Crypto wallet Ledger clarifies its firmware

Ledger, the famous crypto hardware wallet, has had to clarify how its firmware works after some confusing tweets were deleted.

Ledger: crypto wallet deletes tweets and clarifies how its firmware works

Ledger, the crypto hardware wallet par excellence, has clarified the operation of its firmware after deleting a confusing and controversial tweet by a customer support representative.

[2/3] We’ve deleted it because we don’t want people to continue to be confused by this, and are replacing it with Tweet threads which address all frequently asked questions and concerns in the most understandable and accurate way possible.
— Ledger Support (@Ledger_Support) May 18, 2023

In essence, the deleted tweet stated that it was “possible” for Ledger to write firmware that could extract users’ private keys. This sentence sparked controversy among users, who sought to emphasise its importance by tweeting the following

Nov 2022: A firmware update cannot extract the private keys from the Secure Element — Ledger
May 2023: Technically speaking it is and always has been possible to write firmware that facilitates key extraction — Ledger@Ledger, do you now understand the problem? pic.twitter.com/czG53SuCOu
— olimpio (@OlimpioCrypto) May 17, 2023

Charles Guillemet, Ledger’s Chief Technology Officer, clarified the confusing situation in a series of tweets.

Ledger: the crypto hardware wallet’s CTO clarifies the firmware issue

In no fewer than 29 tweets, Ledger’s CTO Charles Guillemet attempted to clarify matters, describing how the wallet’s firmware, or operating system (OS), requires the user’s consent whenever “a private key is touched by the OS”.

In other words, the OS should not be able to copy the device’s private key without the user’s consent, although Guillemet also explained that using Ledger requires “a minimum level of trust”.

Here’s part of the tweet:

5/
This number can be put into human readable form (24 words) using BIP-39 standard.
That is your Secret Recovery Phrase.
This is what you write down and should NEVER share with ANYONE, including Ledger.
Ledger does not have access to it, including if you use Ledger Recover.
— Charles Guillemet (@P3b7_) May 18, 2023

Guillemet adds that the wallet’s firmware, or OS, is an “open platform”, meaning that “anyone can write their own app and upload it to the device”.

However, before apps are added to the Ledger Manager software, they are evaluated by the team to make sure they are not malicious and do not have security vulnerabilities.

The new Ledger Recover feature

The first suspicions about the Ledger firmware came with the recent introduction of a new feature for the Nano X, Ledger Recover.

Basically, users allow the company to activate the ‘recovery phrase’ that allows the wallet to be recovered.

Those wishing to access Ledger Recover would have to proceed with a firmware update on their Ledger Nano X, which would effectively start the process of segmenting, encrypting and sending their seed to unknown third parties.

With this feature, early users have raised suspicions about the security of the hardware crypto wallet, since if access to the backdoor of the seed can be opened to it, it also becomes vulnerable to hacking.

Guillemet’s current clarification should also address these concerns about the security of the hardware crypto wallet.

Source: https://en.cryptonomist.ch/2023/05/19/crypto-wallet-ledger-clarifies-firmware/