Topic: Ledger Nano X Battery Pandemic - page 2. (Read 1778 times)

As long as those Ledger crap customers have the decency to replace their "parisian" electro-shit with any other decent hardware wallet, I'm fine with the circus tour. Under my proposed premises, gimme more of this circus, popcorn just got ready.   

I'm pretty sure their so-called QC only exists when they're making promotional videos for YouTube and the fact that the following page still exists after a year clearly shows they only care about finding workarounds, as opposed to resolving the issue in question: HOW TO TROUBLESHOOT LEDGER NANO X BATTERY ISSUES

Considering some of their users have started to warm up the batteries to jump-start it, a part of me thinks this might be a direct result of the following things before he attempted to charge his/her Nano X

• someone said they held the nano over a flame for a little bit just to warm the battery inside so that it could be charged when plugging it in
• heated it up by leaving close to open oven, this brought the battery back

Ledger nono X battery circus is back in town for season 2024, and they never stop to amaze me with their special quality control for batteries they are using.

One user of ledger X reported on twitter that his ledger device was melted during charging, but on good side at least it didn't exploded like it happens with EV vehicles


https://twitter.com/magic_degen/status/1752713548164395362

LOL.  I've been following the Ledger subreddit, and although I've never visited it before I have to think that previously there was a lot of discussion about new coins, new devices, and all sorts of threads that were about actually using a Ledger.  Now every other thread is from someone who's switched HW wallets, and 99% of the discussion is about the recovery service.

And boy, for a subreddit devoted to a single HW wallet you'd think most of the participants would know exactly what the danger is if they continue to use Ledger devices.  But judging by the posts being made that is not the case, and they're not shill posts either, just Ledger users who don't realize that their coins aren't safe on any of the devices and who fundamentally don't see what the problem is.  And Jesus, I'm pretty tech-ignorant (as many of you know) and from everything I've read even I know Ledger users are potentially fucked if either Ledger or a government or a hacker or rogue employee decides it's time to gain access to private keys.

It really is a circus.  At this point I'm just wondering what Ledger as a company is going to look like in 6 months to a year.

I was bribed by the fact that the ledger works with many coins out of the box and authentication also works out of the box.
The first Ledger S models were low on memory and had security issues.

15-Year-Old Exposes Vulnerabilities In Ledger’s Nano S Cryptocurrency Wallet
https://fossbytes.com/ledger-cryptocurrency-wallet-hacked/

You didn't miss out much, it's just a regular cheap circus show
I don't think patching ledger live is possible, blocking ledger servers is certainly possible, but than I think device wont work correctly.
From my understanding it's not only ledger that are going to receive data from customer wallets, they are only one of 3 companies, other two companies are located in United Kingdom and United States.
Now imagine any of this three governments wanting to do mass seizure of coins, they won't have any problem doing that, since user controls nothing if they applied for Recover.
Even in case if they didn't apply for anything there is a chance keys could be exposed somehow.

Let me look from the bright side of this incident... I think ledger nono X eternal battery problem will not exist anymore  

EDIT:
I found one interesting ledger commercial driving down the Internet Highway 101 

Not that I know of, no. Trezors are shipped with no firmware installed, so the original buyer installs either a bitcoin-only or an all-crypto firmware. Ledger ships its products with already installed firmware. Usually, the latest version. So you might not need to do anything on that end. But you need Ledger Live to install the apps you want to use, and those can only be found in the Ledger Account Manager.

You could get blockchain data from your own node and configure Ledger Live to connect to it. But again, you are going to need apps, app updates, and the firmware from their servers.

Well, there's a chance that the wallet is not maliciously 'pre-seeded' such that they know every customer's seeds and addresses in advance, while at the same time they may be able to extract 'deleted' seeds from a returned device.

Ideally, they should not be able to know customers' seeds, no matter whether they send it in or not. But since we have no code, there's no way to verify whether this is the case.

In my opinion, it's more likely that erased memory can be recovered when people send in the wallet for a refund, than Ledger actually using deterministic seeds. But it's mostly a gut-feeling type of thing for me.

I see; so there's no alternative client for initial setup / updates / app installs and so forth, like on Trezor with trezorctl command-line client?
Somehow I thought a similar thing existed for Ledger, as well. Maybe that was a thing in the past which got killed. Or my memory simply tricked me. Then I guess Ledger users are SOL no matter what.

It may be possible to clone https://github.com/LedgerHQ/ledger-live and patch out all the connections to Ledger servers, or even just do it through your firewall. Someone may even have done it before, not sure about that. It should be evident that I'm not too knowledgeable or experienced with Ledger products myself.

I wasn't talking about seed phrases. I don't think they have those either. Knowing Ledger, they would have lost or leaked them by now. But with the knowledge that keys can leave the secure element, who knows what else is possible. Today, it's supposedly 3 encrypted shards sent to 3 separate companies. What if it becomes just one company or remote sharing of seeds in unencrypted form next year?

It's not a secret that servers can log and store information about your wallets when you interact with them. I am going back to my Electrum example. Connect your wallet to a server and it will know your IP address, OS, balance of all funded addresses, and complete list of all other addresses that are part of that wallet. Connecting to Ledger's servers can work exactly the same.

Only a genuine Ledger HW can connect to Ledger Live. For all we know, each device they have ever sold could have an identifier pairing it to the name of the person who purchased it. When you connect your HW to Ledger Live, the software checks if the device is genuine and it could very well check that identifier and compare it with its database. That would provide them with enough data about your balances and activities. Couple that with Ledger Recover and any information they share with government agencies, and there is now a method for freezing your assets if you are suspected of money laundering, not paying your taxes, etc.     

I think you missed the point here, I (I am sure so is Pmalek) did not assume the wallet comes with a pre-loaded seed, the point is, IF they can extract the seed phrase outside of the secure element and send it to a third party it simply means there is NOTHING in the hardware design that stops seeds and private keys from leaving the device, contrary to what ledger have always said.

So based on their own words (not mine), they were always able to gather every bit of information we never thought possible, now since the firmware is closed and nobody has a clue about what is inside it (at least for anything released after version 1.5.1 (2019) since that was approved by ANSSI), for all we know they could have been logging from/to addresses used, private keys and even seed phrase, of course, if you created a seed and did not connect your wallet to the app then it would be hardly unlikely for them to know the seed, but the moment you install those apps which reside on the SE and have direct access to the PK (also their words, not mine) they could start logging everything they want.

All that information is directly attached to the unique serial number of your wallet which doesn't disappear by formatting it or anything else, so this leads to another assumption that your real identity/home address/ credit card or whatever you used to purchase from them (since they only accept KYC payments) are all linked and could be stored in a database somewhere.

Of course, we are probably being a bit harsh on Ledger here, I don't claim they did or are doing all of this, I am simply stating the fact that based on THEIR own words, every assumption made here is technically valid, I wouldn't have the audacity to put forward these assumptions if they did not implement this cloud seed backup shit, but alas, it happened, we already know what are they capable of doing with their hardware wallets, it would be plain stupid to think that any of the assumptions people have about them now are not true.

Despite all recent issue with Ledger, I'm not convinced this is how it works. I don't think they know the public addresses associated with the delivery or purchase, as otherwise this would imply they know the seed phrase of the device that was sent in the first place - in order to have access to those public keys. I mean, I'd like to assume they don't have a database of all the seed phrases at least!

I also thought the seed phrase was generated once you setup the device if not mistaken, using True Random Number Generator (TRNG) (as it's apparently build into the chip, therefore can be generated at any point in the future). Therefore, it'd be impossible for Ledger to have access to public keys based on delivery/purchase information, as they would be created post-purchase. Instead, it'd have to be based on IP addresses at best. Also to note is that you can reset to factory setting and create a new seed phrase, so it stands up to scrutiny the idea that the seed phrase is generated after purchase, as opposed to "pre-loaded" as it were.

Of course, this is if we still trust Ledger to be telling the truth about how these "random" seed phrases are generated... which I don't. Just countering some misconceptions here.

Think of it this way: If you use Ledger Live, and you have to at least once to install the firmware and the needed crypto apps, they can get information about your public keys, addresses, and the balances you connect to their servers. Something similar that Electrum does when you connect your wallet to an Electrum server.

Even if you purchased your HW anonymously and had it delivered to a PO box or company where you work, they would still be able to connect your name to the wallets that were connected to their servers in the past if you decide to send the HW back. I doubt you can ship a package anonymously, unless you get someone else to do it for you.   

That is true, but I would move all funds and double check everything before sending anything back to ledger.
Most they can get from returned device would than be only history of transactions, and that is if they are hiding something.
This option is only if you want to get money back from ledger, I personally prefer optional destruction and total demolition

 

What I meant is, there is nothing more they would be able to know just by receiving your hardware wallet again, they already know everything that they could reveal about you when you send it back.

The second part of the post is just a speculation of "what they might know" and that's based on the fact that in order to buy a ledger you have to undergo a KYC process, you need to use your credit card or KYCed crypto.com, and your home/work address, every wallet has a unique serial number, so they know person A who lives at B owns ledger wallet with a serial number of 123456.

in theory, they could know that person A's wallet generated seed x, and signed a transaction to move 0.1BTC to some address, used a certain address to receive funds, since there is no limitation on what could and could not leave the secure element, we certainly have no way of knowing what information were they collecting from the apps when they are connected to the ledger wallet.

Of course, all this is nothing but speculation, but in theory, they could know about everything that you worry about when sending them the hardware wallet back, so by spending your coins and sending it back -- there is nothing left to risk in that process, the risk has already been fully taken the moment you trusted their closed source firmware.

How do they already know the addresses that a person used? I mean, I guess there's still the risk that seeds aren't generated truly randomly (since - again - closed source firmware). But besides that, I'm not sure how you come to this conclusion.

Moving your coins to somewhere else will be enough, there is nothing they don't already know in regards to the buyer's identity and the addresses they used, I just hope they won't make things even worse and sell the info that links the user identity/email/credit card/address to on-chain data (assuming they have not already done so).

But ya, overall, there is no harm in returning it and use that money to buy another proper wallet.

Wow, thanks for the update. This sets a new low from Ledger.

Although I'd like to recommend people not to send back their device - no matter what - since without open-source firmware, there is no way to tell whether a reset fully erases everything.
At this point, I could even imagine that a device reset just 'hides' your old seed, but keeps it in storage, so when you send back the device they can recover it and fully deanonymize you.

For sure, you (Cricktor, or any other "so inclined" forum member) gotta make sure to wear a condom.

That's bad advice^** dkbit98.


Bad dkbit98!!!!!!

 



**Otherwise, I agree with your (5) "What to do next" points.. plus the optional extra suggestion for the seemingly "Ledger not haters."

Your advice is much worse (doing nothing), but go ahead update and have sex with your ledger wallet if you think it's safu to do it  

They are literally preparing to receive class action lawsuit for false advertisement and you are asking me this question  

For fun and for better security.
People are doing it already and recording videos,like in this example:
https://www.youtube.com/watch?v=N6SoLaOF8uI

Someone should register them for Guinness World Records book for this  

Will do the second and won't waste any time complaining to a company who would do something so mind-bendingly dumb that they've probably won the world record for losing the most customers in the shortest period of time.  One complains to a company usually if they want them to do something better or correct a wrong.  In this case, I don't think there's anything Ledger can do to walk back this blunder.

I'm still shaking my head over this one.  And dkbit98, you were right in your criticisms all along.  The closed/open-source thing is enormously important when it comes to any sort of crypto software, and it doesn't matter if a HW wallet is sold by a well-known company that's been reputable for years, because shit like this can happen if everything isn't transparent.