š§ Reevaluating Ledger: Security Concerns of Ledger Recover
Ledger, the largest cryptocurrency hardware wallet provider, announced a new feature this past week called Ledger Recover.
Ledger Recover aims to make self custody easier for your mom and dad who already can't remember the passwords to their iPhones and who certainly can't be made responsible for a 12 word seed phrase.
Ledger Recover does this by using Shamir's Secret Sharing to split your seed phrase into three hashed shards that, when any two are combined and decrypted by your Ledger, recreates your seed phrase.
After you KYC with Ledger (by giving them your passport information) these three encrypted shards are held by Ledger and two other companies: Coincover and EscrowTech and can be used to recover your funds in the case that you lose your seed phrase or your Ledger device.
Ledger Recover costs $9.99 / month and doesn't work on the original Ledger Nano S.
Like everything else in privacy and security, this is a tradeoff. In this case you're trading off both privacy and security for convenience.
You give your passport information to Ledger (-privacy), you're trusting these three companies to hold your information for you (-security), and in return they will restore your seed phrase for you if you lose it (+convenience).
Unfortunately for the rest of us it doesn't end there.
This feature is being rolled out as part of a firmware update to all Ledger Nano X and later (S+, Stax) devices.
So what's the big deal? Just don't sign up for the service.
The fact that the service exists and can be activated via software means that your Ledger device will have the capability to send seed phrase information to these three companies once you update the firmware.
Ledger's response when this is brought up is basically: "Yeah but you'd still need to press a button to confirm this on the physical device so it's safe enough"
And that response is probably good enough for most people.
In my opinion there is no bad and good in the security space there are only trade offs
Ledger is not better than COLDCARD. Ledger is more convenient and cheaper than COLDCARD but Ledger is less secure.
I compared the two devices in detail here:
Ledger for Cold Storage?
This is a great reason to use a multisig for your cold storage. Today it's Ledger, maybe tomorrow it's Trezor. Trusting a single device manufacturer will always be riskier than spreading your funds across multiple device manufacturers.
If you are going to use a single device, it's probably best to use a wallet with verifiable source code.
For Bitcoin only users looking for alternatives I suggest a COLDCARD and for altcoin holders looking for alternatives I suggest using a Trezor.
I'm in the middle of migrating my cold storage anyway and will be removing my Ledger Nano X from the setup.
That being said I'll probably stick with Ledger for little spending account wallets because I think the UX is still my favorite.
Learn More
Andreas and Jameson Lopp talk more about Ledger Recover here:
As always, Andreas has some of the clearest thoughts on the topic and it's great to see him making content again.
I've been traveling a lot the last few weeks and put out a Ledger tutorial today that was filmed over a month ago (bad timing) but I'll have more content talking about this topic coming out soon.
Wanted to get this blog post out there before I release this Ledger tutorial and everyone loses their goddamn minds
Let me know your thoughts here or over on Twitter
Talk soon.