Seth for Privacy about Ledger Recover: “It's as bad as we thought”

Original post on Twitter: https://twitter.com/sethforprivacy/status/1671532777441841158

The hardwallet's company, Ledger, published this last week the whitepaper of the controversial Ledger Recover feature. The document is part of an effort by the company to regain the trust of its users, after the controversy involving security concerns with the announcement of the Ledger Recover update.

But the reaction was not what was expected. On Wednesday (21), security expert Seth for Privacy published a thread on Twitter addressing the information, risks, positives, and negatives of the backup service of one of the most popular physical wallets in the cryptocurrency industry. And he wasn't smooth at all:

It confirms it's as bad as we thought, and still completely unverifiable in practice.

The also Head of Content at FOUNDATIONdvcs — open source cold wallet for Bitcoin (BTC) and Monero (XMR) — found points in the documentation that he says pose risks to users.

“The bombshell here is the explicit confirmation that Ledger themselves hold the master decryption key for all Ledger Recover users”, says Seth. “Your seed is encrypted using their key and not your own, so they always hold the ability to decrypt your seed from shards.”

https://preview.redd.it/bgwpzk5ej78b1.png?1200&format=png&auto=webp&s=731561e47b31f1a348c00d82deee2b6ccf13ca79

In this, Seth for Privacy comments that there are two “massive risks”:

Ledger may collaborate with another custodian and steal/seize funds at will without user consent;
If a hacker steals this master key, he could decrypt any seed fragments obtained from hacks against custodians (low probability).

Seed is how the encryption of the private key is known, capable of signing cryptocurrency transactions. It is the basis of all crypto technology that guarantees the security of funds and allows only those who have this information to be able to send their crypto assets.

Normally, the cryptocurrency wallets most recommended by experts do not store this data (the seed) on the company's servers, or on third-party servers. The seed storage takes place only on the user's device (client-side) — it is the wallet owner's sole responsibility to keep his keys safe and avoid the need to trust third parties.

Until then, these risks were just speculations about a possible security breach in the Ledger Recover protocol, but they were confirmed with the publication of the whitepaper.

The expert also points to the risk of confiscation by government entities, which could force Ledger to give up access to its customers' funds.

The scariest risk is now seizure by a state/law enforcement as a simple subpoena (a very low bar in the US at least) could force Ledger and another custodian to seize funds.

Pascal Gauthier, CEO of Ledger, had already commented on this possibility. Confirming that a court order from a government could cause Ledger to reveal the passwords of the cold wallets of its customers who use the Ledger Recover system.

The third point of attention raised by Seth for Privacy is about the creation of a dependency on Ledger by users. That they would be unable to access their funds stored with Ledger Recover, without the company's intermediary.

As the guarantee of ownership over cryptocurrencies is given through the seed/private-key and not through a specific application or device; users have the security of being able to access their funds through any other service, if they want or need to. Which would not happen on this Ledger service.

“This also opens up a strange 'walled garden' dependence on Ledger as their master key is only present on Ledger devices, locking you in to only recovering your funds onto another Ledger”, says Seth.

Want to just get your seed phrase and move funds? Not gonna happen.

Concluding the content on the topic, he also points to the fact that nothing written in the document is verifiable, as the software remains closed for code auditing.

The bright side

Not everything is thorns, however. Seth for Privacy praises the variant of the Shamir’s Secret Sharing method, applied by Ledger. Responsible for sharing the three shards of the users' access key, with the partner companies that will be responsible for storing this data and enabling the recovery of access in case of need.

According to the expert, the method prevents data from being intercepted by attackers while it is being sent to partners in Ledger Recover.

submitted by /u/vinibarbosa
[link] [comments]

You can get bonuses upto $100 FREE BONUS when you:
💰 Install these recommended apps:
💲 SocialGood - 100% Crypto Back on Everyday Shopping
💲 xPortal - The DeFi For The Next Billion
💲 CryptoTab Browser - Lightweight, fast, and ready to mine!
💰 Register on these recommended exchanges:
🟡 Binance🟡 Bitfinex🟡 Bitmart🟡 Bittrex🟡 Bitget
🟡 CoinEx🟡 Crypto.com🟡 Gate.io🟡 Huobi🟡 Kucoin.

Bitcoin.com

	The Riveting World of Bombay Club
	SOCIAL GOOD 100$ free sign up bonus + 100% Cashback on daily purchases
	Ethereum Expected to Thrive in 2023
	How To Get Started On Cryptocurrency Gaming
	5 Important Features of White Label NFT Marketplace
	How to get started with crypto gambling
	Best 7 Web3 Apps That Pay You Crypto
	6 Must-Have Tools For Crypto Traders
	Can Ethereum 2.0 Be Converted to Cash?
	Cryptocurrency in Gambling: Features and Benefits
	What are the Core Facets of a Successful Cryptocurrency?
	Cost to Develop Your Own Cryptocurrency Website
	EgldRush - The best Elrond NFT project Farming, Staking, Rewarding
	Choosing a Safe Cryptocurrency Exchange 2022
	Let's Talk About Security in Crypto

Seth for Privacy about Ledger Recover: “It's as bad as we thought”

In this, Seth for Privacy comments that there are two “massive risks”:

The bright side

Comments

Categories

Tags

Subscribe

In this, Seth for Privacy comments that there are two “massive risks”:

The bright side

Related Posts

Comments