Ledger causes a scandal. A founder reveals a de facto backdoor in the Nano X device. Together with the requirements imposed by a new service, this has caused a tremendous outcry in the community.
Developers Reveal Backdoor
Ledger is one of the largest producers of hardware wallets. So far, the devices from the French company have enjoyed great popularity. Now some critics predict the company's decline. The Ledger scandal stems from a recent update and questions about wallet security.
The manufacturer Ledger recently introduced a new product called Ledger Recover, which is provided in cooperation with the crypto insurance company Coincover. The service is meant to offer users of the Nano X hardware wallet more security. It does so by backing up the user's key phrase, not manually by the user himself, but through Ledger, Coincover and a third party whose name is unknown.
Time and again, users have lost access to cryptocurrencies whose keys they kept on a Ledger device. The new offer is supposed to put an end to this. The necessary security is to be achieved by dividing the key phrase.
Three fragments are transmitted to three different providers. Access can only be restored if all three fragments are used together. However, the new offer raises big questions among users.
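An illustration of the splitting described above, added here as an example and not Ledger's code: the article does not say which algorithm Ledger Recover uses, so this assumes a simple XOR split in which all three fragments are needed. The function names and the sample secret are constructed for the example.

```python
import secrets

def split_3_of_3(secret: bytes) -> list[bytes]:
    """Split `secret` into three fragments; all three are needed to rebuild it."""
    a = secrets.token_bytes(len(secret))  # uniformly random pad
    b = secrets.token_bytes(len(secret))  # second independent random pad
    c = bytes(s ^ x ^ y for s, x, y in zip(secret, a, b))
    return [a, b, c]

def combine(fragments: list[bytes]) -> bytes:
    """XOR the fragments; the result is the secret only if all three are present."""
    if not fragments or len({len(f) for f in fragments}) != 1:
        raise ValueError("fragments must be non-empty and of equal length")
    out = bytearray(len(fragments[0]))
    for frag in fragments:
        for i, byte in enumerate(frag):
            out[i] ^= byte
    return bytes(out)

def third_fragment_for(frag_a: bytes, frag_b: bytes, candidate: bytes) -> bytes:
    """Return the third fragment that would make two known fragments decode
    to `candidate`. One exists for every candidate, so two fragments alone
    do not narrow down the secret at all."""
    return combine([frag_a, frag_b, candidate])

# Constructed 32-byte value standing in for the secret behind a key phrase.
SAMPLE_SECRET = bytes(range(32))

if __name__ == "__main__":
    frags = split_3_of_3(SAMPLE_SECRET)
    print("all three fragments recover the secret:",
          combine(frags) == SAMPLE_SECRET)
    print("two fragments recover the secret:",
          combine(frags[:2]) == SAMPLE_SECRET)
    decoy = secrets.token_bytes(len(SAMPLE_SECRET))
    forged = third_fragment_for(frags[0], frags[1], decoy)
    print("two fragments are also consistent with a decoy secret:",
          combine([frags[0], frags[1], forged]) == decoy)
```

A split like this protects against any single provider, but the component that performs the split has to read the whole key phrase first.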
“Is there a backdoor in Ledger devices, yes or no?” A user on Reddit confronted the company with this question. One of the company’s founders answered the question, at least indirectly, with “yes.” Specifically, he wrote:
“The device sends encrypted snippets of your key phrase to different companies when you subscribe to the service. Of course you can also create a backup yourself.”
This response came as a shock to the user community, because it means that Ledger devices are technically able to transmit the key phrase over the Internet. Many users fear the risk of abuse at this point.
“I thought the whole point of a Ledger hardware wallet was that the seed is locked in the secure element of the device and cannot be sent out of the device, ensuring no hacker has access,” writes a user on Reddit.
Ledger requires identification
The company founder's response further inflamed an already bad mood. Users complained about the requirements of the Ledger Recover offering. The service, which costs EUR 9.99 per month, requires the user to be identified.
However, this is not about identification with arbitrary data, but with real names. In order for a person to be able to use Ledger Recover, they must first identify themselves with an identification document.
This approach alone triggered an outcry in the community. Users usually attach great importance to privacy, as cryptocurrencies are intended to minimize the necessary trust in government institutions and third parties.
However, if a user identifies himself in connection with a key phrase, there is a risk of state surveillance. If the data gets into the hands of authorities, they could determine exactly what assets the respective user has in cryptocurrencies.
In order for a user to be able to recover their key phrase with Ledger Recover in the event of a loss, they must of course provide unique information so that the service can verify at all whether the person is the rightful owner. Identification documents are used for this.
Critics, on the other hand, fear that an ID card is not secure enough to allow access to the crypto assets.