Ninjastic
PostEdited versionsQuotes to this post
Post
Topic
Board Hardware wallets
Re: Ledger Recovery - Send your (encrypted) recovery phrase to 3rd parties entities
by
Volgastallion
on 18/05/2023, 14:13:40 UTC
Quote from: NotATether on Today at 08:50:36 AM
Quote from: Pmalek on Today at 08:34:21 AM
Here is the problem. Ledger is one of many hardware wallet brands that use a secure element chip whose sole job was to keep your seed and private keys offline. Meaning, it was supposed to be impossible that sensitive information leaves the chip and gets transmitted online. Turns out, that's not the case at all. The Ledger Nano X secure element can change its behavior after a software update, allowing you to "voluntarily" share your keys online with 3rd-parties. Soon, the same thing will be possible for the Nano S Plus. Apparently, only the old Nano S can't implement this feature.

In theory, unless you update to the newest firmware that unlocks seed-share and approve it physically by pressing the buttons on your Nano, the feature won't work. That's just the theory. It's again a matter of trust. We have trusted Ledger to protect our keys and we trusted them when they said nothing can ever leave the safe enclosure of the secure element. That trust is now gone because the most valuable data can, in fact, leave the SE.

Now you have to make up your own mind. Are you going to trust that what they have said about Ledger Recover is accurate, and that they need your approval to share your seed? Or, can they just do it with or without your consent? They have already told us that data was always obtainable from secure element chips, they just didn't activate that feature before.   

You should not trust the usage of the secure chip unless all of the code and firmware is open-source and signed, so that you can verify all of the interactions with the secure chip.

Yes i agree, i dont know what kind of ARM chip Ledger use in their product, but we heard a lot of times after so many years about "back doors" on Intel and AMD chipsets, some of them put in porpuose and others dont. So like Notatether say until you dont have the whole information you never know.


I also read some Russians have made fakes Ledger and they sell on the russian market like original ones. Clearly this its other kind of leak and problem but its interesting to know. And yes they can acces and stole your coins.