
Ledger Faces Backlash for Potential User Seed Phrase Breach

Crypto hardware wallet provider Ledger is facing severe backlash from its online user base following the release of a controversial firmware update that has raised concerns about the security model of its devices. Despite Ledger’s assurances that the new functionality is safe and strictly optional, security researchers and cryptocurrency holders are voicing their dissatisfaction and distancing themselves from the company.

The discontent began to escalate when a Reddit user named Joe_Smith_Reddit posted a question demanding a clear answer on whether Ledger devices have a built-in backdoor for accessing users’ private keys.

Private keys are the secret values that authorize spending from a wallet’s addresses on the blockchain. The question concerned Ledger’s recently introduced “Ledger Recover” service, designed to let Nano X owners regain access to their crypto assets even if they lose both the wallet device and the recovery phrase. The recovery phrase (a BIP39 mnemonic, 24 words on Ledger devices) encodes the seed from which every private key in the wallet is derived, so whoever holds the phrase controls the funds.

According to Ledger, the service, enabled through firmware update 2.2.1, makes a copy of the recovery phrase on the device, encrypts that copy, splits the ciphertext into three fragments, and stores one fragment with each of three custodians: Ledger, Coincover, and a third, unnamed provider. To enrol in the service, users must verify their identity with an ID document and a selfie recording.

Attempting to address the growing concerns, Ledger took to Twitter to emphasize that the service is entirely optional and is not switched on by any firmware update on its own. The company added that users’ secret recovery phrases are generated on their own devices, and that Ledger has no access to them unless the user enrols.

Despite these assurances from Ledger, the community’s worries persist around one central issue: the update shows that the device firmware can read the seed out of the secure element and send it off the device (encrypted and with the user’s consent), so protection of the seed rests on how the firmware behaves rather than on a hardware guarantee that export is impossible, which is what many users believed they had bought. Reddit user StPinkie expressed disappointment, stating that trust in the proprietary secure element, which was a cornerstone of the company, has been shattered.

StPinkie added that they can no longer recommend Ledger to anyone concerned with keeping sovereign control of their keys.

Crypto developer, writer, and auditor “foobar” echoed this sentiment on Twitter, urging followers to move away from Ledger wallets immediately. They highlighted the update’s core problem: once the firmware is able to export the seed, a malicious or buggy firmware update becomes a path to exposing users’ private keys.

Users also pointed out a contradiction between the claim on Ledger’s website that users’ keys “never leave the device” and the Recover service, which, as CEO Pascal Gauthier explained, sends shards of the encrypted recovery phrase to three different providers.

Within the community, many suggested that Ledger offer the seed-recovery service on a separate product line rather than shipping it as a firmware update to existing devices whose owners bought them expecting the highest level of key isolation.

It is worth noting that Ledger has suffered security incidents before, including the breach disclosed in July 2020 in which the personal information of over 270,000 customers was exposed from the company’s e-commerce database. That incident did not involve device seeds or private keys, although the leaked contact details were later used in phishing campaigns against Ledger customers.

Ledger saw a surge in sales following the collapse of FTX in November 2022, as investors sought to hold their cryptocurrencies in self-custody rather than rely on centralized intermediaries.

Image Credit: Shutterstock
