Earlier this week, we sent out an email to all Bitvice clients regarding the Ledger hardware wallet controversy and Ledger’s controversial new service offering: Ledger Recover.
Should you be concerned if you are using a Ledger hardware wallet to secure your private keys? Are your funds at risk? Do you need to acquire a new hardware wallet? Read more to find out…
The Ledger hardware wallet has long been a staple go to for many Bitcoiners. It is so popular that it has almost become a meme for what a hardware wallet looks like: the quintessential thumb drive-styled device.
At Bitvice, we take your Bitcoin security seriously. The foundation of this security is your self custody Bitcoin wallet. For the past two years, we have been happy to recommend that our clients make use of Ledger hardware wallets because they are widely available, affordable and up until now, have been secure. However, over the past week a lot has changed and we have taken the liberty of sending you our thoughts on the issue and some options of what you can do next if you are a Ledger user.
Ledger hardware wallets: How it started
Recently, Ledger has announced a new product called Ledger Recover. This is a service that allows users of their Nano X hardware device to recover their digital assets if they have lost their seed words (private key). However, the trade-offs for this are such it gives a 3rd party access to your private keys. The implicit promise of hardware wallets is that this should never be possible. Your private keys should only be accessible by the owner of the hardware wallet and nobody else. Hence, in the eyes of many Bitcoiners, Ledger has undermined their fundamental value proposition.
Ledger hardware wallets: How it’s going
Bitcoiners all over the globe have responded very strongly to this news from Ledger, as the implication is that Ledger can gain access to your Bitcoin if they wish too. This means that you will have to trust Ledger not to be a nefarious actor themselves, not be compromised by one (hackers) or coerced by one (such as a nation state) to gain access to the Bitcoin secured by their devices. One of the underlying principles of Bitcoin is “don’t trust, verify”. Ledger now relies on trust, which in our opinion excludes their hardware wallets as a long term security solution for users who take their self custody seriously.
Important points to consider about your Ledger hardware wallet:
That being said, there has been a lot of noise surrounding this over the past week, but the fact of the matter is that you don’t need to panic. Your funds are safe and you can take your time deciding on the correct course of action, relative to your personal circumstances. The reason why we say this is because:
Ledger Recover is an optional paid, opt-in service
This means that you would have to sign up for the service and then update the firmware on your device in order to expose yourself to this risk.
The service is not live yet
Ledger has announced the service, but as of the time of writing this email, it is not yet available to Ledger customers.
The service is only available to Ledger Nano X hardware wallets
If you are using a Nano S device, then this service is not available to you. This service is only available to Nano X devices presently and as such, your Nano S device is still safe.
However, long term, we have concerns surrounding Ledger’s trust model:
You will need to update your firmware eventually
In order for your device to function properly over time, you need to upgrade its firmware. However, Ledger does not open source their codebase or firmware, so you will need to trust them when they say that there is nothing in their update that could expose your private keys to them or some other 3rd party. Not updating your firmware for a long period of time could result in your device malfunctioning over time and being rendered useless. So at some point, you will need to update your firmware, and then you will not be able to verify what is contained in the update, you will have to just take Ledger’s word for it.
Ledger is closed source
As mentioned above, Ledger does not open source their codebase. There are many alternative hardware devices on the market that open source all of their code (see our list below). This is superior to closed source code, as it means that many different sets of eyes (who don’t work for the device manufacturer) can inspect the codebase to ensure that it does what it says it should, without any critical trade-offs and security holes. Presently, if you own and use a Ledger device, then you have to trust Ledger. This is unnecessary when open source alternatives exist. More on these later.
This only affects the Ledger Nano X hardware wallet (for now)
While this currently does not affect any users (as the service is not yet live) it will also only be available to Nano X wallet users. A large proportion of Ledger users make use of the older, Nano S model. This buys these users time to make an informed decision about which wallet they would like to use over time (or stay with Ledger, if they so wish). However, the risk exists that sometime in the future Ledger may publish a firmware update for the Nano S which creates security vulnerabilities to the private keys stored on the device. Thus it may be prudent to start looking for an alternative device before this happens. Based on the extreme negative feedback that Ledger has received over this, we would not be surprised if they do not roll out this feature to the Nano S range of devices, but the cat is out of the bag now and the vulnerability that is having to trust Ledger is now highly apparent.
So what do you do now?
- Don’t panic! Time is on your side.
- Decide if you trust Ledger, or wish to look for an alternative hardware wallet.
- Acquire an alternative hardware wallet.
- Move your funds over to your new wallet.
- Update your Bitcoin address in your Bitvice profile so that your new purchases are sent to your new wallet.
Hardware wallets that we recommend:
Should you wish to procure a new hardware wallet, we have curated a non-exhaustive list of wallets that we recommend. The following list contains wallets that have open source codebases, which removes the risk of a provider creating a firmware update that can expose your private keys to them.
- Jade – well priced with great security
- Coldcard – best security but expensive
- Passport – comparable to Coldcard
- Trezor – well priced & available in South Africa
- Seedsigner (DIY wallet that you can self assemble)
Life is to short to lose you Bitcoin
In summary, closed source wallets always make the trade off that you will have to trust their firmware updates. As the Bitcoin network and value of the asset class grows, there will be more incentive for bad actors to focus their efforts on corrupting or coercing closed source Bitcoin service providers. The best way to defend your stack against this is by making use of open source software which allows for thousands of independent people to review their code.
If you have any questions, please don’t hesitate to contact us. If you would like help with making a decision on which hardware wallet is right for you and how to set it up, then the Bitvice Concierge is here to help! Find out more here.
I have a multisig wallet which makes use of a Ledger hardware wallet, am I at risk?
No, multisig wallets are extremely secure. In order for your multisig wallet to be at risk, you would need to: Be using only Ledger Nano X devices in your multisig, sign up for Ledger Recover with all the devices and update the firmware on all your devices. Furthermore, Ledger would need to have a copy of your wallet coordination file in order to know which devices are part of the multisig wallet. Unless all of these criteria are met, your multisig wallet is not affected by this vulnerability. However, it is unclear how this will change in the future. Changing some of the hardware devices in your wallet out for other brands can offset this risk.
I am using a Ledger Nano S hardware wallet, should I be concerned?
Presently, no. Ledger Nano S hardware wallets are not affected by this change. However, future firmware updates may include this offering. To offset this risk, do not update your firmware and switch your hardware wallet out to a different provider over time.
I am using a Ledger Nano X hardware wallet, what should I do now?
If you wish to keep your private keys private, do not sign up for the Ledger Recover service when it becomes available. Rather learn how to securely back up your private keys yourself. Bitvice can assist you with resources on how to do this yourself. Furthermore, do not update the firmware on your Nano X device from your current version.
What hardware wallets does Bitvice recommend?
See our list above.