On May 18, cryptocurrency hardware wallet provider Ledger clarified how its firmware works after the company deleted a controversial May 17 tweet. The deleted tweet, which Ledger said was written by a customer service agent, suggested that Ledger “may” write firmware that can extract users’ private keys.
[1/3] You may have seen a tweet from our Ledger Support account being shared regarding Ledger firmware updates.
Unfortunately, in our attempt to clarify how Ledger and all wallets work with the firmware, a customer support agent posted a tweet with confusing wording. https://t.co/cL6UrBzxWr
— Ledger Support (@Ledger_Support) May 18, 2023
Ledger CTO Charles Guillemet clarified in a new Twitter thread that the operating system (OS) of the wallet requires the user’s consent any time “the OS touches the private key.” In other words, the OS should not be able to copy the device’s private key without the user’s consent, although Guillemet also said that using the Ledger requires “minimal trust.”
The original Ledger customer support tweet stated: “Technically speaking, it has always been possible to write firmware to make key extraction easier. You always believed that Ledger would not install such firmware, whether you knew it or not.”
The tweet caused an uproar on Twitter as many users accused the company of misrepresenting the security of their wallet. Critics shared an alleged Ledger post from November that said, “Firmware update cannot retrieve private keys from Secure Element,” implying the company was contradicting itself.
While the deleted tweet caused controversy, the issue first came up on May 16 when the company introduced a new “Ledger Recover” service that allows users to back up their recovery passphrase by splitting it into three fragments and sending it to another data storage service. The deleted tweet was in response to the release of a new feature.
Nov 2022: A firmware update cannot extract the private keys from the Secure Element — Ledger
May 2023: Technically speaking it is and always has been possible to write firmware that facilitates key extraction — Ledger
@Ledger do you now understand the problem? pic.twitter.com/czG53SuCOu
— olimpio (@olimpioCrypto) May 17, 2023
A new Twitter thread from Guillemet says that the wallet or OS firmware is an “open platform” in the sense that “anyone can write their own application and download it to the device.” Before allowing the Ledger Manager software to be used, the team first evaluates applications to ensure they are not malicious and do not have security flaws.
According to Ledger, even after an app is approved, the OS doesn’t allow it to use the private key for a network it’s not intended for. The company gave the example that Bitcoin apps are not allowed to use the device’s Ethereum private keys, and vice versa for Ethereum apps and Bitcoin keys. In addition, every time a private key is used by an application, Ledger says the OS requires users to confirm their consent to use the key. This seems to mean that third-party apps installed on the Ledger should not be able to use a person’s private key without the user’s prior consent to use it.
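The two checks described above, network isolation and per-use consent, can be modelled in a few lines. This is an added illustration, not Ledger's OS code: the app names, the `APP_PREFIXES` table and the `ask_user` callback are hypothetical, and the path prefixes assume the standard BIP-44 purpose with SLIP-44 coin types 0' (Bitcoin) and 60' (Ethereum).

```python
# Added illustration: a toy model of the policy described above, not Ledger's OS code.
HARDENED = 0x80000000  # BIP-32 marks hardened indexes by setting the top bit

# Hypothetical per-app allow-list of derivation-path prefixes (assumed values).
APP_PREFIXES = {
    "bitcoin": "m/44'/0'",
    "ethereum": "m/44'/60'",
}

def parse_path(path):
    """Turn "m/44'/60'/0'/0/0" into a list of 32-bit BIP-32 indexes."""
    parts = path.split("/")
    if parts[0] != "m" or len(parts) < 2:
        raise ValueError("path must start with m/")
    indexes = []
    for part in parts[1:]:
        hardened = part.endswith("'")
        num = part[:-1] if hardened else part
        if not (num.isascii() and num.isdigit()) or int(num) >= HARDENED:
            raise ValueError(f"bad path component: {part!r}")
        indexes.append(int(num) | (HARDENED if hardened else 0))
    return indexes

def authorize_key_use(app, path, ask_user):
    """Allow a key operation only if the path belongs to the app AND the user confirms."""
    prefix = APP_PREFIXES.get(app)
    if prefix is None:
        return False                      # unknown app: no key access at all
    try:
        allowed, requested = parse_path(prefix), parse_path(path)
    except ValueError:
        return False                      # malformed path: fail closed
    # Compare numeric indexes, so 44 (non-hardened) never matches 44' (hardened).
    if requested[:len(allowed)] != allowed:
        return False                      # wrong network: the user is never prompted
    return bool(ask_user(app, path))      # consent is requested on every use, not cached

if __name__ == "__main__":
    confirm = lambda app, path: True      # stands in for the on-device button press
    print(authorize_key_use("ethereum", "m/44'/60'/0'/0/0", confirm))  # True
    print(authorize_key_use("bitcoin", "m/44'/60'/0'/0/0", confirm))   # False
```

Both checks run in the same firmware that holds the key, which is why the trust question raised in the thread remains even when the policy itself is sound.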
Guillemet also confirmed that this system is part of the current OS, which could theoretically be changed if Ledger becomes dishonest or if an attacker somehow gains control of the company’s computers:
“If a wallet wants to inject a backdoor, there are many ways to do it: random number generation, a crypto library, the hardware itself. It is even possible to create signatures so that the private key can only be obtained by monitoring the blockchain.”
However, Ledger’s CTO dismissed these concerns, stating: “Using a wallet requires minimal trust. If your hypothesis is that your wallet provider is the perpetrator, you are doomed.” He went on to say that the only way a user can protect themselves from an unscrupulous wallet developer is to build their own computer, compiler, wallet stack, node, and synchronizer, which the CTO says is “the path of a lifetime.”
Rival hardware wallet provider GridPlus has offered to open-source its firmware in an attempt to attract Ledger users. On the other hand, Guillemet stated that open source firmware would not protect against a dishonest wallet provider, as there would be no way for the user to know if the published code actually works on the device.