Ledger postpones hardware wallet key-recovery service


  • Ledger announced a service called Ledger Recover, which enables users to store encrypted backups of their seed phrases with three custodians.
  • The cryptocurrency industry has seen significant losses from the loss of hardware wallets.
  • The recent developments surrounding Ledger and Trezor highlight the importance of security and user trust in the cryptocurrency hardware wallet industry.

Ledger CEO Pascal Gauthier addressed users in a letter, stating that the company would not introduce the new feature until its code was available. Ledger Recover is set to allow recovery of lost passwords and cryptocurrency hardware wallets by giving Ledger access to users’ seed phrases. However, Ledger faced major backlash over concerns that its code is not open source and how that affects security. During a recent Twitter Space session, Ledger’s Chief Technology Officer, Charles Guillemet, outlined the company’s open-source roadmap, revealing plans to expedite the process by open-sourcing the white paper of the Ledger Recover protocol and the firmware that implements the feature.

Ledger Recover

Ledger announced a service called Ledger Recover, which enables users to store encrypted backups of their seed phrases with three custodians. This feature would allow Ledger owners to recover their private keys in case of seed phrase loss or forgetfulness. The optional service requires users to undergo know-your-customer (KYC) verification.

The announcement immediately drew criticism from members of the cryptocurrency community, who voiced concerns about sharing seed phrases with custodians. Many users expressed disappointment and betrayal on social media platforms like Twitter and Reddit. Ledger had previously assured users that private keys would never leave the device.

Critics highlighted potential risks, such as custodian hacks, KYC provider data leaks, and law enforcement gaining access to Ledger users’ data. Furthermore, the lack of open-source code for the Recover feature prevented independent audits of its security.

While some competitors publish their code openly, Ledger relies on a selected team of security researchers to test its product.

Ledger acknowledges concerns

In his letter, Gauthier acknowledged the lessons learned by the company. Ledger has previously open-sourced parts of its code, and Gauthier confirmed that more code would be made available soon.

“We have decided to expedite the open-sourcing process! We will include as much of the Ledger operating system as possible, starting with core components of the OS and Ledger Recover, which will not be released until this work is complete,” Gauthier stated.

Gauthier also emphasized the importance of offering key recovery services to attract a new wave of crypto users who may find self-custody challenging.

“The majority of users in crypto today either do not own their private keys or put their private keys at risk by using less secure self-custody methods and complicated ways to store and secure their seed phrase,” the letter explained.

Losses due to hardware wallets

The cryptocurrency industry has seen significant losses from the loss of hardware wallets. While specific data on the “biggest” losses may vary, there have been notable incidents where substantial amounts of cryptocurrency have been inaccessible due to lost or misplaced hardware wallets. Some notable examples include:

James Howells’ Hard Drive

In 2013, James Howells, an IT worker from the United Kingdom, accidentally discarded a hard drive containing his Bitcoin wallet. This hard drive, which ended up in a landfill, reportedly held around 7,500 Bitcoins, worth millions of dollars. Despite efforts to locate and retrieve the hard drive, it remains lost, making it one of the most well-known cases of substantial loss.

Stefan Thomas’ Lost Password

In 2021, Stefan Thomas, a programmer and early Bitcoin adopter, revealed that he had misplaced his IronKey hardware wallet password. This wallet reportedly holds over 7,000 Bitcoins, worth hundreds of millions of dollars due to the surge in Bitcoin’s value. Thomas has made multiple attempts to recover the password, and the lost funds have become inaccessible.

QuadrigaCX Exchange Incident

In 2019, the Canadian cryptocurrency exchange QuadrigaCX suffered a major setback following the unexpected death of its CEO, Gerald Cotten. It was later revealed that Cotten had sole control over the exchange’s cold wallets, which held substantial amounts of cryptocurrencies. Unfortunately, Cotten did not leave behind clear instructions or access to these wallets, resulting in the loss of approximately $190 million worth of cryptocurrencies belonging to QuadrigaCX users.

These incidents highlight the risks associated with hardware wallets and the need for proper security measures, such as securely storing backups and maintaining access to wallet passwords or recovery seeds. Users must be vigilant and take necessary precautions to prevent the loss of their cryptocurrency holdings.

Trezor Experiences 900% Surge in Sales Amidst Ledger’s Seed Recovery Controversy

Hardware wallet provider Trezor has reported a remarkable 900% increase in sales volume compared to the previous week, as stated in a press release shared with CryptoSlate on May 25. This surge in sales follows the controversy surrounding Ledger’s seed recovery feature, which faced strong opposition from the cryptocurrency community. Trezor’s CEO, Matěj Žák, emphasized the company’s belief in hardware wallets as cold storage that ensures 100% self-custody, with the seed phrase accessible only to the user at all times.

Being a fully open-source company, Trezor undergoes independent audits and scrutiny from technical experts to ensure the impossibility of remote seed phrase extraction or implementation.

Capitalizing on Ledger’s Troubles

Ledger’s controversial Ledger Recover feature has left users concerned about the online storage of their seed phrases and the requirement of a know-your-customer process. The 2020 data breach incident involving Ledger has already raised doubts about the company’s data handling practices. Users have expressed scepticism regarding the security of their devices and seed phrases, even if they choose not to use Ledger Recover.

Trezor Addresses Vulnerability Concerns

Meanwhile, a security firm named Unciphered claims to have found a method to hack into the Trezor T hardware wallet, raising concerns about the security of the wallet service provider. In an email shared with CryptoSlate on May 25, Trezor’s CTO, Tomáš Sušánka, acknowledged the RDP downgrade attack vulnerability mentioned in a 2020 blog post.

Sušánka clarified that this attack requires physical theft of the device, highly sophisticated technical knowledge, and advanced equipment. To mitigate this vulnerability, Sušánka emphasized the importance of using a strong passphrase, which adds an extra layer of security that renders an RDP downgrade useless.

Furthermore, Trezor has taken significant steps to address the issue by developing the world’s first auditable and transparent secure element through its sister company, Tropic Square.
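Why a passphrase blunts a physical extraction of the recovery words, shown as an added example that is not Trezor's code: it assumes a BIP-39 backup, where the wallet seed is derived from the mnemonic and the passphrase together, so the words alone open a different, empty wallet. The mnemonic is the public all-"abandon" test phrase and the attacker guess rate is a hypothetical figure.

```python
import hashlib
import math
import unicodedata

# Constructed sample: the public BIP-39 test mnemonic, never a real wallet.
SAMPLE_MNEMONIC = "abandon " * 11 + "about"

# Assumption for illustration only: guesses per second an attacker can try.
HYPOTHETICAL_GUESSES_PER_SECOND = 1e6


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic"+passphrase."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def passphrase_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a passphrase whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate passphrase at the given guess rate."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


def compare_wallets(mnemonic: str, passphrase: str) -> dict:
    """Show what someone holding only the extracted mnemonic would derive."""
    without = bip39_seed(mnemonic)
    with_pp = bip39_seed(mnemonic, passphrase)
    return {
        "mnemonic_only_seed": without.hex()[:16],
        "passphrase_seed": with_pp.hex()[:16],
        "same_wallet": without == with_pp,
    }


if __name__ == "__main__":
    print(compare_wallets(SAMPLE_MNEMONIC, "TREZOR"))
    # Compare a 4-letter lowercase passphrase with a 16-character one
    # drawn from the 94 printable ASCII symbols.
    for alphabet, length in ((26, 4), (94, 16)):
        bits = passphrase_entropy_bits(alphabet, length)
        years = years_to_exhaust(bits, HYPOTHETICAL_GUESSES_PER_SECOND)
        print(f"{length} chars from {alphabet}: {bits:.1f} bits, {years:.3g} years")
```

The mitigation is only as strong as the passphrase: a short or guessable one leaves the brute-force step cheap once the mnemonic is out of the device.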

Clear message on remote access to hardware wallets

The recent developments surrounding Ledger and Trezor highlight the importance of security and user trust in the cryptocurrency hardware wallet industry. Ledger’s decision to postpone the release of its key-recovery feature in response to community backlash demonstrates the significance of addressing user concerns and prioritizing transparency. The surge in Trezor’s sales amidst Ledger’s controversy underscores the demand for hardware wallets prioritizing self-custody and user control over their digital assets.

The incidents of substantial losses resulting from lost hardware wallets serve as cautionary tales for cryptocurrency holders. Whether it’s the accidental discarding of a hard drive or the misplacement of passwords, these cases emphasize the need for proper security practices and backups to safeguard digital assets. The QuadrigaCX exchange incident further highlights the risks of relying solely on a single individual’s control over cold wallets.

These events call for continuous improvements in hardware wallet security, adopting open-source practices, and increased user education on best practices for safeguarding cryptocurrency. By prioritizing security, transparency, and user-centric features, the hardware wallet industry can foster trust and provide a reliable solution for individuals seeking secure storage of their digital assets.


Kudzai G Changunda
http://www.about.me/kgchangunda
Finance guy with a considerable interest in the adoption of web 3.0 technologies in the financial landscape. Both technology and regulation focused but, of course, people first.