Rethinking Hardware Wallet Security in the Wake of Ledger Recover
Ensuring the safety and security of digital assets is the foundation of self-custody. When Ledger, a widely recognized leader in hardware wallets, unveiled a feature called Ledger Recover last week, they intended to add an extra layer of protection for their users. The opt-in feature allowed a user's seed phrase to be divided into three encrypted parts, each stored by a different third-party entity.
Imagined as an insurance policy against losing a Ledger or as an alternative to storing a seed phrase, Ledger Recover was supposed to make users feel more secure. Instead, Ledger’s customers met the new feature with deep skepticism and backlash, raising intense debates around privacy and security.
Interestingly, the outcry was not focused on the update itself but rather on the fact that such an update was even possible. For those not steeped in the chatter of 'Crypto Twitter,' we offer a brief rundown on the recent debate and shed light on the realities of hardware wallets that continue to perplex (and frustrate) the crypto community.
What happened?
The intense reaction to Ledger Recover can be traced back partly to Ledger's past security lapses. In 2020, Ledger was embroiled in a substantial security breach where customers' private information - including mailing addresses, phone numbers, and email addresses - was exposed. Still fresh in the community's collective memory, this incident heightened scrutiny of Ledger Recover. Critics began to draw parallels between the potential privacy issues of the new feature and the data breach, amplifying concerns about Ledger's handling of sensitive user information.
As word about Ledger Recover spread, Twitter exploded with speculation and disappointment, serving as a public barometer of the crypto community's sentiment. Mudit Gupta, the Chief Information Security Officer at Polygon Labs, was among the first to express his criticism publicly. Gupta called the feature a "horrendous idea" and warned his followers against enabling it. Changpeng Zhao, founder and CEO of Binance, was one of many replies questioning Ledger's commitment to the principles of self-custody: absolute user control over their keys.
On the other side of the debate, Ledger stood their ground. The company took to Twitter to address concerns and reiterate its commitment to self-custody, assuring users that their private keys are securely generated and stored on their devices. They emphasized that firmware updates do not automatically enable Ledger Recover, and that it's an optional feature. However, this message was buried under other tweets that many in the crypto community felt were dismissive:
Ledger's statements have sparked ongoing debates about balancing innovation in security with preserving the core principles of decentralization.
Beyond the noise: What did Ledger actually do?
Ledger Recover was conceived as a safety net to protect users who lose their Ledger device or their 24-word recovery phrase. The process requires users to verify their identity, then upload their recovery phrase to the system. While the very idea of uploading the recovery phrase online appears to undermine the basic premise of a hardware wallet – keeping the private keys offline and secure – the feature in and of itself is not what caused the most controversy. It was the possibility that this feature could be offered that shocked and upset the crypto community.
Haseeb Qureshi, Managing Partner at Dragonfly, summarized the confusion perfectly with two diagrams. The first image below is how Ledger users thought their device worked:
When in reality, the following diagram is more accurate:
The subtle difference? The firmware inside the secure element – the part that generates and stores a user’s private keys – can be updated. Furthermore, the firmware can be updated to allow the private key to leave the Ledger hardware wallet.
This key fact, that the seed can leave the hardware wallet, was a revelation to most people and shifted how they understood hardware wallet security. While Ledger’s initial response pointed out that this was possible the whole time, they have not always been so straightforward. Ledger’s tweet below from November 2022 appears to actually play into the misperception about their wallets’ security:
The reality is that hardware wallets need to upgrade the firmware that manages the private key because the Ledger’s job is to use the private key to sign transactions. That signing process inevitably changes over time. As Haseeb went on to explain in his tweet thread:
“If a Ledger were an un-upgradeable box with a private key inside, then it would need every algorithm that every blockchain will ever use already available inside the box. And if they didn't think to include a newer algorithm, you'd have to throw it away and buy a newer model. But Ledgers upgrade to support evolving blockchains."
We have always needed, and will continue to need, firmware updates to our hardware wallets. The only difference is that we are now aware of a risk that few previously understood. The possibility of a compromised Ledger firmware update enabling a bad actor to extract our private keys is slight – but real.
Are Ledger hardware wallets still safer than browser plug-ins? Almost certainly. Do they eliminate the need for trust in crypto self-custody? The (now) clear answer is: no.
Where do we go from here?
While some users undoubtedly appreciate the added layer of security that Ledger Recover offers, the Ledger Recovery controversy underscores the challenges in balancing user convenience and enhanced security with crypto’s core values of self-sovereignty and decentralization. The immediate impact has been a wave of confusion and disappointment, now followed by the sober realization that hardware wallets cannot deliver 100% on these core values. As the dust settles, the long-term impacts on Ledger and the wider crypto community remain to be seen. However, this incident has brought essential questions about hardware wallets, self-custody, and decentralization back to the forefront of the crypto conversation.
An alternative solution: Locksmith Wallet
One of the hallmark features of Locksmith Wallet is trustless recovery. The Locksmith system allows users to deposit their crypto in a token-gated smart contract that only they can access because only they hold the corresponding ERC-1155 semi-fungible token (SFT). Furthermore, Locksmith Wallet allows users to mint additional SFTs, each carrying specific permissions over the smart contract.
By managing and tracking the permissions of SFT holders, Locksmith Wallet effectively separates private keys from assets. This process unlocks the potential to move assets under specific conditions, to designated addresses, by authorized holders. This means that recovery could take many different forms; for example, giving a back-up wallet the ability to transfer funds to a cold storage address after a certain period of inactivity. Instead of relying on a third party to determine your level of trust, you're empowered to choose for yourself with Locksmith Wallet.
Checkout the Locksmith Wallet whitepaper to learn more.