Controversy over Ledger's mnemonic recovery feature | What are the potential risks? Was this feature introduced just to make money?
The cryptocurrency hardware wallet provider Ledger announced on the 16th that it will launch a "Ledger Recover" feature for its cold wallet products: a recovery phrase backup service in which encrypted fragments are held by several third-party companies. While the feature appears to give users an additional safety net, it has drawn sharp criticism from the crypto community, and Ledger's own responses make clear that the feature was introduced with the company's "bottom line" in mind.
Exciting update, Ledger has a new product, Ledger Recover, that’s launching soon: https://t.co/nT1VHnnSYz
🧵Here’s what Ledger Recover is and what it isn’t, explained by @P3b7_ & in the thread below. pic.twitter.com/RW1w07H6pK
— Ledger (@Ledger) May 16, 2023
Introduction to Ledger Recovery Phrase Feature
The Ledger recovery phrase feature introduced this time is an optional subscription service. If a user opts in, the recovery phrase of their cold wallet is encrypted and split into three fragments, each held by a different third-party institution: the crypto insurance company Coincover, Ledger itself, and an independent backup service provider.
If a user accidentally loses their wallet recovery phrase, as long as they pass the identity verification, two of the custodians will send the encrypted recovery phrase segments back to the user's Ledger device, allowing them to reassemble the original recovery phrase.
Criticism of the Ledger Recovery Phrase Feature
Although this feature seems to provide an extra layer of security for users, it also crosses a line for those who believe that "cold wallets should stay cold". The reliability of the identity verification and Ledger's own security track record have become the focus of community discussion, and considerable skepticism has been directed at Ledger.
Mudit Gupta, the security chief of Polygon, stated on Twitter: "Anything protected by 'identity verification' is inherently insecure because it is too easy to fake."
He urged users not to use this feature and questioned whether Ledger introduced this subscription feature to generate revenue or due to regulatory requirements that allow regulatory authorities to access customer data for asset seizure purposes.
Furthermore, Binance CEO CZ asked Mudit whether this means that the recovery phrase of a cold wallet can be separated from the device, contradicting the concept supported by the crypto community that "your private key should never leave your device."
So the seed can leave the device now?
Sounds like a different direction than "your keys never leave the device". 🤷♂️
— CZ 🔶 Binance (@cz_binance) May 16, 2023
Chainlink community ambassador ChainLinkGod pointed specifically to Ledger's past security incidents, warning users that Ledger has suffered several breaches that leaked large amounts of customer personal information, and argued that the new feature appears ill-considered.
Ledger, the company that has experienced multiple security breaches that exposed the personal information of hundreds of thousands of its customers
Now wants you to export your private keys from your hardware wallet and give fragments to them, Coincover, and an unnamed third… https://t.co/PO7OGy4DLT
— ChainLinkGod.eth (@ChainLinkGod) May 16, 2023
Michael Ou, CEO of the well-known Taiwanese cold wallet manufacturer CoolWallet, also expressed his views on this incident today. He stated that if Ledger's new feature is adopted by a majority of wallet users, it could pose a serious threat to the resilience of the crypto ecosystem.
"Imagine if 50% of all crypto wallets use this service, it would mean that half of the world's crypto assets would be controlled by a few entities holding these wallet keys. In cases of internal mismanagement or external coercion, the security of these assets would be at serious risk," Ou said.
Ledger Responds to Extensive Criticism
Following the widespread criticism of the new feature, Ledger's CEO, CTO, and founder expressed their thoughts via Twitter Space yesterday evening. The introduction of this feature seems to be aimed at expanding their customer base.
Charles Guillemet, CTO of Ledger, stated that when he thinks about his mother using Ledger products, she would face two obstacles, namely unreadable addresses and how to manage private keys. The new Ledger feature is designed to provide convenience to these users because a recovery phrase consisting of 24 words is too complex for them.
Furthermore, Ledger CEO Pascal Gauthier also mentioned in the conversation: "Ledger Recover is what our future 100 million customers want. Through Ledger Recover, they will enter the crypto world securely." This statement indicates Ledger's determination to lower the entry barrier for new users and expand revenue sources.
Regarding cybersecurity issues, Ledger founder Nicolas Bacca stated that there are no backdoors, and nothing will happen during the recovery of the recovery phrase without the user's consent on the device.
As for regulatory concerns, Ledger's Chief Experience Officer Ian Rogers stated that the company only complies with legal requirements and does not want to take on the role of a custodian. Services that require KYC are offered to users, but whether to use them is up to each user.
"Technically, as soon as you opt in for the service, you'll be asked if you are happy to opt-in for Ledger Recover. If you are – then you sign a transaction on your Ledger to shard your private keys into 3 shards, then it's encrypted in the device, then a secure channel is…
— Ledger (@Ledger) May 16, 2023