On May 18, Ledger, a leading provider of crypto hardware wallets, provided clarification regarding how its firmware operates after a tweet on May 17 sparked controversy and was subsequently deleted by the company. The tweet in question, attributed to a customer support agent, suggested that Ledger could develop firmware capable of extracting users’ private keys.
Charles Guillemet, the chief technology officer of Ledger, took to Twitter to address the matter and stated that the wallet’s operating system (OS) requires the user’s consent whenever the OS interacts with a private key. In essence, the OS cannot copy the device’s private key without the user’s approval, although Guillemet acknowledged that using a Ledger wallet necessitates a certain level of trust.
The original tweet from Ledger’s customer service mentioned the technical possibility of creating firmware to facilitate key extraction, but Guillemet’s clarification emphasized that Ledger has never deployed such firmware and highlighted the importance of user trust in the company.
The tweet generated intense debate on Twitter, with many users accusing Ledger of misrepresenting the security of its wallets. Critics also pointed to a previous Ledger post from November that stated a firmware update could not extract private keys from the Secure Element, which seemed contradictory to the deleted tweet.
The controversy initially arose on May 16 when Ledger introduced a new service called “Ledger Recover,” allowing users to back up their secret recovery phrases by splitting them into three shards and storing them with different data custody services. The now-deleted tweet was in response to this new feature.
Guillemet’s Twitter thread clarified that Ledger’s firmware or OS is an open platform, enabling anyone to write and load their own apps onto the device. However, before an app is accepted on the Ledger Manager software, it undergoes evaluation by the Ledger team to ensure it is not malicious and does not have security flaws.
Ledger emphasized that even approved apps cannot utilize the private key for a network they are not designed for. For instance, Bitcoin apps cannot access Ethereum private keys, and vice versa. Additionally, whenever an app requires the use of a private key, the Ledger OS prompts the user to confirm consent. This implies that third-party apps installed on Ledger should not be able to access a user’s private key without their explicit permission.
Guillemet also acknowledged that while this system is currently part of the OS, it is theoretically possible for Ledger to change it or for an attacker to compromise the company’s computers. However, he dismissed concerns by stating that a certain level of trust is inherent in using any wallet. To protect against a potentially dishonest wallet provider, Guillemet suggested building one’s own computer, compiler, wallet stack, node, and synchronizer, though he acknowledged that this undertaking is a lifelong endeavor.
Rival hardware wallet provider GridPlus has offered to open-source its firmware as a means to attract Ledger users. However, Guillemet argued that open-sourcing firmware would not provide protection against a dishonest wallet provider, as users would have no way of verifying if the published code is actually running on the device.