The recent “Ledger Recover” feature launched by Ledger has caused a great deal of controversy and concern among its community. This feature allows users to recover their seed phrase in the event of loss by splitting it into 3 encrypted parts. However, Ledger’s communication regarding this new feature has been heavily criticised.
Ledger Recover creates controversy
Since the introduction of its new “Ledger Recover” feature, the eponymous company has been struggling to reassure its community about how it works. And for good reason: this feature essentially extracts the user’s seed phrase, then splits it into 3 separate, encrypted parts so that it can be reconstructed if necessary. An extraction that worries some.
Available exclusively on the Nano X model (for the time being), Ledger Recover enables users to recover their seed phrase if they lose it. As explained in Ledger’s documentation on the subject, users need to verify their identity with the service providers chosen by Ledger, namely Onfido and Electronic IDentification, in order to access this service. For its part, Ledger states that it does not keep any identity information on its customers using this solution.
Once their identity has been verified, users will have to manually approve the process via their Ledger Nano X, and that’s all there is to it. If the user in question ever wants to recover their seed, they simply need to have their identity verified and connect their Nano X to Ledger Recover from their computer.
Ledger assures that this process is ultra-secure, and that the cut-out parts of the seed (via the Shamir algorithm) are fully encrypted at Ledger’s service providers. Above all, they are transmitted completely independently of each other.
A clear lack of communication
Clearly, Ledger should have communicated better about the release of Ledger Recover, and the negative comments that continue to rain down on social networks are proof of that. One of the reasons for the controversy was a tweet from Ledger in November 2022 stating that users’ private keys could not be extracted from “Secure Elements”, the chip designed by Ledger and manufactured by STMicroelectronics.
Nov 2022: A firmware update cannot extract the private keys from the Secure Element – Ledger
May 2023: Technically speaking it is and always has been possible to write firmware that facilitates key extraction – Ledger@Ledger, do you now understand the problem? pic.twitter.com/czG53SuCOu
– olimpio (@OlimpioCrypto) May 17, 2023
The networks quickly went wild, as evidenced by a Reddit post (over 1,000 upvotes and 800 comments) by an angry user:
“I can’t believe what I’m reading, it seems absolutely crazy for a hardware wallet provider to encourage you to save your seed phrase online AND give them your passport/ID – especially one that has already suffered a data breach! […] Once again, I can’t believe it. Apart from the risk of being hacked again, apart from the fact that it flies in the face of never sharing your seed and never storing it online, it opens the door to a whole new level of cryptocurrency scammers!”
Ledger’s May 17 tweet stating “it had always been possible to code firmware that enabled key mining” has since been deleted. Instead, Ledger support is redirecting its community to a long thread by Charles Guillemet, Ledger’s CTO, aimed at explaining how a hardware wallet works
Eric Larchevêque wants to reassure users
Such is the controversy that Eric Larchevêque, Ledger’s co-founder and former CEO, had to give his own opinion (and confirm the company’s lack of communication) in a post on Reddit:
“I’m not sure I’m right.
“I’m devastated to come to this subreddit, which I created nine years ago, and see images of Ledger devices burning, insults and a lot of anger. Honestly, I’m on the verge of tears. […] My first step is to apologise as co-founder for the way the launch was handled. […] For me, this whole debacle is a total PR failure, but absolutely not a technical one. “
He also claims that Ledger’s security model has not changed at all:
The hard truth, which has been confirmed by many experts who have taken the time to look into the matter, is that nothing has changed. Absolutely nothing has changed. The security model is the same as it was before you knew about Ledger Recover. […] What has changed is the perspective that some of you had on untrustworthiness, which turned out to be much more nuanced than you thought, and because it’s such a sensitive topic, a lot of people got extremely angry because they felt they’d been lied to. “
Whatever the case, Ledger insists that its new feature is entirely optional, and that the seed of a user who has not subscribed to this service cannot leave the key in any way. Fractions of seeds cannot be transferred without the user’s manual consent. Charles Guillemet reiterated: “
“.
“In reality, inside a Ledger, there is a secure element, and it is this element that contains the keys, the operating system and the applications. The operating system still needs the key to perform transaction signatures, but this is all done with the user’s consent.”
