Ledger Nano X: The possible security issues

Yesterday, Ledger announced the addition of a new feature to its Nano X hardware wallet. 

The new feature is called Ledger Recover and it allows for seed recovery even in the case of loss. 

For now it appears to have been made available only to those who carry out the latest firmware update to their Nano X, but it cannot be ruled out that it will be extended to the company’s other devices in the future. 

Ledger Recover arrives on the Ledger Nano X

This new feature is designed to enable seed recovery even in case of loss. 

The seed, also called a “recovery phrase,” is a list of words that allows the wallet to be recovered. 

Since anyone who owns that list can retrieve the wallet freely, it is absolutely necessary to store it safely to ensure that it does not fall into the hands of anyone else. 

It is generally preferred to keep it on paper in a safe, so that it can be retrieved easily at any time while being kept out of the hands of others. 

Better yet, it is generally recommended to keep it divided into two or three parts, kept in different places, such as different safes. 

However, it often happens that the person who wants to recover his wallet has lost the seed, either because he cannot remember where he is keeping it, or because the sheets of paper on which he wrote the list of words have been lost or destroyed, or have been rendered illegible by, for example, water. 

In the event that the seed has been lost, the user who needs to retrieve a wallet has no chance of recovering it. Therefore, the optional additional functionality of seed recovery has been added to the Ledger Nano X. 

The risks of enabling Ledger Recover

The problem is that in order for the user’s seed to be retrieved even if it is lost, the new feature sends it to a third party, split into three encrypted fragments. 

How it works was described yesterday by the company’s CTO, Charles Guillemet, in a video posted on Ledger’s official Twitter profile. 

Thus, those who would activate the new Ledger Recover feature on their Nano X, after performing the firmware update, would in fact start the process of segmenting, encrypting and sending their seed to third parties unknown to them. 

The risk is that, in this way, the user’s seed could fall into the hands of others. 

How to defend against the new feature?

First of all, since it is an optional feature that is not automatically activated even by installing the Nano X firmware update, it is sufficient not to activate it to prevent seed sending. 

This way you do not authorize the hardware wallet to send the seed to anyone. 

The alternative might be to simply avoid installing the new firmware, but skipping updates to the software that runs the device is not recommended, because outdated firmware might contain vulnerabilities that were later fixed. 

Furthermore, since it is a feature present only on the Ledger Nano X, those who want to avoid the problem altogether at this time could use other devices, such as the Nano S. 

However, it is possible that a similar functionality will be introduced in future firmware updates of other devices as well, although there will most likely always exist hardware wallets on the market without any similar functionality. 

Therefore, this problem would appear not to exist, because there is a way to avoid it altogether. 

Suspicions about the new Ledger Nano X feature

But there is more. 

First, it must be said that firmware updates for devices with such high levels of security are highly recommended. 

Also, it is entirely possible that a similar feature will be introduced in other devices in the future. 

However, if this was all there was to it, the problem might be so marginal that it could be easily solved anyway. 

The thing is that the firmware code of Ledger hardware wallets is not open source. Which is to say, it is not public, so no one can examine it to understand how it really works except those who created it. 

This is generating a wave of suspicions, many of them probably overblown if not outright fabricated, that are impossible to erase through clear and sharp evidence. In other words, users of Ledger devices to date can only trust what the company claims and hope that it is true. 

Indeed, according to the numerous statements made by Ledger yesterday, the problem would seem to be so marginal as to be considered negligible, but this is all based solely and exclusively on the trust that can be placed in the company’s honesty. 

Ledger Nano X: The possible security issues

Many users, not knowing the firmware code of Ledger devices, have begun to speculate on a variety of security issues. 

The most important issue that has been raised is the possible presence of a so-called “backdoor,” which is a function of the firmware that allows access to the seed. 

The point is that if someone somehow managed to hack the device, in the event that such a backdoor was present they could retrieve the seed of the wallet, and thus effectively steal all the tokens stored in it. 

Then again, if the firmware can break the seed into 3 parts, encrypt them, and send them, then it must necessarily have access to the seed. And if it has access to the seed it means that in case of hacking it could perhaps be forced to send it complete and unencrypted to someone. 

Not knowing the computer code of the firmware makes it impossible to say whether such a thing is possible or not, and the company’s verbal assurance that it is not possible does not seem to be enough to eliminate this doubt entirely. 

But there is also another problem. 

In fact, if it were enough to put the three encrypted segments together to reconstruct the seed, anyone who could recover them could steal the wallet from the rightful owner. 

Thus, some wonder whether the storage of the three segments will always be done properly so as to prevent anyone from retrieving them, perhaps even en masse. 

Some more fanciful speculation even imagines that the three companies to which the different seed segments are sent could in the future agree to pool users’ seed fragments to steal their funds.
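
The point about pooling fragments can be made concrete with a small added example, which is not Ledger's code and is not taken from the article. It assumes a plain 3-of-3 XOR split, because the article does not say which splitting scheme the firmware uses, and it leaves out the encryption of each fragment. All function names are hypothetical and the seed is random sample data.

```python
import secrets

def split_3of3(secret: bytes) -> list[bytes]:
    """Split `secret` into three shares; all three are needed to rebuild it."""
    s1 = secrets.token_bytes(len(secret))
    s2 = secrets.token_bytes(len(secret))
    s3 = bytes(a ^ b ^ c for a, b, c in zip(secret, s1, s2))
    return [s1, s2, s3]

def combine(shares: list[bytes]) -> bytes:
    """XOR the shares together; only the full set yields the secret."""
    out = bytes(len(shares[0]))
    for share in shares:
        out = bytes(a ^ b for a, b in zip(out, share))
    return out

def missing_share_for(known: list[bytes], candidate: bytes) -> bytes:
    """Return the third share that would make `candidate` the secret.

    Such a share exists for every candidate, so two shares alone are
    consistent with every possible seed and rule none of them out.
    """
    return combine(known + [candidate])

def demo() -> dict:
    # Constructed sample: 16 random bytes standing in for seed entropy.
    seed = secrets.token_bytes(16)
    shares = split_3of3(seed)
    decoy = secrets.token_bytes(16)  # an arbitrary wrong guess at the seed
    forged = missing_share_for(shares[:2], decoy)
    return {
        "all_three_rebuild_seed": combine(shares) == seed,
        "two_shares_rebuild_seed": combine(shares[:2]) == seed,
        "two_shares_fit_decoy": combine(shares[:2] + [forged]) == decoy,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Under this assumed scheme, one or two custodians hold data that fits any seed equally well, while the full set of three rebuilds the seed exactly, which is why the storage and independence of the three holders matter.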

Transparency

As things stand at present, the real problem with this issue is probably not one of security, but of transparency. 

Since the computer code of the firmware of Ledger devices is not public, it is absolutely inevitable that it generates all sorts of doubts about how it works, as well as various conspiracy hypotheses. 

While most likely the vast majority of those doubts are unfounded in the current state of affairs, they will persist for as long as the code remains non-transparent. 

On the other hand, however, it is easy to understand why the company does not want to make public a code that has probably cost them a lot of work, and a lot of money, and which they certainly would not want to give away for free to their competitors. 

The issue therefore does not seem likely to be resolved any time soon, unless the company’s strategy on software development changes.

Source: https://en.cryptonomist.ch/2023/05/17/ledger-nano-x-possible-security-issues/