Ledger just turned itself into a meme. Should you still trust them? #20
This week we learned that Ledger can program their devices to do anything they want. This includes granting themselves full access to your coins... for $9.99 / month!
Ledger has finally shown their true face. Eager to chase more profits they inadvertently disclosed that they lied to their customers (see image below for a TLDR).
Turns out, Ledger can make their “hardware wallets” do anything they wish with a simple firmware update. This includes them receiving full access to your coins. They are so out of touch that they even plan to charge you $9.99 per month to do so. All in the name of “securing” your assets… from you.
This blatant contradiction has made people run for the exit. What is the point of a hardware wallet if Ledger can access your coins? Their new subscription service, called Ledger Recover, has turned into a PR disaster.
The main takeaway?
If you are using Ledger, you are trusting this company (a third party) with your money and coins. Moreover, every firmware update from Ledger has become a possible attack vector.
What can you do to protect yourself? My analysis and recommendations next.
To activate the Ledger Recover service, users have to consent and approve the associated firmware update that allows it. Ledger argues that you can choose to skip this update and even if you do install it, this service is optional.
But there is a catch.
That would not have been such an issue if this firmware update and new service were restricted to a new dedicated device for this purpose. Instead, Ledger released it on their existing devices, which were sold on the promise of “self-custody”. This new service exposed Ledger’s biggest secret: all their existing devices are programmable to do anything they want - and that includes gaining full access to your seed and coins.
Wait what?
It defeats the whole point of buying a Ledger. The backlash was quick to come.
This was not supposed to be possible. Only the user was supposed to have such access. But now, Ledger is happy to charge you $9.99 per month to hold your seed safe (for a time: if you don’t pay, you lose it). This is not self-custody; this is a centralized custody service provided by a third party that you now have to trust with your money every time you click update.
Suddenly, Ledger devices turned into hot wallets exposed to the Internet.
With one exception.
The old Ledger Nano S device.
Presumably because it has so little memory that this update is not possible. Ledger’s original security philosophy - make the memory so small that you can’t really do anything else on the device but keep the coins safe - turned out to be right. We just didn’t expect that we needed protection from Ledger.
If you have a Ledger device, here is what you have to do to protect yourself:
Do not update the firmware
If you did it by mistake, do not opt into the new service
Start looking for alternatives to Ledger (my suggestions at the end)
Considering what we know now, you should never update your Ledger firmware again, as each update is now an added risk. To illustrate, Ledger could be coerced by governments or any other third-party actor to push an update that grants them access to your coins without you knowing. This becomes particularly problematic with their Ledger Recover service, as they would then hold all your personal details tied to your wallet together with full access to your coins.
Apart from the old Ledger Nano S, all their existing devices are programmable to do anything they desire as the below image shows.
It’s ironic that their original design prevents that to some extent. Yet that got in the way of Ledger making profits via subscriptions. The assumption Ledger makes here is that regular users are not capable of safely storing their private key, and they completely disregard their existing customers who bought their devices trusting that they alone had such access and no one else did. This is now false.
To make matters worse, Ledger’s code is not open source, and in 2020 they leaked their customers’ private data. Now they are asking you to trust them with your money, at a fee. However, the cherry on top is that they lie and don’t seem to stop, as the next image illustrates.
Time to seek alternatives. My recommendations next.
The safest hardware wallet should:
use open source code (removes the trust required in companies like Ledger)
be narrow in scope (do one thing well and one thing only - similar to the old Ledger Nano S)
not connect to the Internet (to pull updates that can get access to your coins)
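The core of the argument above is that a vendor signature on a firmware image proves who built it, not what it does: a device that installs any vendor-signed update is one update away from exporting the seed, whoever is pressuring the vendor. The following is an added toy model, not code from the original post and not a description of any real Ledger or BitBox device, illustrating that point and why the “open source” item on the checklist matters. It assumes a hypothetical update policy in which the owner can pin the hash of an audited, publicly buildable firmware image; all keys, firmware images and the seed are constructed placeholders, and an HMAC stands in for the vendor’s real public-key signature so the script runs with the standard library only.

```python
"""
Added example: two firmware-update policies for a hardware wallet, modelled
as a small state machine. Everything here is constructed for illustration
(hypothetical update format, placeholder keys and images); it does not
describe any real device's implementation.
"""
import hashlib
import hmac
from typing import Optional, Set

# Constructed stand-in for the vendor's signing key. Real devices verify a
# public-key signature; HMAC keeps this dependency-free and shows the same
# property: the check proves origin, not behaviour.
VENDOR_SIGNING_KEY = b"constructed-vendor-key-not-real"

# Two constructed "firmware images". Both are genuine vendor builds; only
# the second one contains a path that hands the seed to an outside service.
FW_ORIGINAL = b"fw-v1: sign transactions on device only"
FW_WITH_EXPORT = b"fw-v2: sign transactions; export seed to vendor service"


def vendor_sign(image: bytes) -> bytes:
    """Vendor-side signature over a firmware image (HMAC stand-in)."""
    return hmac.new(VENDOR_SIGNING_KEY, image, hashlib.sha256).digest()


def firmware_hash(image: bytes) -> str:
    """Hash an owner or auditor could compute from an open-source build."""
    return hashlib.sha256(image).hexdigest()


class Wallet:
    """Toy wallet: holds a seed and runs whatever firmware was last installed."""

    def __init__(self, seed: bytes, pinned_hashes: Optional[Set[str]] = None):
        self._seed = seed
        self.firmware = FW_ORIGINAL
        # None  -> policy A: trust any vendor-signed image (vendor-only).
        # a set -> policy B: vendor signature AND hash pinned by the owner.
        self.pinned_hashes = pinned_hashes

    def update(self, image: bytes, signature: bytes) -> bool:
        """Install `image` if policy allows it; return True when installed."""
        if not hmac.compare_digest(vendor_sign(image), signature):
            return False  # forged or tampered image: rejected by both policies
        if self.pinned_hashes is not None and firmware_hash(image) not in self.pinned_hashes:
            return False  # genuine but unaudited image: rejected by policy B only
        self.firmware = image
        return True

    def seed_exportable(self) -> bool:
        """True if the running firmware contains a seed-export path."""
        return b"export seed" in self.firmware


def vendor_only_policy_exposes_seed() -> bool:
    """Policy A: a valid vendor signature is all it takes to change behaviour."""
    w = Wallet(seed=b"constructed-seed")
    installed = w.update(FW_WITH_EXPORT, vendor_sign(FW_WITH_EXPORT))
    return installed and w.seed_exportable()  # True


def pinned_hash_policy_exposes_seed() -> bool:
    """Policy B: the owner only pins builds they (or auditors) have reviewed."""
    audited = {firmware_hash(FW_ORIGINAL)}
    w = Wallet(seed=b"constructed-seed", pinned_hashes=audited)
    installed = w.update(FW_WITH_EXPORT, vendor_sign(FW_WITH_EXPORT))
    return installed or w.seed_exportable()  # False


def forged_update_accepted() -> bool:
    """A non-vendor image with a bad signature is rejected under both policies."""
    a = Wallet(seed=b"constructed-seed")
    b = Wallet(seed=b"constructed-seed", pinned_hashes={firmware_hash(FW_ORIGINAL)})
    bogus_sig = bytes(32)
    return a.update(FW_WITH_EXPORT, bogus_sig) or b.update(FW_WITH_EXPORT, bogus_sig)  # False


if __name__ == "__main__":
    print("vendor-only policy, seed exportable after update:", vendor_only_policy_exposes_seed())
    print("pinned-hash policy, seed exportable after update:", pinned_hash_policy_exposes_seed())
    print("forged image accepted by either policy:", forged_update_accepted())
```

Policy B only works if the owner can actually produce or check the hash of the image being installed, which is what open source code and a narrow, rarely changing feature set (the first two checklist items) make practical; with closed firmware the owner is back to policy A, trusting the vendor and whoever can lean on them.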
To play it safe, I recommend you start using two hardware wallets:
One dedicated only to holding Bitcoin (this would make it physically impossible to hold anything else, like altcoins or other malicious software)
One dedicated only to holding altcoins
After some research, the hardware wallet that ticks these boxes is the BitBox02. It has a Bitcoin-only edition, and you can use the regular one for altcoins. I was not paid to say this - this is my opinion only - do your own due diligence.
The majority of your wealth should be in Bitcoin and be the most secure. The rest, like altcoins, can be held in a separate hardware wallet, which would need more memory to accommodate all those updates and new blockchains.
On a personal note, I’ve been a happy Ledger user for over five years, but this news made me reconsider. I will no longer recommend them in the future, nor use their devices. Time to look elsewhere. The space is evolving fast and you should evolve with it.
Great article. And yeah, Ledger messed it up pretty badly.