“We don’t want it” CT Responds To Ledger Recover

Summary:

  • Ledger’s latest update, touted as an “additional safety net,” received backlash from customers and crypto Twitter commentators.
  • The company’s response on social media left users unconvinced and seemingly did little to address security concerns about private keys and a new attack vector that the recovery firmware could open up.
  • Ledger Recover will allow users to opt in to a monthly subscription that backs up their seed phrase with another seed phrase stored at three custodians, two of which are third parties.

Crypto Twitter brimmed with opposition to Ledger’s latest firmware feature, which will back up customers’ seed phrases if they choose to opt in to a monthly subscription for custody services.

Ledger Recover was announced on May 16, much to the shock of customers, who saw it as a turnaround on the company’s so-called dedication to security. The firmware update will give wallet users the option to back up their seed phrase with three custodians, a feature meant as a safeguard should any user lose their private keys.

Ledger Defends Recover Subscription

The hardware wallet maker clarified, after heavy community backlash, that the seed phrase sent to custodians is generated as an additional private key of sorts. A Twitter thread was released explaining the mechanics, although the post seems to have raised more questions than it answered.

If a customer chooses to subscribe, Ledger Recover encrypts a version of their private key, splits it into three parts, and sends each part, or shard, to one of three custodians. The feature is currently only available on the company’s Nano X wallet. However, customers raised concerns that an update could expose their seed phrase to someone other than themselves, something previously thought impossible on any Ledger device.

Security expert and Polygon Labs CISO Mudit Gupta noted that private keys could be reconstructed using 2/3 of the shards, a problem that leaves wallet users open to a new attack vector.

Other users on Twitter completely rejected the update and asked the wallet maker to bin the idea or release a separate wallet product line for the recovery feature.
