In a recent turn of events, crypto hardware wallet provider Ledger found itself at the center of a heated debate over the security of its firmware. The controversy stemmed from a now-deleted tweet by a Ledger customer support agent.
The tweet claimed that Ledger could potentially create firmware capable of extracting users’ private keys. This statement immediately drew backlash and accusations that Ledger had misrepresented the security of its wallets.
In response, The company’s chief technology officer, Charles Guillemet, took to Twitter to clarify how Ledger’s firmware works and address the concerns raised by users. He emphasized that Ledger’s operating system (OS) requires explicit user consent whenever a private key is accessed by the OS.
According to Guillemet, the OS cannot copy the device’s private key without the user’s approval. However, he did acknowledge that using a Ledger wallet necessitates a certain level of trust.
The deleted tweet further ignited the controversy, but the underlying issue had surfaced earlier. On May 16, Ledger introduced a new service called “Ledger Recover,” enabling users to back up their secret recovery phrase by splitting it into three shards and storing them with different data custody services. It was in response to this release that the now-deleted tweet emerged.
Guillemet clarified that Ledger’s firmware, or OS, is an open platform, allowing anyone to develop and load their own apps onto the device. However, Ledger’s team thoroughly evaluates these apps before they are permitted on the Ledger Manager software, ensuring they are not malicious and free from security flaws.
Additionally, Ledger maintains strict control over the usage of private keys by apps. The OS prevents an app from using a private key for a network it is not intended for. Guillemet provided the example that Bitcoin apps cannot access Ethereum private keys and vice versa.
Furthermore, whenever an app requires the use of a private key, the OS prompts users to confirm their consent. This implies that third-party apps installed on Ledger cannot utilize a person’s private key without explicit user permission.
However, Guillemet acknowledged the theoretical possibility of Ledger changing its OS if the company were to act dishonestly or if an attacker gained control of its computers. He cautioned that wallets inherently require a certain level of trust and asserted that users would be in a precarious position if their wallet provider were the attacker.
Guillemet suggested that building one’s own computer, compiler, wallet stack, node, and synchronizer could be the only way to protect against a dishonest wallet developer—a process he referred to as “a lifetime journey.” He argued that users would have no way of verifying whether the published code was actually running on the device, implying that it might not provide the desired level of protection against a dishonest wallet provider.
The debate surrounding Ledger’s firmware highlights the significance of trust and transparency in the realm of crypto wallets. As users become increasingly concerned about the security of their digital assets, hardware wallet providers must navigate the delicate balance between user convenience and maintaining trust.
