Ledger’s PR Struggle Reveals Uncomfortable Trade-Offs for Crypto Storage
After a week of controversy around its new seed-recovery service, French wallet-maker Ledger has been on a PR offensive, including a Twitter Spaces event with Ledger CEO Pascal Gauthier on Tuesday afternoon and an appearance by the same executive on CoinDesk TV Wednesday morning.
The message? Ledger has listened to its critics and is prepared to make changes to its approach.
“Everybody is very sad at Ledger when you yell at us. But it’s okay because we get better and we will always strive to be good servants of the community,” Ledger CEO Pascal Gauthier said during a Twitter Spaces session on Tuesday afternoon.
The yelling in question was the criticism Ledger faced after announcing its upcoming key recovery service. The service will allow users to keep an encrypted backup of their wallets with a set of three custodians, including Ledger itself. Many Ledger users and observers questioned the safety of the proposed service regarding potential hacks, user data leaks and abuse of trust by Ledger itself.
On Tuesday, Ledger published a letter saying that it heard its users’ concerns and decided to change course: it will open-source the Ledger Recover code before launching the service, Gauthier wrote.
In addition to that, Ledger will offer an additional security feature in the Recover setup: while the encrypted backup will be stored by three custodians, users will have the option to also create a passphrase, so that even if the custodians collude and recover the private key, they still won’t be able to move funds without the passphrase.
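The protection described above can be illustrated with the standard BIP39 seed derivation that Ledger devices already use for passphrases; the following is an added example, not Ledger Recover's code, and it assumes the Recover passphrase is applied the same way as a BIP39 passphrase (the article does not say how it is applied). The sample mnemonic is a published BIP39 test vector, and the "colluding custodians" function is a hypothetical stand-in for the worst case the article describes.

```python
import hashlib
import unicodedata

# Constructed sample: BIP39 test vector #1 (entropy of sixteen zero bytes).
# A real backup would hold a user's own secret, never this public value.
SAMPLE_MNEMONIC = ("abandon " * 11 + "about").strip()


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed stretching: PBKDF2-HMAC-SHA512, 2048 rounds, 64-byte output.

    The passphrase only enters through the salt, so the same mnemonic with a
    different passphrase yields an unrelated seed, and therefore different
    private keys and addresses.
    """
    mnemonic = unicodedata.normalize("NFKD", mnemonic)
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", mnemonic.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64
    )


def custodians_collude(recovered_mnemonic: str) -> bytes:
    """Hypothetical worst case from the article: every custodian pools its piece
    of the backup and the mnemonic is rebuilt. The backup carries no passphrase,
    so the best the colluding parties can derive is the empty-passphrase seed."""
    return mnemonic_to_seed(recovered_mnemonic, "")


def passphrase_protects(mnemonic: str, passphrase: str) -> bool:
    """True when the seed the user actually spends from differs from the one the
    colluding custodians obtain. An empty passphrase gives no protection at all."""
    return custodians_collude(mnemonic) != mnemonic_to_seed(mnemonic, passphrase)


if __name__ == "__main__":
    print(passphrase_protects(SAMPLE_MNEMONIC, "correct horse battery staple"))  # True
    print(passphrase_protects(SAMPLE_MNEMONIC, ""))  # False
```

The strength of this protection is exactly the strength of the passphrase: a short or guessable one leaves the colluding custodians a cheap offline search, so it should be treated as a second secret, not a PIN.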
Ultimately, nothing is 100% trust-less for an average user, Gauthier said in an interview with CoinDesk TV Wednesday morning.
“There is always a minimum of trust that you need to have in any hardware wallet that you’re going to use. And we are trying to make the part of the operating system as the one that you have to trust as small as possible and open everything else,” he said.
To open-source or not to open-source
The decision to open-source the code came as a response to critics pointing out that it’s impossible to audit Ledger’s new feature because the code is not public. However, the open-sourcing pledge comes with a caveat: Ledger will not publish code for all of its firmware, for security reasons, the company’s CTO Charles Guillemet said in a Twitter thread.
The smartcard chip in the Ledger wallet, which is where all the operations happen and where users’ private keys are stored, has built-in protections against physical tampering, Guillemet wrote. “Because this know-how is the IP of manufacturers, they don’t want it leaked, preventing Ledger’s firmware from being fully open source,” he added.
Ledger will “gradually open-source” most of its operating system, starting with the controversial Ledger Recover feature, Guillemet wrote, but “the other parts will take a little more time since it needs to be refactored to abstract the chip-specific characteristics under NDA from our OS.”
Ledger does not believe that open-source is a “silver bullet for security,” the firm’s co-founder Eric Larcheveque said during the Twitter Spaces. “We chose closed source because we believed it brings a higher level of security,” he added.
Guillemet also said that ultimately, even with open-sourced code, users have to trust the wallet manufacturer – Ledger or any other – with the safety of their crypto. Otherwise, users would have to build their devices from scratch, including all the physical parts, the code and the compilers turning that code into working apps, Guillemet said, and that’s obviously not an option for the “millions of users” Ledger wants to onboard in the coming years.
For the same reasons, Ledger chose not to create a completely new product for users interested in the key recovery functions, instead making it an opt-in upgrade for existing wallets. Some participants of the Twitter Spaces event said a separate product could have been a way to avoid the PR disaster Ledger went through over the new feature.
But making a new product for the new feature would be “a security theater,” Ledger’s chief experience officer Ian Rogers said: “I can take a Ledger and put it in a different box with a different name, but it would still have exactly the same sort of potential threat vector.”
That existing wallets can be upgraded for the new feature was the most controversial part of Ledger Recover. Many observers noted that Ledger’s main selling point has been that private keys never leave the device. And now it turns out that the same devices that are not supposed to reveal the private key actually can broadcast the backup to the outside world.
To add insult to injury, Ledger’s Twitter account responded to this saying that “it is and always has been possible to write firmware that facilitates key extraction” in a Monday tweet that caused outrage and was later deleted.
This should not be a shocker, Guillemet explained during the Twitter Spaces, because that’s the way Ledger works: to interact with different blockchains and smart contracts, the wallet’s operating system must access the private key. And the operating system needs to be upgradeable because blockchains themselves also upgrade and implement new features from time to time.
This means that the programs running on Ledger could always have been changed in a way that affects private key handling – that’s something a user needs to accept by default, and the fact that users did not realize this came as a surprise to Ledger itself, Guillemet said.
The ghost of the subpoena
Another controversial part of Ledger Recover is that the service, which is offered as a paid subscription, requires users to go through know-your-customer (KYC) checks. A Twitter user nicknamed @Zk_shark asked whether Ledger will readily respond to any government subpoena requesting data on Ledger Recover users.
He recalled the infamous case of 2018, when Coinbase complied with the IRS’ request to provide data of 13,000 users. Later, 10,000 Coinbase users received a letter from the tax agency suggesting that they might have failed to properly report their crypto-related taxes. The IRS did not disclose the source of the users’ data.
Gauthier’s response was: if you fear this scenario, don’t use Ledger Recover. However, receiving such subpoenas is not something that worries the company. “We don’t think it’s very easy to subpoena a service like Ledger Recover,” Gauthier said.
However, he added, “if you want to be absolutely censorship resistant, you should just not activate the function.”