Ledger

“We don’t want it” CT Responds To Ledger Recover

Summary:

  • Ledger’s latest update touted as an “additional safety net” received backlash from customers and crypto Twitter commentators.
  • The company’s response on social media left users unconvinced and seemingly did little to address security concerns regarding private keys and a new attack vector that the recovery firmware could unearth.
  • Ledger Recover will allow users to opt-in for a monthly subscription to back up their seed phrase with another seed phrase stored at three custodians, two of which are third-party.

Crypto Twitter brimmed with opposition to Ledger’s latest firmware feature that will back up customers’ seed phrase if they choose to opt-in to a monthly subscription for custody services.

Ledger Recover was announced on May 16 much to the sock of customers thanks to a supposed turnaround on the company’s so-called dedication to security. The firmware update will give wallet users the option to back up their seed phrase with three custodians, a feature meant as a safeguard should any user lose their private keys.

Ledger Defends Recover Subscription

The hardware wallet maker clarified – after heavy community backlash – that the seed phrase sent to custodians is generated as an additional private key of sorts. A Twitter thread was released explaining the mechanics, although the post seems to have raised more questions than answers.

Ledger Recover encrypts a version of your private key, splits it into three parts, and sends each part or shard to one of three custodians if a customer chooses to subscribe. The feature is currently only available on the company’s Nano X wallet. Although, customers raised concerns that an update could expose their seed phrase to anyone but themselves, a thing that was previously thought impossible on any Ledger device.

Security expert and Polygon Labs CISO Mudit Gupta noted that private keys could be reconstructed using 2/3 of the shards, a problem that leaves wallet users open to a new attack vector.

Other users on Twitter completely rejected the update and asked the wallet maker to bin the idea or release a separate wallet product line for the recovery feature.

“We don’t want it” CT Responds To Ledger Recover 15