en
Back to the list

Is There a Backdoor on Ledger Wallet? Here Are the Facts

source-logo  coincodex.com 07 September 2023 14:57, UTC

Ledger claims that there is no backdoor on its devices, and that the new Recovery feature is entirely opt-in. This means that users must explicitly consent to have their seed phrase backed up by a third party. However, some security experts have argued that the mere existence of the Recovery feature could create a security risk, even if users do not opt-in.

In May 2023, Ledger, the leading manufacturer of cryptocurrency hardware wallets, announced that it would be launching a new feature called Ledger Recover. The new subscription-based service is meant to help users who lose their Secret Recovery Phrase or don’t have access to it, making it possible to restore their private keys.

In this article, we are going to examine whether there is a backdoor on Ledger wallets, how Ledger Recover works, and what its implications are for the security of Ledger devices.

How does Ledger Recover work?

The Recovery feature works by dividing the user's seed phrase into three parts and storing each part with a different third party (Coincover, Ledger, and EscrowTech). If the user loses their Ledger device or if their Ledger is stolen, they can recover their funds by providing their identity to the third parties and having them reassemble the seed phrase. Here’s how Ledger explains their key recovery service:

Ledger Recover is an ID-based key recovery service that provides a backup for your Secret Recovery Phrase. If you lose or don't have access to your Secret Recovery Phrase, the service allows you to securely restore your private keys using a Ledger device.

You need 2 of the 3 fragments to reassemble your private key. Before you can receive the fragments, you must complete an extensive identity verification process carried out by Coincover, a blockchain security company. In the event that something does go wrong and the process is compromised, Coincover is committed to paying out up to $50,000 as compensation.

The full technical details and the inner workings of Ledger Recover are beyond the scope of this article. If you want to dive deeper into the mechanics of the Ledger feature, check the comprehensive X thread by Ledger CTO Charles Guillemet.

It is worth noting that Ledger Recover is currently not available, with the service marked as “Coming soon” on the Ledger webpage. At launch, the Recover service will support the Ledger Nano X exclusively, with support for the Nano S Plus and Ledger Stax coming later down the line. Meanwhile, the older Ledger Nano S isn’t compatible with the new feature.

The recovery process overview. Image source: Ledger

Is there a backdoor on Ledger?

Ledger has repeatedly assured users that there is no backdoor on Ledger devices. According to the company’s co-founder, Nicolas Bacca, the Recover feature “is not a backdoor at all, because nothing will happen without your consent on your device.” He also added that the feature doesn’t increase the possibility of hardware wallets’ security being compromised.

However, some experts have pointed out the feature does increase the chances of hackers breaching Ledger’s security. In a now-deleted post on the X platform, a user by the name of oxfoobar summarized his thoughts on the topic:

"The code path to send private key material over the internet will be on your device, whether you opt-in or not. Hackers can take advantage of this, and software bugs are more likely to leak.”

Whether that’s true or not, the reality is that the broader crypto community was extremely concerned when the feature was first announced.

Meanwhile, Solana co-founder Anatoly Yakovenko expressed his view of the whole situation in a post in May, saying that the update doesn’t really change anything about the security of Ledger devices.

"If you trusted them [Ledger] before not to exfiltrate your keys, you can trust them now not to do it when that feature is off. I think the attack surface is about the same."

Is it possible to hack a Ledger wallet?

Any piece of software and hardware is susceptible to attacks, no matter how secure. However, it is worth noting that the occurrences of Ledger hacks have been almost nonexistent so far, despite the company being founded nearly a decade ago. Ledger customers who fell victim to attacks in the past were mostly targeted in phishing scams and user database breaches and did not have their hardware devices compromised.

There have been a few cases of Ledger wallets being hacked, but these cases have all involved social engineering attacks. In these attacks, the hacker tricked the victim into revealing their seed phrase. If you take proper security measures, such as keeping your seed phrase safe and not clicking on suspicious links, your Ledger wallet is very secure.

Is Ledger wallet still safe?

Yes, Ledger wallets are still safe. They use a secure element chip that is designed to resist physical attacks. The chip is tamper-proof and cannot be read by unauthorized devices. Additionally, the Ledger wallet uses a 24-word seed phrase that is generated randomly and never leaves the device. The phrase is required to access the funds stored on the wallet, so even if the device is hacked, the hacker would not be able to access the funds without the seed phrase.

If you are concerned about the safety of your Ledger, you can consider switching to some other cryptocurrency wallet. Companies like Trezor, Blockstream, and NGRAGE are considered as some of the best Ledger alternatives.

The bottom line: So, is there a backdoor on Ledger wallets?

The quick answer is “no”, there is no backdoor on Ledger wallets. The longer answer, as you might have guessed, is that it’s complicated. Ledger Recover does connect your wallet to the internet, which by default, makes it more susceptible to attack vectors. On the other hand, the company has assured that the new feature doesn't compromise the security of Ledger wallets in any way.

In our opinion, the security of your crypto assets shouldn’t really be impacted in any significant way due to the Recover feature. If you take care of your seed phrase, don’t click on random links, and take the necessary precautions, a Ledger wallet should still be one of the safest ways of managing your crypto.

If you want to explore some other options, check out our selection of the best cryptocurrency hardware wallets.

coincodex.com