-storage

 

Coindesk - Ledger Bats Back Criticism of New Wallet Recovery Service
https://www.coindesk.com/tech/2023/05/16/ledger-bats-back-criticism-of-new-wallet-recovery-service/

 


The entire crypto ecosystem is riddled with huge security problems of which this is likely the least harmful example. It turns out that the idea of decentralization is meaningless if in practice you rely on centralized third parties to handle your wallets, your transactions and your trades and give them access to your keys. IIRC one of the more popular wallet aggregators just asks that you tie all your keys to an unsecure piece of software, kind of like storing all your passwords on a post-it note on your desk. At this point if you're into crypto in any capacity you're just begging to be scammed, robbed or otherwise swindled out of your money.


It's standard practice in the crypto industry to follow none of the IT security practices. FTX had an unencrypted spreadsheet in a shared folder with all wallet addresses and private keys. The net effect of adding a way to recover passphrases might be to let some forgetful customers recover their fake money wallet keys.

People in crypto are almost guaranteed to lose all their money from their exchange of choice suddenly deciding to stop conversion: fake money->real money, I expect this change in this private key storage service to have almost zero effect. Even if this change leads to hundreds of millions in fake dollars being stolen, it's still a drop in the bucket. FTX squandered tens of billions of dollars years ago, and printed FTT and Tether out of thin air to cover the hole. Binance is likely going to be revealed that tens of billions of dollars disappeared years ago and they have been printing BUSD(BNB), BNB and Tether out of thin air to cover their hole.


The idea is obviously asinine. But what really made me perk up my ears is that price. It's given in USD, not any crypto currency. Their FAQ even states that they only take real currency, not glorified monopoly money. As if you'd need any more proof of how serious crypto grifters are.


If you thought crypto was secure, ask yourselves how the government managed to get back all the crypto taken in the pipeline ransomware attack a year or so ago. Crypto that supposedly was sent to offline wallets.


11 hours ago, Fasterthannothing said:

If you thought crypto was secure, ask yourselves how the government managed to get back all the crypto taken in the pipeline ransomware attack a year or so ago. Crypto that supposedly was sent to offline wallets.

The idiots didn't demand to be paid in Monero. But then a 5 dollar wrench also works wonders for breaking unbreakable encryption as long as you get your hands on the owner.


So I can't have arbitrary currency on a physical item (not phone wallet, duh), that will hold some sort of value that can be loaded and off-loaded with any type of value. Then when going to use it, it checks and takes the needed to charge. But you will never know how much value you hold.

Say hello to the brain chip wallet, charge it up by using your brain processor and physical activity like work.

Just don't backdoor my CBDC money!!! It's not fake!!! :U

Edited by Quackers101