The Breakdown - Ledger Recover Announcement Leads to Massive Crypto Uproar

Episode Date: May 17, 2023

Ledger announced a new program yesterday called "Ledger Recover" that has people feeling confused, betrayed, and angry. NLW explores what the uproar is about and what it says about the start of self-custody and self-sovereign values in the crypto industry. Enjoying this content? SUBSCRIBE to the Podcast: https://pod.link/1438693620 Watch on YouTube: https://www.youtube.com/nathanielwhittemorecrypto Subscribe to the newsletter: https://breakdown.beehiiv.com/ Join the discussion: https://discord.gg/VrKRrfKCz8 Follow on Twitter: NLW: https://twitter.com/nlw Breakdown: https://twitter.com/BreakdownNLW

Transcript
Starting point is 00:00:00 Welcome back to The Breakdown with me, NLW. It's a daily podcast on macro, Bitcoin, and the big picture power shifts remaking our world. What's going on, guys? It is Wednesday, May 17th, and today we're discussing ledger, ledger, ledger, ledger. Before we get into that, a quick note. The Breakdown is, of course, now the Breakdown Network, and one of the shows that we have launched is Bitcoin Builders. It's a show all about the creative and entrepreneurial energy swirling around Bitcoin, and I am excited to share a new episode today with Cory Klippsten from Swan. We go a little deeper into the Swan story in how Cory decided to build and what he decided to
Starting point is 00:00:47 build. So if you are interested in that, check out the Bitcoin Builders podcast and then come join the discussion on the Breakers Discord. You can, as always, find a link in the show notes or go to bit.ly slash breakdown pod. As for today, for the last 24 hours, all anyone has been talking about is Ledger. It's a story that hits from so many angles. It's a story of technical challenges and tradeoffs in crypto UX. It's a story of, let's call them, challenges of corporate communications and marketing. And it's a story about the fundamental principles of self-sovereignty that underlie the industry. So let's try to parse through it, shall we? On Tuesday, Ledger announced a social recovery feature called Ledger Recovery for their popular line of hardware wallets. Now, this feature sent crypto Twitter
Starting point is 00:01:37 into a frenzy as we will see. Security experts warned that this feature was unsafe in its fundamental design and potentially revealed previously unknown security design flaws for all ledger users. So first, let's do a quick definitional explanation of what social recovery actually means. Social recovery is a design feature that's common in lots of crypto storage setups. It's offered by a range of companies in the industry. Now, there are a multitude of different security designs for this feature. One low-tech version, for example, would be splitting your seed phrase into multiple sections and handing single parts to a group of trusted friends and family members. This would allow you to recover the entire seed phrase if you ever needed to. More complex implementations,
Starting point is 00:02:20 use multi-sig wallets and trust a group of different people or companies with the individual keys to the multi-sig. This setup allows a group of these trusted key custodians to collaborate and recover your wallet, even if you've lost the keys. Now, importantly, all social recovery setups carry some amount of trust and risk alongside. Primarily, you're trusting that your social recovery delegates won't collaborate without your instruction to recover the wallet and steal your crypto. With growing crypto adoption, many believe that social recovery is a potentially important way to allow less technical users who don't trust themselves to store a seed phrase to access non-custodial crypto storage solutions. And by the way, this idea of them not trusting themselves is a common
Starting point is 00:03:04 thing for crypto-newbies to feel. It's certainly one of the biggest things that I've heard from older relatives and friends who are considering getting into Bitcoin. This sort of social recovery also has important use cases for estate management, allowing heirs to recover your wallet with the help of trusted partners after someone passes away. The point of all this is to say at the outset that while there is plenty of acrimony going around, it's worth remembering that the reason a company could be interested in providing this type of service isn't insane. So to Ledger, what they introduced on Tuesday is a variation on social recovery. Once the feature is live, users will be able to instruct their device to create a backup of their private key using the onboard encryption. This backup is then
Starting point is 00:03:44 fragmented into three shards, each encrypted separately, with one shard sent to three different companies, Ledger, crypto insurance firm Coincover, and software audit firm EscrowTech. Alongside the backup process, users would share personal information with identity verification firm Onfido. This identity information can then be used to trigger the recovery process at a later date, allowing a user to recover their wallet even if they've forgotten their seed phrase. The entire encryption and recovery process is run internally on the Ledger hardware, so theoretically, there shouldn't be any unencrypted data being sent out by the device. Each encrypted shard is useless on its own, with two out of three required to recover the
Starting point is 00:04:23 private key. The feature will be a subscription service costing $999 per month. Ledger announced a new feature in a thread. Exciting update, they write. Ledger has a new product Ledger Recovery that's launching soon. Self-custody is at the core of our offering, and your secret recovery phrase is securely generated on your device. We have no access to it. This will never change. We are uncompromising about security. Ledger Recovery is an optional subscription for users who want a backup of their secret recovery phrase. You don't have to use it and can continue managing your recovery phrase yourself if that's why you bought a ledger. This is not automatically enabled by any firmware updates. This is your choice. If you choose to subscribe, ledger recover encrypts a version of your private key and splits it into three fragments using Shamir's secret sharing.
Starting point is 00:05:08 All of this happens on the secure element chip, so your secret recovery phrase is not at risk. Now, almost immediately the questions started to pour in. Jan Wustonfield wrote, I thought it would be impossible for a private key to leave the device. If a software update allows fragments to leave the hardware wallet, who guarantees that a malicious software update wouldn't expose your private keys to a hot device? Or am I understanding it wrong? Anonymous account I099T says yes, it's a backdoor and vulnerability, and it shows the backdoor was always in place to be used. Don Crypto Draper writes, I understand you guys try to innovate, but nobody finds this
Starting point is 00:05:41 social recovery safe. Read the room, guys, this is bad. You can't guarantee no hacker or employee can hack into this and clients will lose their funds. Please pause this, roll it back. Vanessa Harris tweets Ledger last year. Your private keys never leave your hardware device. Ledger today. Pay us $999 to copy your private keys to our servers. Soon every device will have firmware capable of sending your seed phrase off device. This is just begging to be exploited. Now Ledger claims that this backup will require user consent to be generated and won't be automatically performed by any firmware update so there isn't any data to leak. That is, of course, what people are nervous about. Ledger claimed that there is no inherent weakness in their security design,
Starting point is 00:06:19 stating in a Twitter thread, quote, there's no backdoor to a backup. Self-custody remains and will always be the core principle of ledger. The ethos of self-custody is that it's your choice. You can choose to manage all your assets yourself, or you can have a backup with ledger recovery. It's up to you, and that won't change. Now, a big part of the controversy is focused on how this design feature appears to breach the fundamental promise and value proposition of Ledger's devices. Back in November of last year, Ledger described that under their security model, quote, your private keys never leave the secure element chip, which has never been hacked. The secure element is third-party certified and is the same technology as used in passports and
Starting point is 00:06:57 credit cards. A firmware update cannot extract the private keys from the secure element. Of course, this new feature seems to violate that premise, with private keys able to be transmitted to third-party companies, albeit only in an encrypted and sharded format. Independent security researcher Pascal Cavarsaccio explained that in introducing this feature, Ledger had broken, quote, the number one security rule for hardware wallets. Never ever expose the private key in some way, encrypted, unencrypted, or in any other form. He said that there is now a, quote, communication channel between the device and the outside, although he also added that his understanding was only based on public information, which, quote,
Starting point is 00:07:35 is very short on details. Indeed, this lack of details is one of the issues surrounding the feature. Ledger's code is proprietary rather than open source, so researchers are unable to verify the security design claims put forward by Ledger. The primary concern is that this method of communication from the secure key storage could be hijacked by malicious firmware. In other words, that the functionality being present at all represents a backdoor into the private key storage on the device. Another really complicated thing is just how technologically dense these issues are. Ethereum Foundation researcher Ansgar says this Ledger backup situation makes me realize I am a bit fuzzy on exactly what properties of my hardware wallet I am actually trusting.
Starting point is 00:08:14 The seed not physically being able to leave the SE, or just the firmware not allowing that? What then are my trust assumptions around firmware upgrades? Investor Haseeb Qureshi wrote, Every ledger app for any blockchain you run can in principle extract the private key on your device. Of course it can, because ledger apps often have to derive a key for another blockchain, which originates from the master's secret on the device. There's no way around this. So yes, you're trusting Ledger, although you only need to trust them once since you are never forced to upgrade firmware.
Starting point is 00:08:42 This was always true. Either you throw away your device every time a new blockchain ships, or you embrace this trust model. Can't be both. The important thing is, every major hardware wallet works this way. That said, Ledger did some terrible corporate comms and freaked everyone out. But the more I reflect on this, the main reason was people don't understand how hardware wallets actually work, myself included. That opinion, I will say, was in the minority, however. Another of the big concerns was about the need to trust third-party companies. Seth for Privacy, the head of content at Foundation Devices, which is notably a rival open source hardware wallet provider, spelled out his concerns that the recovery system could be hijacked during
Starting point is 00:09:21 a hypothetical government seizure scenario. The trusted companies are domiciled in the U.S. and the UK, with Ledger being a French company, so his fear was that these governments could coordinate to seize crypto using this feature. Quote, the government can easily come knocking and request all holder IDs information and then seize funds at will. Mudit Gupta, the chief information security officer at Polygon Labs, explained his worries that personal information sharing is not safe in this context. Mudit writes, it's a horrible idea, don't enable this feature. Oh, but it is secured by ID verification.
Starting point is 00:09:53 You know what else is secured by ID verification? Mobile number porting. Do you know how many high-profile sim jacking cases happen every day? Too many. Anything secured by ID verification is inherently insecure. Too easy to fake. The problem here is not splitting the key in three parts. That's actually good. The problem here is that the encrypted key parts are sent to three corporations and they can reconstruct your keys. Additionally, they use ID verification to confirm your request for key construction. Identity theft is relatively easy and super common. It's not a secure method at all. Now, it's worth noting that Gupta did reiterate that he has no issue with Ledger's existing services. He simply warned people not to use this new feature.
Starting point is 00:10:32 Seth for Privacy again also commented on this KYC concern. He writes, All this KYC data is collected by a company called Onfido, who handled the KYC onboarding. They keep your ID, pictures, video, sounds from your selfie video, and a holistic picture of your device in current activity when you upload and verify identity. Onfido has a complete picture of your identity and the fact that you are a Ledger user and thus that you hold a reasonably large amount of cryptocurrency. They also have a holistic picture of the device you use for authorization. So now, not only are you trusting Ledger and, quote, authorized third parties with your identity
Starting point is 00:11:04 data, you're trusting Onfido with that and much more, along with the knowledge that you hold and use large amounts of cryptocurrency. Nightmare fuel that easily enables new threats. Now, one additional important piece of context about why people are so ready to not give Ledger the benefit of the doubt is that there was a previous security failing by the company in 2020. In that year, the company suffered a data breach in which 300,000 customers had their names, phone numbers, and physical addresses leaked. Crypto developer Fubar recounted this incident in his scathing indictment of the new feature. If you have a ledger, your keys are not compromised yet, but if you upgrade to the latest firmware,
Starting point is 00:11:42 it'll stick in a code path that can send your private key to third parties. Given Ledger doxxed their own customers in the past, it's unlikely that they'll keep this info safe. The code path to send private key material over the internet will be on your device whether you opt in or not. Hackers can take advantage of this and software bugs more likely to leak. Ledger's business trajectory is one of wanton disregard for customer safety, switch wallets. Ledger has of course denied that this will be the case, but the issue, again, with proprietary firmware is that no one can know for sure exactly what the functionality is. Still, Ledger pushed back hard on this criticism, asserting that their new feature would not introduce security
Starting point is 00:12:17 concerns for existing users. Ian Rogers, Ledger's chief experience officer said, people have had a lot of fear, which is perhaps unjustified. As a consumer, you have a choice, and you should know who it is that you're trusting. Ledger co-founder Nicholas Baca rejected the notion of a back door into the private key storage. It's not a backdoor at all, he said. You stay in control. Nothing will happen without your consent on device. He added that the ledger team plans to open source its code in the future so users can see how the service is designed. Another point brought up by the ledger management team during the fallout was that this recovery feature is important for onboarding less technical people into safe self-custody with fail-safe recoveries. They argued that a big lesson learned over the past year is that far too many people who are new to crypto use centralized custodians because they've used self-custic.
Starting point is 00:13:04 custody is too complicated or too risky. And the primary risk that keeps people up at night is the loss of their recovery phrase. There is a meaningful portion of the industry, they argue, that believes that wallet recovery needs to be more user-friendly and foolproof, with these sorts of features being one avenue to solving that pain point. Noss, the former chief information security officer at A16C agrees. On LinkedIn, he wrote, most people complaining about the new ledger recovery feature evidently lack understanding of wallet security or security in the real world in general. The solution, if implemented properly, will be a step in the right direction. When I say in the right direction, I imply that it would meet the expectation of 95% of humanity,
Starting point is 00:13:42 who already place faith in ID-based recovery for their bank accounts, loans, credits, and more. After all, KYC procedures at all leading financial institutions utilize similar mechanisms. We should not be in a rush to reinvent the wheel until we have more seamless tools, primed and ready for wider adoption. What users need is transparency on what type of institution participates in this partner. and what efforts are put in place for the utmost security of the encrypted shards, as well as prevention of ID fraud. The entire feature boils down to checks and balances and the implementation of layered defenses. Reducing that down even further, Nass is basically saying that, look, for 95% of people,
Starting point is 00:14:19 they are comfortable with an ID-based solution. And ultimately, this was the key point of Ledger CEO Pascal Gauthier as well. During a Twitter space, as he said, you're saying this is not what customers want. Actually, this is what future customers want. This is the way that the next hundreds of millions of people will actually on board to crypto. I'm sorry, but the piece of paper is the thing of the past, and ledger recovery is a thing of the future. There is no compromise to security. Responding to the criticism that the feature opened up new vulnerabilities, Pascal said, quote, I've seen a lot of people on Twitter saying like, oh, I'm sure this will be hacked in the next 12 months. Okay, let's see. Now, the tone of that Twitter spaces today did not impress
Starting point is 00:14:58 people. Hudson Jameson wrote, was just in a chat room with the ledger co-founder, and I am now 1,000% more concerned that they don't know what they are doing from a marketing comms perspective and from a security and best practices perspective. Scary how they are handling themselves and the lack of seriousness they have. Now, he did later go on to delete that and said, went ahead and deleted a tweet from earlier, but put a screenshot of it below. I was very angry at the responses from some of the ledger team, but ultimately, they are under a ton of pressure today to provide answers to everyone, so statements like the one I made won't help. Ethereum community member Ryan Beckermans tried to come up with a solution.
Starting point is 00:15:33 He wrote, Ledger Recovery was a huge project. For many people, it might be a good solution. However, the community invested in Ledgers based on the firmware having no backdoor of any kind. I have a starter proposal for us to put away the pitchforks. I'd prefer that you kill Ledger Recovery entirely. I'd prefer that recovery be solved downstream in smart contract wallets.
Starting point is 00:15:52 If you don't kill it, I'd prefer that Recovery be only available on a new dedicated kind of device. Unfortunately, we're in a situation where we've all trusted and invested in your company and devices for years, and now you've betrayed us. Betrayed is harsh, but it is what it is. You probably won't kill Ledger Recovery. We need an immediate path forward. Here's a proposal.
Starting point is 00:16:11 One, in perpetuity, offer two parallel version tracks of the firmware, one with recover and one without. Key extraction is not just disabled, but omitted. In Ledger Live, clearly show both firmware upgrade options, default to no recover for existing devices. Two, today, ledger recover doesn't support the nano-S device. Never change this. Completely omit recover from all present and future nano-S firmware. Publicly state it's excluded and not just disabled. Let NanoS be the fully secure ledger. Ledger, this proposal seems reasonable, given that you've
Starting point is 00:16:41 walked back on your primary mandate to air gap private keys. At the moment, I'd join a class-action lawsuit against you guys on the basis that you're recommending an insecure firmware update for NanoX. So let's again try to sum up here. We have, of course, a comms issue. And one additional important note that I didn't even mention is that this feature was not intended to be pushed yesterday. Some amount of the feature was contained in their firmware update notes, which someone noticed, forcing them to push the announcement instead of waiting for next Monday as they had originally planned. We have trust issues with Ledger with an expectation that customers feel like has been broken. We've got concerns about new attack vectors introduced through KYC.
Starting point is 00:17:18 We have reasonably big questions about the tradeoffs for mainstreaming, and we have fundamentally another context to have the discussion about self-sovereignty. Now, as for me, a couple things. One, I certainly don't envy Ledger's communications team right now. This would not be a fun position for anyone to be in. Second, it's entirely possible to me that Ledger's CEO is correct in that most people in the future will want a solution that's different than having a passphrase written down on a piece of paper.
Starting point is 00:17:45 I've seen far too many people who are completely uncomfortable with the norms of self-sovereign crypto to not believe that that's at least a little bit true. I think an entirely new generation of experiences will need to be designed and that there will be a spectrum of custody options all the way from complete self-custody on the one end to complete custodial custody on the other end, with everything in between being filled out. But three, I also understand and agree with the set of folks who feel like a new attack vector has been introduced that hasn't yet adequately been explained away or reassured. I think in some ways the second part of this discussion, the idea that this
Starting point is 00:18:18 might be good for future users, ignores the reality of the relationship that Ledger has with their existing users. I think, for example, this would have felt very different to people if they were introducing a new device that had this possibility from the beginning. Now, maybe they felt like this would introduce another type of critique of forcing people who wanted this type of service to buy a new device, but by and large, I think that would have been a lot less noisy than what actually happened. Trust, as they say, is built over years and lost in minutes, and we have another example of that right here. I don't at all think it's impossible for Ledger to win trust back for a large number of the users who are upset right now, but it's going to take work, it's going to take
Starting point is 00:18:54 clear communication, and it might take more openness in the actual codebase. For now, it's a great reminder of just how important questions of self-sovereignty remain to this community, and that companies operating in this space, even if they're excited about the next set of people coming in, have to understand and respect that right now. Until tomorrow, guys, be safe and take care of each other. Peace.
