Ledger, the leading Bitcoin & Cryptocurrency hardware wallet manufacturer launched their new Recover product last week. It’s a subscription backup service that offers users a different way to protect against lost funds in the event that their Ledger hardware signing device is lost, stolen or destroyed. Ledger Recover does this by splitting up their key into three shares which are uploaded to and stored by Ledger and two other custodians. Rather than having a Seed Word as backup in a disaster, with Recover you upload proof of ID to the custodians, to convince them to send your shares back to you.

This announcement… didn’t exactly go down well on Twitter. People started freaking out, having previously understood that their private key was permanently locked within their Ledger – yet here was Ledger themselves proudly announcing a feature that’d extract it and upload it to the internet. Ledger has been forced into damage-control mode, and has paused the roll-out for Recover while the atmosphere is hot.

Let’s back up for a second.

Seed Words

The industry has standardised around seed words Bitcoin Improvement Proposal BIP-39 provides a list of 2049 possible ‘seed’ words, from which the private key of a wallet can be derived. These words are easier to back up or remember than a long string of digits.
They correspond to the private key but technically aren’t quite the same thing.as the way to back up Bitcoin and crypto wallets. These are usually 12 or 24 words that you write down and hide safely, to be able to load them into a new wallet if you ever lose access to the original. When you set up basically any new wallet, it’ll prompt you to write down these words as a backup.

Yet many people have fallen victim to lost or wrong seed phrases: forgetting where they put the backup; realising they wrote it down wrong years ago, or having their mum run it through the wash. New users can struggle to grasp the significance of the seed words, not understanding that the backup is literally the same thing as their wallet’s private key, and having the seed is the same as having their coins – so they set everything up correctly, doing everything right up until the moment they type the seed into a Google Doc; not understanding how that last step has just irreparably compromised the wallet.

Peter McCormack 🏴‍☠️ @PeterMcCormack

Met a new bitcoiner today:
- Proud they bought a whole coin
- Proud they bought a hardware device
- Proud they moved coin to device
- Proud they secured device
- Proud they backed up seed phrase in a Google Doc

Where did they go wrong?

01:02 AM · Jan 18, 2023

Ledger believes Recover fixes this. Instead of a user taking the responsibility upon themselves to safely and securely store a seed phrase, all they have to do is be able to identify themselves to the Recover custodians, who handle the hard part of storing a seed for them. As Ledger puts it, you become the key to your wallet.

The seed is split into three pieces, or shares, where each of these on its own not enough to know what the original is. At-least two shares are required to recover it, and Recover splits all the shares up geographically and jurisdictionally between three custodians: themselves in France, CoinCover in the UK and EscrowTech in the USA. Per Ledger documentation and Privacy Policy

So, none of the custodians on their own are able to access the private key, meaning they are unable to see or steal any of a user’s funds without colluding That is, for your funds to be seized or stolen through Ledger Recover, two or more of the custodians need to come together and combine their separate shares of the backup. Or, two or more of them need to succumb to a hacking attack. with another.

The tech underpinning this is a 2-of-3 Shamir’s Secret Share of the private key, which isn’t something Ledger have just invented, and has already been used extensively by cryptographers since its invention in 1979. Each of the shares are also encrypted as a protection against loss or theft, but with encryption keys known to the custodians not the Recover user.

When you initiate a wallet recovery, you first authenticate yourself to the custodians using a Passport or National ID through a ‘KYC’ process, then each sends the share they have to your new Ledger device where they are recombined, revealing the private key and reconstructing the wallet on the device itself.

Maybe it’s just not for you?

Depending on who you are, you might absolutely hate this idea; or you might quite like it and be wondering what all the drama is about.

I’ll be honest, I don’t like it at all, but here’s the thing: there a number of different Hardware Signing Devices (aka Wallets) available, and each is trying to be the best to a different user. This necessitates making different design choices, and making different trade-offs, and these choices aren’t for me. But maybe they are for you?

What matters is whether adding this feature inherently makes Ledger’s devices less secure for those that don’t want to use Recover.

We’ve seen similar controversy before, four years ago when Ledger launched the Nano X adding Bluetooth connectivity. Many then were worried about this broadcasting that there was a Ledger nearby to any other devices with Bluetooth, or thinking that the private key would leave the device over the connection whilst signing transactions (it doesn’t). Today this controversy has largely been forgotten, and the Nano X has gone on to be a popular device.

Sure, there are Signing Device puritans for whom Ledger’s design choices are unacceptable, and only the ColdCard and those with similar principles like the Passport and SeedSigner will do. And they’re right, Bluetooth is an attack vector, as is ever conncting it to a computer via USB as you do with all Ledger models, as well as the Trezor, BitBox02 and others – even the ColdCard can be used over USB, though this is discouraged.

The ColdCard Hardware wallet, by Coinkite.

The ColdCard is perhaps the high-water mark for key security, though that’s not a universally held opinion. It does many things right – it uses dual multi-vendor Secure Elements (SEs); encourages airgapped-use with disabled USB and NFC, only passing transactions to and from the device by physically moving a SD card around. It comes in a tamper-proof bag; you have to get it direct from Coinkite; focussing on Bitcoin-only keeps it simpler; the firmware is on GitHub for anyone to view and verify; there are half a dozen or so decoy and trap security features you can use. Basically, there’s a laundry list of security features that add complexity, but bring with them extra protection.

But then, the ColdCard is also not for everyone. Its no-compromise approach to security does make it less forgiving, and easier to mess-up for yourself. A super-paranoid maximally secure ColdCard setup guide runs to around thirty separate steps (the list is in the afterword if you’re interested).

Maybe it is for you?

Fundamentally, Ledger Recover is an opt-in feature. If you don’t want to use it, you’re not going to be forced to, and your Ledger will never create these backup seed shares and export them without you initiating it on the device. This is the same level of trust you’ve already had in your Ledger that it isn’t going to approve a transaction and sign it until you’ve pressed the buttons to do so.

Nevertheless, the security trade-offs are substantially different between a classic Seed Word backup and this.

But, lots of people struggle with storing Seed Words safely and responsibly. According to Ledger’s CEO, lots of customers and potential customers they’ve talked to want this.

People online are saying our customers don’t want this.

A lot of our customers actually want it. A lot of future customers want it, and most of the people that say I don’t want to use a ledger are saying that because I don’t trust myself with the 24 words.

So actually we’re trying to solve one of the biggest pain points to onboard the next generation of users into self-custody. Self-custody is much safer than any other form of custody that you have in the market.

If you choose to use Recover, it’s important to recognise that you’re extending your trust beyond just Ledger and placing it in their two co-custodians too. The issue is not only that Ledger-the-company may turn out to be a malicious actor – that’s highly unlikely – but more whether a rogue employee, hostile state infiltrator (a spy) or more-generally another adversary (a court) can force Ledger into revealing your private key or circumvent their security, against both your and Ledger’s wishes. This too is improbable, but it can and has happened in the past. Coinkite’s NVK cited Gemalto on the What Bitcoin Did podcast Ep.661 as an example, where the NSA and GCHQ allegedly compromised their SIM card keys, revealed in Edward Snowden’s NSA leak.

The Great SIM Heist –How Spies Stole the Keys to the Encryption Castle
The Intercept
19^th Feb 2015

Again, the backup is split between three different companies, which can’t individually access your private key – so this isn’t just as bad as leaving your coins on an exchange.

But you may lose some privacy. Recover uses KYC to authenticate you when restoring a backup, so your face and ID are going to be stored alongside the Recover backup to make that possible. If you already accept KYC risk by buying coins from KYC exchanges like Kraken, Coinbase or Binance, then maybe this isn’t a concern for you. You’ll also have to be guarded against phishing and social-engineering attempts looking to get you to give an attacker KYC data so they can pretend to be you and steal your backups, an attack that doesn’t really apply to Seed Words.

Are you concerned about legal risk? If one or more of these backup companies is subpoenaed, Ledger acknowledge that they would have to comply and turn-over your backups, giving the authorities access to your funds and on-chain transaction history. Law enforcement agencies often have extensive criminal investigation powers including the ability to obtain production orders requiring information to be produced. It may result in a criminal offense for any entity supporting Ledger Recover to fail to comply with a production order, but [we] would always take all reasonable steps to verify a production order before complying with it. […] Since a minimum of two of three fragments would be required to gain access to your wallet, it is likely that an order would need to be obtained in at least two jurisdictions.
Ledger Recover FAQ

Ledger’s CEO, Pascal Gauthier, thinks this is highly unlikely to happen, and not a concern for the vast majority of Ledger’s customers.

It’s true that should be the case, but we only have to look a few years back to the Canadian Trucker protests of 2022 where the government of an ostensibly free country invoked an Emergencies Act and rapidly seized and froze the cryptoassets of protesters, as well as other financial assets. Canada Sanctions 34 Crypto Wallets Tied to Trucker ‘Freedom Convoy’
Coindesk
11^th May 2022 I’m sure most of them never thought that would happen to them.

Long before the crackdown on the Canadian protests, the IRS in the United States has used broad ‘John Doe’ summonses to force the Coinbase exchange to hand them the identities of U.S. Taxpayers who have used virtual currency Court Authorizes Service of John Doe Summons Seeking the Identities of U.S. Taxpayers Who Have Used Virtual Currency
Internal revenue Service, United States Department of Justice
30^th Nov 2016 . Your financial data may have already been requested and duly received by your Government. In fairness, Ledger’s CEO is correct to point out that they are distinct from Coinbase in that they are not an Exchange, so the IRS does not have the same ’legitimate’ interest in whatever data they may have.

The three backup custodians for Recover are based in France (Ledger), the UK (CoinCover) and the USA (EscrowTech). It’s fair to say these three have a good relationship, and frequently co-operate on enforcement matters and foreign policy. If you’re lucky enough to get put on the OFAC list, is it not likely that the French and British custodians will also comply with that American sanction?

Both Ledger Recover and Trezor’s new CoinJoin implementation that also recently attracted anger after announcing that it would be gated by Chain Analysis suggest a trend amongst some hardware manufacturers – they have a diminishing willingness to build products that could work for criminals. If you’re an ordinary Joe, don’t worry – but don’t expect your wallet manufacturer to take any heat to protect you.

Again, here’s a trade-off that manufactures make: Ledger have their companion software Ledger Live that provides an easy oven-ready setup with everything you need; whereas Coinkite doesn’t talk user numbers, deletes sales data as soon as they can, and doesn’t have a companion app with hosted Bitcoin Nodes to avoid the liability of knowing who you are or ever seeing your public key. You have to pick a wallet app like Sparrow made by someone else for yourself. Not as easy, but safer.

At the end of the day, the decision is yours, whether you prefer the risks and trade-offs of sticking with seed words as backup, or if you’d prefer to use Ledger Recover.

Should I worry about my Ledger?

Is this new feature a concern even if you don’t want to use Recover? Is the security of a Ledger inherently reduced by this feature?

Unfortunately, it seems many people have misunderstood how Signing Devices work. Whether they use Secure Element chips or not, they are basically all capable of extracting your private key from their enclave into the main microprocessor, with varying caveats To the best of my knowledge that there are no Secure Elements currently available that can do the secp256k1 cryptography on-device required to sign Bitcoin transactions, so this necessarily must happen in firmware.. Ledger can, even a ColdCard can! And if that’s possible, and the main microprocessor is also responsible for the display and interfaces like USB, then it follows that it’s possible to write malicious firmware for all of them that would extract the private key or seed, and hand it to an attacker over USB.

Don’t believe me? With a ColdCard, you can view the seed words on the device’s screen once it’s unlocked. Advanced Menu → Danger Zone → Seed Functions → View Seed Words. If they’re on the screen, they’re not just in the Secure Element. The difference between writing them to the screen and writing them out over USB is just a difference of software.

So, while it seems to come as an unwelcome surprise to many, yes, it has always been possible to write firmware that facilitates key extraction. You’ve always trusted Ledger not to deploy such firmware whether you knew it or not.

Moving to a different signing device is not going to change that fact – although, using a device that can be airgapped – that is, used without ever being directly connected to a computer does immediately allay most of this fear. Even if your device has been poisoned with private key extracting firmware, getting that key off the device over an airgap is really hard to do.

So, ditch Ledger if you want to – but please understand that the other devices aren’t different in this fundamental aspect.

The Recover code in the firmware is not a malicious code nor does it open a way to arbitrary extract the seed.

If you trust the device to sign a transaction only when you press a button, then you can trust the device to compute a SSS (a shard of the seed) only if you press a button.

Messaging Matters

The crux of this whole fiasco may then just be a matter of messed-up messaging. Ledger have previously claimed that it was impossible to issue a firmware update that could extract the private key, which as we’ve seen now is clearly incorrect:

Ledger @Ledger

Hi - your private keys never leave the Secure Element chip, which has never been hacked. The Secure Element is 3rd party certified, and is the same technology as used in passports and credit cards. A firmware update cannot extract the private keys from the Secure Element.

04:12 PM · Nov 15, 2022

Contrast this with the reality that hit in this tweet that’s since been deleted by Ledger Support:

Ledger Support @Ledger_Support

(1/2) technically speaking it is and has always been possible to write firmware that facilitates key extraction. You have always trusted Ledger not to deploy such firmware whether you knew it or not.

06:49 PM · May 17, 2023

This kind of sloppiness with detail has clearly led many people to believe their relationship with Ledger is trustless, as Éric Larchevêque, Ledger co-founder phrased it on Reddit. That trust has been broken as Ledger users realise their relationship to the company isn’t as secure as they believed it to be. It doesn’t matter that the trust was misguided, it matters that it was broken.

My mistake as a CEO during my tenure was probably not be relentless enough about explaining the security model, but at some point you just give up as people don’t care at all. Until they care again, like now.

The hard truth, which has been confirmed by many experts who took the time to actually deep dive on the subject, is that nothing changed. Absolutely nothing happened. The security model is the same than before you knew Ledger Recover existed.

What changed is the perspective some of you had on the trustlessness, which appeared to be much more nuanced than you thought, and as this is a very sensible subject, many became extremely angered because they felt lied to.

This is a sequencing and communication fuckup, not a technical one. Just enough info to freak people out was pushed out on Twitter, but not enough to understand what was actually happening, what the risks and protections were.

Credit @cb7da12 on Twitter

Naturally the reaction to this is negative, with confused and angry users posting about their concerns and many others including big names in the space dogpiling on to accelerate the fire. A Twitter search for bye ledger yields a stream of images of new wallets from other makers and even some Ledgers being smashed and binned.

Duo Nine ⚡ @DU09BTC

Yo @Ledger, does this mean you can access my #BTC?

OR

Does it mean you can access my #BTC only if I subscribe to your Ledger Recover service?

Which one is true? Or are they both? 👀

08:58 AM · May 16, 2023

The concern above isn’t valid, but how was the poster supposed to know?

You have to wonder how this new feature went down when internally circulated. To their credit, Ledger’s DonJon security research program has spent millions supporting Bitcoin and cryptocurrency custody relentlessly, and has made Ledger’s own devices and many of their competitors’ safer as a result. So, surely that team might’ve had a similar initial scepticism (or ick) towards the idea before seeing detail?

As a result of this self-inflicted hailstorm, Ledger have damaged their reputation and handed their competitors free marketing and users.

So, can Ledger recover?

In the end, this is about trust. Treating the manufacturer of your hardware signing device as an adversary in every way is a non-sequitur. You have to have a degree of trust in them to produce and deliver to you a product that does what it says.

Ledger have acknowledged the mess and the miscommunication, and are taking steps to be more transparent in the future – open-sourcing more of their code, responding to criticism and apologising for the upset.

Despite the controversy, I think Ledger will be fine, and even that Recover will be a successful product. But rebuilding lost trust and reputation is going to take them a while.

If you have been using a Ledger and it’s worked well for you, I don’t think this is a reason to drop it and switch to a new wallet. It’s not for me, but it might be for you – it’s a great piece of hardware, and one I think I’ll still recommend to people that might have a hard time with a ColdCard.

We believe wholeheartedly in the need for a service like Ledger Recover—those of us who have been in the space for a long time, over a decade in my case, have a responsibility to ensure everyone can be self-sovereign and can have self-custody over their digital value. This is the ethos of crypto. The main pain point for crypto self-custody adoption is precisely the problem of seed phrase recovery. The majority of users in crypto today either don’t own their private keys and/or are putting their private keys at risk using less secure forms of self-custody, and hard-to-use forms of storing and securing their seed phrase.

Afterword

Maybe this is for you?!

The ultra-paranoid guide for the ColdCard goes something like this:

1. You got the ColdCard delivered to a fake name and not your home address, paid with no-KYC anon Bitcoin using a burner email, right?
2. Windowless room, no cameras, phones, computers or microphones.
3. Check the tamper evident bag isn’t void or tampered with.
4. Check the case has not been tampered with, and electronics have glue blobs on them. Remember what the blobs look like.
5. Power up the device with an isolated power supply like a battery (Never a computer USB port!)
6. Check the bag number matches the device’s burnt-in number.
7. Disable the USB port in the ColdCard’s settings.
8. Download latest firmware image.
9. Check and verify the PGP signature for the firmware image’s sha256sum.
10. Put the firmware on an industrial-grade SD card, and update the ColdCard’s firmware.
11. Set up the device using a 12 digit PIN, remembering the anti-phishing words.
12. Get some dice and get ready to roll them 100 times or more.
13. Generate a throw-away seed using dice rolls and verify it on a computer just to check the ColdCard isn’t lying to you.
14. Generate your actual seed on the ColdCard with 100+ dice throws.
15. Write this seed down on paper to get through initial set-up.
16. Split the seed into three parts or more using SeedXOR. Write each of these down separately.
17. Get the SeedXOR worksheet and manually reconstruct the initial seed from your XOR parts, checking it matches the original seed.
18. Still reading? Why?
19. Now eat/set fire to the original seed, keeping only the XOR seeds. (I’m serious.)
20. Wipe the ColdCard and restore the seed onto it using the XOR seeds. Check that the restored seed/master fingerprint is correct.
21. Make two to three copies of each of these XOR seeds, optionally using metal backup plates (IMHO these are a scam) or coming up with clever stenographic techniques to make them hard to identify as seed backups.
22. Distribute your XOR seeds geographically in places that you trust to be secure. Think of very clever hiding places.
23. Come up with a passphrase to use in addition to the seed stored on the ColdCard. Back this up separately to your seeds, or really trust yourself to not forget it
24. Set at least one trick PIN to destroy the device or trick a physical attacker.
25. Repeat all of the above with the two or more other ColdCards (or other comparably paranoid Signing Devices) you also bought for a multisig setup, right?
26. Coordinate an air-gapped multisig setup. Import this into Sparrow (because all other wallet software sucks). You’re already running your own Full Node over Tor, right?
27. Never tell anyone you have a ColdCard, never talk about your stack, throw the free stickers away.
28. Work out how to explain to your relatives how to recover your funds in the event of your death later.

That’s… not a trivial list of things to do. How many people understand, or frankly care for why each of these steps is necessary, and what threat it is protecting against?

Me? I love this, and it’s exactly the amount of tinfoil paranoia I want in a Signing Device. ColdCard’s security model is tight, and covers as many bases as it can.

But my Dad? Sorry, no chance. To him, this is a massive roadblock that’s going to deter him from using a ColdCard and getting off zero Bitcoin in the first place – but using any half-decent hardware signing device like a Ledger or Trezor is still leaps and bounds better than buying Bitcoin and leaving it on a custodial exchange, or having none at all.

So that is the problem Ledger solves, aiming for accessibility and a large addressable market, rather than making the most-secure Signing Device possible.