Jun 21, 2023

Breaking Down the Latest Response to Ledger Recover

Read an analysis of the latest response to the outcry over the approach being taken with Ledger Recover and the risks of closed-source devices and firmware. Learn how the protocol works and why it is completely unverifiable in practice.

CRYPTOCURRENCY TECHNOLOGY

Seth For Privacy

Freedom maximalist || Privacy advocate || Head of Content for @FOUNDATIONdvcs || Host of @optoutpod, a privacy-focused podcast.

Member of Monero

1/ Time to break down the latest response to the rightful outcry over the approach being taken with Ledger Recover and the risks of closed-source devices and firmware.

tl;dr - it confirms it's as bad as we thought, and still completely unverifiable in practice.

Strap in, anon. https://t.co/Br0ZeZHUJr
— Seth For Privacy (@sethforprivacy) June 21, 2023
2/ The overall architecture is laid out clearly at the beginning of the document under the "Design Goals" section.

We'll break this down bit by bit, as it aligns exactly with how I and others speculated the protocol actually worked.https://t.co/ZiWtaBAIj4 pic.twitter.com/tRTLVpHweC
— Seth For Privacy (@sethforprivacy) June 21, 2023
3/ Ledger confirmed that this is a variant of Shamir's Secret Sharing, an established and well-understood way to split a secret up and remove trust in any individual party.

They actually use a very interesting variant of this, but we'll get to that later. pic.twitter.com/l3DKdli0N5
— Seth For Privacy (@sethforprivacy) June 21, 2023
4/ The bombshell here is the explicit confirmation that *Ledger themselves* hold the master decryption key for *all Ledger Recover users*.

Your seed is encrypted using their key and not your own, so they always hold the ability to decrypt your seed from shards. pic.twitter.com/Hwp0ISx1Fo
— Seth For Privacy (@sethforprivacy) June 21, 2023
5/ This opens up two massive risks we've discussed before:

1) Ledger can collaborate with one other custodian and steal/seize funds at will w/o user consent
2) If a hacker stole this master key they could decrypt any seed shards they got from custodian hacks (low probability) pic.twitter.com/IxeLcJWzh7
— Seth For Privacy (@sethforprivacy) June 21, 2023
6/ While the risk of a hacker breaching Ledger and another custodian is relatively low, it is a risk.

The scariest risk is now seizure by a state/law enforcement as a simple subpoena (a very low bar in the US at least) could force Ledger and another custodian to seize funds.
— Seth For Privacy (@sethforprivacy) June 21, 2023
7/ Ledger has a financial relationship with their custodian partners, and have a fiscal incentive to abide by the law in their jurisdictions as a massive company.

Don't think for a second they'll fight a subpoena for your $5k in Bitcoin and $10 a month.
— Seth For Privacy (@sethforprivacy) June 21, 2023
8/ If, for example, anyone involved in the "Freedom Convoy" protests had stored their donated Bitcoin using Ledger Recover it 100% would have been seized under pressure of the Canadian and US governments.

Recover means "not your keys, not your coins".
— Seth For Privacy (@sethforprivacy) June 21, 2023
9/ This also opens up a strange "walled garden" dependence on Ledger as their master key is only present on Ledger devices, locking you in to *only* recovering your funds onto another Ledger.

Want to just get your seed phrase and move funds? Not gonna happen.
— Seth For Privacy (@sethforprivacy) June 21, 2023
10/ On a positive note, they seem to take a reasonable and solid approach to end-to-end encrypting the shards so that an attacker can't easily intercept them in transit.

See, I can be positive! pic.twitter.com/suJ7kjtV6A
— Seth For Privacy (@sethforprivacy) June 21, 2023
11/ While not necessarily a big issue, the entirety of the restore flows security, seed shard storage, etc. relies on hardware security modules. While this can be a good add for security, HSMs are not invulnerable to hacks, as Ledger themselves demonstrated with research in 2019. pic.twitter.com/XzHHXs2XIE
— Seth For Privacy (@sethforprivacy) June 21, 2023
12/ You can read a good article on Ledger's own research on HSM vulnerabilities here:https://t.co/AgRzYcTEhZ
— Seth For Privacy (@sethforprivacy) June 21, 2023
13/ An interesting small note in the whitepaper is that "expert" Ledger users will supposedly be able to act as the custodian, opening up the potential for community custody or similar in the future. pic.twitter.com/O0PEV9nZew
— Seth For Privacy (@sethforprivacy) June 21, 2023
14/ One really cool approach taken here is the use of a zero-knowledge proof based variant of Shamir's, leveraging Pedersen commitments (like those used in Monero's Confidential Amounts) so that custodians can prove they hold the right shards w/o revealing them. pic.twitter.com/zewux0SZdP
— Seth For Privacy (@sethforprivacy) June 21, 2023
15/ The actual backup flow is as we expected, and involves share computation and encryption happening on-device (assuming the actual protocol works as described here, impossible to verify as it's closed-source). pic.twitter.com/3GctAL1ueo
— Seth For Privacy (@sethforprivacy) June 21, 2023
16/ Ledger actually revealed something big here, in that yet another identity broker is used in addition to OnFido -- Tessi.

You can read details on OnFido here:https://t.co/uxZV4Fa05l pic.twitter.com/NbPBqQWAcN
— Seth For Privacy (@sethforprivacy) June 21, 2023
17/ Ledger also is asking their backup providers to do *yet another independent identity verification* on restoration, and rightly outlines two major attacks they're trying to prevent.

So, so much potential for leaks of your personally identifiable information. pic.twitter.com/qy5wX0di5d
— Seth For Privacy (@sethforprivacy) June 21, 2023
18/ It will be very interesting to see how resistant their recovery/verification flow is to AI-based deep fake identification videos, as AI is driving an entirely new threat to identity verification.

AFAICT this relies purely on a 2D selfie video + pic of ID, could be faked.
— Seth For Privacy (@sethforprivacy) June 21, 2023
19/ This identity verification could also be abused by $5 wrench attackers in theory through breaking in, killing/harming you, stealing ID, and faking ID verification using deep fake AI-generated videos using images of you.

Feels like theory but could be reality soon.
— Seth For Privacy (@sethforprivacy) June 21, 2023
20/ All in all this follows closely with how we guessed the protocol would work, but brings us no closer to actual verification of what runs on your Ledger device itself.

Gives off a bit of "just trust us" 2017 ICO whitepaper vibes as a result.
— Seth For Privacy (@sethforprivacy) June 21, 2023
21/21 If you missed the original thread on Ledger recover, I covered a lot of the risks and dangers here in that thread in even more detail:https://t.co/ZiWtaBAIj4
— Seth For Privacy (@sethforprivacy) June 21, 2023