Ledger Criticized for Reportedly Revealing User Seed Phrases
Ledger, a provider of crypto hardware wallets, is facing significant criticism from its online community following the launch of a contentious update that many believe reveals serious security vulnerabilities associated with the manufacturer.
The company asserts that the new feature is both secure and completely optional; however, security professionals and cryptocurrency holders are already distancing themselves from Ledger.
Ledger’s Controversial Recovery Service
Concerns began to escalate late on Monday when Reddit user Joe_Smith_Reddit posted a query seeking a definitive “yes or no” regarding whether Ledger includes a backdoor for accessing users’ private keys. A private key is the confidential alphanumeric string that allows users to access their cryptocurrency on the blockchain.
Smith’s inquiry specifically related to Ledger’s new “Ledger Recover” service—a subscription offering for Nano X device users that enables them to retrieve their cryptocurrency even if they have lost both their wallet device and recovery phrase. A recovery phrase is a user’s private key represented in mnemonic format.
According to Ledger, the service, activated in firmware update 2.2.1, works by duplicating the device’s recovery phrase on the device itself, encrypting the duplicate, splitting it into three segments, and storing one segment each with Ledger, Coincover, and a third, unnamed provider. To use the service, users must confirm their identity with an ID document and a selfie.
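The page describes the recovery mechanism only in outline (encrypt the seed, split it into three pieces, hand one piece to each custodian) and does not say which splitting scheme is used. The following is an added example, not Ledger’s or Coincover’s code, that implements the standard way of doing such a split: Shamir’s threshold secret sharing over a prime field, here as a 2-of-3 split. It shows the two properties a practitioner cares about when assessing a design like this: any two custodians can rebuild the seed, while a single share is consistent with every possible seed and therefore reveals nothing on its own. The field prime, the 2-of-3 parameters, the helper names and the 32-byte sample entropy are all assumptions made for the example; the entropy value is constructed, not a real seed.

```python
import secrets

# Field prime for the arithmetic: the Mersenne prime 2^521 - 1, large enough
# to hold a 256-bit wallet seed as a single field element (assumption for
# this example; the page does not state the scheme or field used).
PRIME = (1 << 521) - 1

# Constructed 32-byte sample entropy standing in for the secret behind a
# recovery phrase. This value is made up for the example.
SAMPLE_ENTROPY = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f0" "00112233445566778899aabbccddeeff"
)


def _eval_poly(coeffs, x):
    """Evaluate a polynomial with the given coefficients at x, mod PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret_bytes, n=3, k=2):
    """Split a secret into n shares such that any k of them reconstruct it.

    The secret is the constant term of a random polynomial of degree k-1;
    each share is a point (x, f(x)) for x = 1..n.
    """
    secret = int.from_bytes(secret_bytes, "big")
    if not 0 <= secret < PRIME:
        raise ValueError("secret does not fit in the field")
    if not 1 < k <= n:
        raise ValueError("need 1 < k <= n")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares, length=32):
    """Lagrange-interpolate f(0) from k or more shares and return it as bytes."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Fermat inverse of den; PRIME is prime so den^(p-2) is 1/den mod p.
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret.to_bytes(length, "big")


def single_share_fits_secret(share, guess_bytes):
    """For a 2-of-n split, show that one share is consistent with *any* guessed secret.

    Given a point (x, y) and a candidate constant term, there is always a
    slope a1 with y = guess + a1*x, so a lone custodian learns nothing.
    """
    x, y = share
    guess = int.from_bytes(guess_bytes, "big")
    a1 = (y - guess) * pow(x, PRIME - 2, PRIME) % PRIME
    return _eval_poly([guess, a1], x) == y


def demo():
    """Exercise the split on the constructed sample entropy and report each property."""
    shares = split_secret(SAMPLE_ENTROPY)
    results = {
        "two_shares_recover": recover_secret(shares[:2]) == SAMPLE_ENTROPY,
        "other_pair_recovers": recover_secret([shares[0], shares[2]]) == SAMPLE_ENTROPY,
        "one_share_fits_zero_secret": single_share_fits_secret(shares[0], bytes(32)),
    }
    # Caveat: plain Shamir sharing has no integrity check. A custodian that
    # returns a corrupted share causes a wrong seed to be rebuilt silently.
    tampered = (shares[1][0], (shares[1][1] + 1) % PRIME)
    results["tampered_share_yields_wrong_secret"] = (
        recover_secret([shares[0], tampered]) != SAMPLE_ENTROPY
    )
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The last check is the caveat worth keeping in mind when reading the rest of the article: a threshold split protects confidentiality against any single custodian, but the integrity and authenticity of the returned shares, and the identity check that gates their release, rest entirely on the custodians and on the firmware that performs the split and the reassembly. That is exactly the trust the critics quoted below object to.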
In a subsequent Twitter thread on Tuesday, Ledger emphasized that the service is completely “optional” and is not automatically activated by any firmware update. “Your Secret Recovery Phrase is securely generated on your device. We have no access to it,” the company stated.
Can Ledger “Rug” Users’ Private Keys?
Despite Ledger’s reassurances, community apprehensions continued to grow around a central concern: the update demonstrated that Ledger devices do not, contrary to the manufacturer’s claims, safeguard users’ private keys from all external access.
“Trusting the proprietary secure element to do its part was the single thread that held this company together and now, that’s been severed,” commented Reddit user StPinkie in response to Ledger on Tuesday. “I can no longer recommend Ledger to anyone who values their digital sovereignty.”
Notable crypto developer, writer, and auditor “foobar” on Twitter echoed this sentiment, urging followers to transition away from Ledger wallets immediately.
“The glaring issue with this update is that it exposes that your private key can be compromised at any time with a malicious or erroneous firmware update,” he remarked.
Other users pointed out the inconsistency between Ledger’s claims on its website that users’ keys “never leave the device,” and its Ledger Recover service, which “distributes” users’ private keys to three different providers in fragments, as stated by CEO Pascal Gauthier.
Many in the community suggested that Ledger should introduce a separate wallet that provides a seed-recovery service, rather than implementing it as a firmware update for existing customers who anticipated maximum security from their devices.
Ledger has jeopardized user security before: in July 2020 it inadvertently exposed the personal information of over 270,000 customers, who subsequently became targets of email and SMS phishing campaigns. That breach did not affect the security of users’ private keys.
Following the collapse of FTX in November, Ledger experienced a surge in sales as investors sought to secure their cryptocurrency independently without relying on centralized intermediaries.