Topic: Ledger Recovery - Send your (encrypted) recovery phrase to 3rd parties entities - page 10. (Read 5423 times)

legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
  • KYC with full name, date of birth, location of birth both as in ID document (Ledger has some experience with leaks, this is going to be some fun as such identity data needs to be kept safe by three companies involved, good luck with that)
  • you have to identify yourself to every backup provider (not bad in terms of security as an attacker might not be able to fool every provider, but still leaves room for verification issues)
So identity theft is now enough to steal your Bitcoins? Even easier if the identity theft is an inside job at one of the three seed storage companies, they'll know exactly who to target and can request the other shards from the other two seed storage companies.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
A quick read over the whitepaper, by no means detailed inspection:
  • initial entropy is what's backed up (not sure if other possibly vital details are included, from first look I'd say no)
  • entropy is encrypted before it is split and encoded in shards (encryption key is common to Ledger hardware devices; let's see how long it takes that this key gets disclosed or peeled out of firmware)
  • sharding with something called Pedersen Verifiable Secret Sharing (sounds and looks better than simple Shamir Secret Sharing; I'm not yet familiar with this "new" scheme)
  • KYC with full name, date of birth, location of birth both as in ID document (Ledger has some experience with leaks, this is going to be some fun as such identity data needs to be kept safe by three companies involved, good luck with that)
  • you have to identify yourself to every backup provider (not bad in terms of security as an attacker might not be able to fool every provider, but still leaves room for verification issues)

My immediate main concerns are:
  • if you have used a mnemonic passphrase for your wallet (multiple for multiple resulting wallets) this seems not to get backed up as a mnemonic passphrase kicks in at a later derivation step; so if you don't want to rely on your own mnemonic words backup and be crazy enough to go for Ledger Recovery, you're still supposed to safely and reliably backup your mnemonic passphrase (the 25th thing), otherwise you're clearly screwed
  • what if the owner of a Ledger hardware device dies and didn't leave enough details for the entitled heirs who at most know there's a Ledger Recover backup: I guess they will have a very hard time proving they are the entitled heirs, and this has to be done with every backup provider (at least two of them of course are required)
  • three Ledger employees with Ledger hardware hold vital keys to approve something: I smell a recipe for potential disaster knowing the "reliability" of Ledger hardware
jr. member
Activity: 59
Merit: 30
I think the main issue is the fact that this API now exists; that is what concerns most people.
legendary
Activity: 1148
Merit: 3117
It seems that Christ is about to land on Earth. Ledger has just released the whitepaper for their Ledger Recovery procedure. You can find it on their GitHub page[1][2]. I didn't have the time to read it (probably will do it later) but just letting this out for users to be aware. Looking forward to more discussion within the community regarding it.

[1]https://github.com/LedgerHQ/recover-whitepaper/blob/main/Ledger%20Recover%20Technical%20White%20Paper.pdf
[2]https://github.com/LedgerHQ/recover-whitepaper
legendary
Activity: 1148
Merit: 3117
*Note: it is hard to verify exactly whether it is true that they really named the method as such, because Ledger firmware is closed source and it's possible that obfuscation of exported function names is being used by the libraries.
But the post says you can see it being used in Ledger Live, which is open source. A search of Ledger's GitHub provides zero matches for "gimme_da_seed".
I also came here to post this, thank you @o_e_l_e_o. The original user who reported this update still confirms that this function exists in a recent post (16 hours ago)[1]:
Quote
Yeah, Ledger put a method in their firmware like gimme_da_keys then allowed software (ledger live) to call gimme_da_keys. I can confirm that current Trezor firmware has no gimme_da_keys methods, or anything like that. So even if some software were to try to ask firmware for the keys, firmware isn't listening for any key requests, so won't respond.
I've taken a look at his profile and he doesn't seem to be a user that promotes other wallets or has any shady behaviour, so these claims are somewhat interesting to see. I'm sure we'll have more updates regarding this in the next hours.

[1]https://safereddit.com/r/TREZOR/comments/14b6cfx/about_trezor_updates/joef8tz/
legendary
Activity: 2268
Merit: 18775
*Note: it is hard to verify exactly whether it is true that they really named the method as such, because Ledger firmware is closed source and it's possible that obfuscation of exported function names is being used by the libraries.
But the post says you can see it being used in Ledger Live, which is open source. A search of Ledger's GitHub provides zero matches for "gimme_da_seed".
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
If this is true, Ledger's "hardware" wallet is now - once attached to a computer - literally less secure than a hot Electrum wallet on the same computer.

I would agree that your statement is correct, because I think that Ledger as a company has long lost credibility, and after this latest "achievement" anyone who still uses any of their models should ask themselves how much risk they are actually exposed to. On the other hand, Electrum is open source, and if it is properly verified and installed, and if we have a computer that is not exposed to the risks of malicious downloads, then there is no doubt that Electrum is a better option.
legendary
Activity: 1148
Merit: 3117
I'm going to make the educated guess that Ledger's developers are a bunch of juveniles because there's no way you're a senior engineer and you get away with this stunt, especially after a PR storm.

*Note: it is hard to verify exactly whether it is true that they really named the method as such, because Ledger firmware is closed source and it's possible that obfuscation of exported function names is being used by the libraries.
I'll take this update with a bit of caution. Ledger blatantly lies to their customers, but I don't think they would enable the permission to push this kind of naming in their software update, especially considering the backlash that they got. If there's one thing that they repeatedly told us, it is that they have a chain of command and deciders that all have to agree to the code before being released, meaning that it is hard for me to believe that this would pass those "quality" checks.

I've seen a user on Reddit[1] that is also looking into the code of the program but so far they haven't found anything related to such naming. I could be wrong, but I'll wait for more updates on this one.

On other news regarding Ledger Recover, their CEO continues to spread the basis that this is a great innovation in the crypto field. In a recent conversation[2] (just yesterday!!) he makes another set of bold claims:
Quote
(...)When you think about it (Ledger Recover) there's nothing wrong with it. It doesn't change the security.
Quote
(...)It's our rule to have convictions and to push the industry forward.
If this is pushing the industry forward, then I'm looking forward to the next batch of features from Ledger's side that will keep bringing down fire at their products. I'll just leave this here from Ledger Live Terms of Use[3] for reference:
Quote
4.6 No retrieval of Private Keys. The only existing backup is with you. Ledger operates non-custodial services, which means that we do not store, nor do we have access to your Crypto Assets nor your Private Keys. Ledger does not have access to or store passwords, 24-word Recovery Phrase, Private Keys, passphrases, transaction history, PIN, or other credentials associated with your use of the Services. We are not in a position to help you retrieve your credentials. You are solely responsible for remembering, storing, and keeping your credentials in a secure location, away from prying eyes. Any third party with knowledge of one or more of your 24-word Recovery Phrase or PIN can gain control of the Private Keys associated with your Ledger Device or of the 24-word Recovery Phrase, and therefore steal your Crypto Assets, without any possibility for you or Ledger to retrieve them.

[1]https://safereddit.com/r/CryptoCurrency/comments/14bdcw2/ledger_live_has_a_method_called_gimme_da_seed/jofevpq/
[2]https://nitter.it/TheBigWhale_/status/1669651433136832513
[3]https://shop.ledger.com/pages/ledger-live-terms-of-use
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Quote
Both Ledger Live and Ledger Firmware handle your complete seed, and prepare it for transport off of the device.  The seed is encrypted, and Ledger has promised that the number of people who can decrypt the seed are small.
(Source)
If this is true, Ledger's "hardware" wallet is now - once attached to a computer - literally less secure than a hot Electrum wallet on the same computer.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Apparently, Ledger has not finished trolling us

It has been revealed that the new ledger firmware has a method to extract the seed (old news) named gimme_da_seed (!!)

Quote
Just the opposite.  In order to enable the "Ledger Recover" feature, Ledger, did, indeed, write a gimme_da_seed function directly into firmware.  It is clear because you can see Ledger Live, which is open source, using the seed and sending it off to the Ledger Recover servers.

Both Ledger Live and Ledger Firmware handle your complete seed, and prepare it for transport off of the device.  The seed is encrypted, and Ledger has promised that the number of people who can decrypt the seed are small.

What's more, I don't think Ledger supports downgrades.  You MUST upgrade to the gimme_da_seed firmware, and once upgraded, I don't think you can downgrade.  But like I said, they promise it is encrypted.

Trezor prone to physical hack since we basically cannot verify whether the Trezor we receive is genuine

EVERYTHING shipped by a third party is prone to physical attacks.  Ledger wrote the book on supply chain attacks.  There was a huge rash of compromised Ledgers sold on Amazon about 4 years ago.  Made a huge stink.  Lots of users were duped.

Ledger and Trezor are equally hardened and equally vulnerable via supply chain.  I'd put more trust in Trezor since you can upgrade, downgrade and independently flash the firmware and bootloader.  Very hard to sustain a "fake" firmware if you have to emulate all those actions without detection.

(Source)

I'm going to make the educated guess that Ledger's developers are a bunch of juveniles because there's no way you're a senior engineer and you get away with this stunt, especially after a PR storm.

*Note: it is hard to verify exactly whether it is true that they really named the method as such, because Ledger firmware is closed source and it's possible that obfuscation of exported function names is being used by the libraries.
legendary
Activity: 1792
Merit: 1296
Playbet.io - Crypto Casino and Sportsbook
Or did they just slap some random bullshit timeline together with no intention of sticking even to the bare minimum?
They probably did just that, and they are hoping that everything will calm down and people will gradually forget about this issue.
It could be possible they are working on open sourcing partially, but I think now it's too late for that and it won't be genuine.
I don't trust Ledger and their ''car'' is going down the hill.

~snip
For me, including this story, it looks like an attempt to prolong the time so that the entire shitstorm of discontent subsides and doesn't spur the public to a new wave of discontent by repeated random and unnecessary actions.

If all the Ledger talk about the open source and the rest had begun before the incident with the Ledger Recover, I could believe it (I guess many others too). But now all their actions look fake and insincere. Whatever they do now, I will only have additional questions and doubts about them.

Confidence in this "car" is undermined not only with you.
legendary
Activity: 2212
Merit: 7064
Or did they just slap some random bullshit timeline together with no intention of sticking even to the bare minimum?
They probably did just that, and they are hoping that everything will calm down and people will gradually forget about this issue.
It could be possible they are working on open sourcing partially, but I think now it's too late for that and it won't be genuine.
I don't trust Ledger and their ''car'' is going down the hill.

I also disliked the "Attach to PIN" feature, and I've spoken before about why I don't think people should use it. As you say it reduces the security of your passphrase to a simple PIN, and it also means that your passphrase is stored on the device rather than wiped after use when using a temporary passphrase.
I was thinking the same thing as you when I was considering using Ledger a few years ago.
Attaching a PIN also adds extra complexity since it is totally different from all other solutions used by other manufacturers of hardware wallets.

Apparently the shards aren't encrypted at all, despite Ledger previously stating this. It's literally just Shamir's. So there is no decryption key to be stored on the device or by Ledger themselves
This guy is totally lost in space... only ledger character that is worse than him, is probably ledger co-founder aka reddit moderator clown called btchip.
It's a very important thing that he put a bunch of flashy rings on his fingers...

During the process, the secure channel uses an ephemeral symmetric key to securely transport the fragments.
Sounds like a bunch of BS that can't be verified at all by regular users.
newbie
Activity: 21
Merit: 7

https://youtu.be/M3VjQUcyZSY?t=1285 - Apparently the shards aren't encrypted at all, despite Ledger previously stating this. It's literally just Shamir's. So there is no decryption key to be stored on the device or by Ledger themselves, making it even easier than thought to compromise the set up.


I want to clarify a little.
Shards aren't encrypted, but as tenant48 pointed out in the post above, they are transmitted over an encrypted channel using an ephemeral symmetric key.
Quote
During the process, the secure channel uses an ephemeral symmetric key to securely transport the fragments.
Ephemeral keys are negotiated by both parties using asymmetric cryptography:
Quote
Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic algorithms based on mathematical problems termed one-way functions. Security of public-key cryptography depends on keeping the private key secret; the public key can be openly distributed without compromising security.

In a public-key encryption system, anyone with a public key can encrypt a message, yielding a ciphertext, but only those who know the corresponding private key can decrypt the ciphertext to obtain the original message.
For asymmetric crypto to work, each Ledger wallet must have a unique private/public key pair, which was also mentioned earlier in this thread. Ledger does not need to store databases with these keys or do intermediate re-encryptions.
Thus, it is absolutely safe to transfer the seed to a completely new wallet.
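Added illustration (not Ledger's code, and not from any poster here) of the point made in this post and in the linked video: a 2-of-3 Shamir split applied byte by byte over GF(2^8) to a constructed 32-byte entropy value, with helper names (gf_mul, split, recover, candidate_secrets_from_one_share) chosen here as assumptions. It shows that any two shares reconstruct the secret, so any two colluding or compelled providers suffice, while a single share is consistent with every possible secret byte and therefore reveals nothing on its own.

```python
"""Toy 2-of-3 Shamir secret sharing over GF(2^8), byte by byte."""
import secrets

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the usual GF(2^8) reduction polynomial


def gf_mul(a: int, b: int) -> int:
    """Carry-less multiplication of two GF(2^8) elements, reduced mod AES_POLY."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return result


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (a must be non-zero)."""
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def split(secret: bytes, k: int = 2, n: int = 3) -> list:
    """Return n shares (x, y_bytes); any k of them recover the secret.
    Each secret byte is the constant term of a random degree-(k-1) polynomial."""
    shares_y = [bytearray() for _ in range(n)]
    for s in secret:
        coeffs = [s] + [secrets.randbelow(256) for _ in range(k - 1)]
        for i in range(n):
            x, y, x_pow = i + 1, 0, 1  # x = 0 would be the secret itself, never used
            for c in coeffs:
                y ^= gf_mul(c, x_pow)
                x_pow = gf_mul(x_pow, x)
            shares_y[i].append(y)
    return [(i + 1, bytes(shares_y[i])) for i in range(n)]


def recover(shares: list) -> bytes:
    """Lagrange interpolation at x = 0, one byte position at a time."""
    out = bytearray()
    for pos in range(len(shares[0][1])):
        acc = 0
        for xi, yi in shares:
            num, den = 1, 1
            for xj, _ in shares:
                if xj != xi:
                    num = gf_mul(num, xj)       # (0 - xj) == xj in characteristic 2
                    den = gf_mul(den, xi ^ xj)  # (xi - xj)
            acc ^= gf_mul(yi[pos], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


def candidate_secrets_from_one_share(x: int, y: int) -> int:
    """Count secret bytes s consistent with a single 2-of-3 point (x, y).
    For every s some coefficient c gives s ^ c*x == y, so the answer is 256."""
    return sum(1 for s in range(256) if any(s ^ gf_mul(c, x) == y for c in range(256)))


ENTROPY = bytes(range(32))  # constructed stand-in for seed entropy, not a real key


def demo() -> dict:
    a, b, c = split(ENTROPY)
    return {
        "pairs_recover": all(recover(list(p)) == ENTROPY for p in ((a, b), (b, c), (a, c))),
        "single_share_candidates": candidate_secrets_from_one_share(a[0], a[1][0]),
    }
```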
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
@RickDeckard, regarding the video that caught your attention, I posted it on page 9 and had a little discussion with @Synchronice about it. I don't want to repeat myself, but I'll just say that Pascal's performance in that video reflects quite well the way Ledger as a company treats its users.
legendary
Activity: 2268
Merit: 18775
Would your private data be sent to the seed storage partners who all have to make their own judgement, or would Ledger just say: "this guy needs to recover his Ledger, send the seed"?
The former, it seems:

Let me guess: they haven't shared the contracts yet?
Not that I can find. Although in my digging I did find Ledger's privacy policy states they will store your seed phrase shard for a full year and your other personal data for 7 years after you terminate your Ledger Recover subscription. Although Coincover and Escrowtech both have privacy policies you can find and read, neither makes any mention of Ledger Recover or seed shards, so who knows what they are doing with your data.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
there is nothing stopping Ledger turning to these two partners and asking them to hand over their shards as well.
That sounds a lot like a single point of failure. And it makes me wonder: how would a real seed phrase recovery work? Would your private data be sent to the seed storage partners who all have to make their own judgement, or would Ledger just say: "this guy needs to recover his Ledger, send the seed"?

Quote
Gauthier replies that the other companies wouldn't have to comply, and that Ledger would be happy to open source their legal contracts with these companies to prove as such.
Let me guess: they haven't shared the contracts yet?
legendary
Activity: 2268
Merit: 18775
Wait, they previously announced a government could subpoena them. I'm guessing all of them will cooperate when the government of one country subpoenas them, so the different countries don't matter.
In the video above, Harry Sudock makes the point that if Ledger are subpoenaed for a particular user's seed phrase/private keys, there is nothing stopping Ledger turning to these two partners and asking them to hand over their shards as well. They may in fact be legally forced to do exactly this. Gauthier replies that the other companies wouldn't have to comply, and that Ledger would be happy to open source their legal contracts with these companies to prove as such.

I won't hold my breath for that actually happening though.

Link with timestamp: https://youtu.be/M3VjQUcyZSY?t=2360
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
These encrypted fragments will be sent through 3 independent secure channels
I find it hard to believe 3 channels that start from the same USB cable on the same computer and go through the same Ledger Live software can truly be independent.

No single company has access to the entire backup, and each single fragment is completely useless by itself.
Great! We knew that already of course.
But here's the kicker:
Quote
This ensures the highest level of security
O RLY?
So they're literally saying you can't have better security than sharing your encrypted seed phrase online. How about not sharing it? That is by definition more secure, so they're obviously lying.

Quote
and removes a single point of failure.
Great. Now there are multiple points of failure. How about A+B? Or B+C? Or A+C? Or one of them gets completely compromised, and some employees at the other storage locations start cherry picking lambos?

Quote
Additionally, each fragment backup provider uses a hardened, tamper-resistant server called a Hardware Security Module (HSM) to securely store these encrypted fragments.
I remember the days the secure element inside the hardware wallet was supposed to be the tamper-resistant part.
legendary
Activity: 2268
Merit: 18775
I've just found this[1] video
Some interesting snippets:

https://youtu.be/M3VjQUcyZSY?t=1285 - Apparently the shards aren't encrypted at all, despite Ledger previously stating this. It's literally just Shamir's. So there is no decryption key to be stored on the device or by Ledger themselves, making it even easier than thought to compromise the set up.

https://youtu.be/M3VjQUcyZSY?t=2342 - The quote you shared regarding privacy.

https://youtu.be/M3VjQUcyZSY?t=2700 - "So basically we're off-boarding loss of key risk, and on-boarding state actor risk." "Correct."
full member
Activity: 343
Merit: 167
Here's what else I found at Ledger Academy.

Encryption
When you subscribe to Ledger Recover, the secure element encrypts and splits the Secret Recovery Phrase into three fragments. These encrypted fragments will be sent through 3 independent secure channels to these fragment backup providers. The secure channel allows mutual authentication and avoids man-in-the-middle attacks. During the process, the secure channel uses an ephemeral symmetric key to securely transport the fragments. Each fragment is then secured by a separate and independent company in different countries: Coincover, Ledger and Escrowtech.

No single company has access to the entire backup, and each single fragment is completely useless by itself. This ensures the highest level of security and removes a single point of failure. Additionally, each fragment backup provider uses a hardened, tamper-resistant server called a Hardware Security Module (HSM) to securely store these encrypted fragments.
The decryption process is also described there, but exactly how the keys for decrypting the seed will be transferred to the new wallet is not described there.