Current Events: Ledger Seed Recovery

in #leofinance, 2 years ago

Hardware wallet providers once again proving they can't be trusted.

Ledger Recover is a subscription service that allows users to utilize an additional layer of protection for their private keys. This service employs a technique where the user’s seed phrase is divided into three encrypted fragments, each sent to different external entities. Once these fragments are combined and decrypted, they can be used to reconstruct the original seed phrase.

And understandably people are pissed.

Mudit Gupta, the chief information security officer at Polygon Labs, shared, “It’s a horrendous idea, DON’T enable this feature.” Gupta expanded further in his Twitter thread that “the problem here is that the encrypted keys parts are sent to 3 corporations and they can reconstruct your keys.”

Of course many assumptions are being made here.

For example... um, so the three parts are encrypted... but encrypted with whose password? It could be more secure than it sounds, but like others I have my doubts.

Bitcoin investor and podcaster Chris Dunn shared, “First they exposed mailing address, phone numbers, and email addresses of their customers,” referencing the Ledger data leak that exposed users’ information in 2020. “And now they’ve put a back door into seed phrases. It’s time to say goodbye to Ledger.”

Hm yeah exactly.

Ledger has already shown that they are incompetent by storing data that they never should have been storing in the first place, and then getting hacked. People literally were threatened, kidnapped, and died over this event, and as far as I know Ledger got away with it essentially scot free.

Also... what if you have 2 of the three pieces of the seed?

Each word added to a seed phrase grows its security exponentially. If someone controls 8 out of the 12 words? LoL, you could brute-force hack that shit on a laptop in five seconds.

I wish I had the numbers on me because I know I've seen an infographic showing how much security each added word provides, but it might even be possible to crack a 12-word seed when someone controls only 4 of the words, which would render this entire process completely pointless and even less secure than storing all the words in a single place (because if any of the three get hacked you're done, son).

Binance founder and CEO Changpeng Zhao chimed in on Gupta’s thread, saying, “So the seed can leave the device now? Sounds like a different direction than ‘your keys never leave the device.’”

Sick Burn by CZ

That is such a political and polite way of putting it.
Underneath the surface it is absolutely scathing.
Very nice.

The wallet provider shared that Ledger Recover is an optional subscription for users who want to back up their secret recovery phrase. “You don’t have to use it, and can continue managing your recovery phrase yourself if that’s why you bought a Ledger,” the company explained.


"Don't worry about it," said untrustworthy corporation.

"It's just optional, bro." LoL, yeah but if the code exists to extract the seed from the device then spoiler alert: the code exists to extract the seed from the device. It doesn't matter that it's "optional". It exists, and that's a threat.

This is something I have spoken about multiple times now, and I'm actually quite flabbergasted that people only seem to realize what's going on here once the untrustworthy corporation comes out and openly admits it is going to implement a bad idea. What if they had simply said nothing and programmed a backdoor into the next firmware update? Kek... as if they can't do it at any time.

Now governments and other institutions all around the world can apply pressure to companies like Ledger and Trezor and demand that so-and-so's wallet needs to be confiscated. This is such a bad look it's unbelievable, but hopefully I'm exaggerating (at least in the short/mid term). Hopefully these threats don't actually materialize until we have better options available.

Better options like what?

Events like this always bring me back to my idea of creating an air-gapped hardware wallet on something like a Raspberry Pi device. Something like this would be 100% trustworthy if the user set everything up themselves, and would be fairly trustworthy if they bought it from a trusted third party on Hive (even if it was hacked you'd be able to see all the data exiting the device when you scanned the QR code on your phone).

Of course something like this is a serious end-game type project that has to be either funded by the @hive.fund or by a philanthropist on Hive. Sorry boys, I'm not a multimillionaire yet so I can't afford it. Still, it would be super cool (especially if it was hidden and embedded on a Raspberry Pi that played video games via emulator or something: then no one would even know it was a hardware wallet).

Conclusion

Terrible terrible idea from Ledger. Just terrible. Of course mathematically it's a great idea if the number of seeds that get recovered is greater than the number of seeds that get stolen due to this functionality. However such a point might be moot as it opens up all seeds to systemic risk (meaning it's possible they could all get hacked at the same time after the appearance of being secure for years).

This kind of "solution" is a very slippery slope. On the one hand it's just the kind of thing we'd expect for mainstream adoption so noobs can rest at ease knowing that they aren't going to make a mistake and lose everything, but also it opens Pandora's box in terms of the security of everyone with a Ledger, not just the users who opt into the service. If code allows the seed to escape the device by design it doesn't matter if it's "optional" as Ledger is claiming here.

Luckily I like my Trezor quite a bit, but I only trust them slightly more than Ledger at this point. Corporations are corporations after all. It's also noteworthy that Hive account recovery is superior to this solution in every way: it doesn't add any attack vectors to the platform, and it is a very elegant solution that can't recover a seed but can allow a seed to be changed securely.

In any case it's nice to see that Ledger has gotten so much bad press over this and we need to be watching them closely to see what they do next. Whatever it is I imagine it won't be good.


Ledger's internal chip was closed source.

Fortunately Trezor is open source so we should know if pressure has been applied to SatoshiLabs before we're compromised. An added passphrase should also increase security. It probably helps that the chokehold point is located in the Czech Republic and not some more western aligned "woke" nation.


Holy Shiznitz!

Do you know how easy it would be to break an encryption on a file that contained 4 or 8 words from a predefined list???

There are even some algorithms that can guess the words based on size and complexity.
You don't have to decrypt it all, just enough to guess the rest.
And so, there is no encryption at all.

Might as well be sending the bad guys the keys to your wallet.

And you are very correct, with four words known, and at least a bitcoin as the goal, just set a laptop to work on it for a year, maybe not that long. Your only problem is competing crackers.

The biggest problem is you aren't encrypting a big document with all kinds of possibilities.
It is 12 or 24 words from a specific set.

AND!!!! The whole point of having a hardware wallet is that those keys stay in the damn thing and never, ever, ever get exposed to the outside world. Failure at the 0th level there, Trezor.

Definitely got me considering diversifying into another wallet. Ngrave and SafePal seem the top 2 airgapped choices. Though even then, theoretically, firmware updates become a weak link until the code is fully open-sourced. And even with Trezor’s, the physical device itself can be hacked.

Passphrases 100% of the time with all options.

I ordered a KeepKey the day I saw the news. Trezor is open source, so at least you can see what they are doing. Ledger is closed source and we don't know what they have cooking behind the curtain. I am going to get rid of my Ledger, keep my Trezor (for now) but will likely use the KeepKey for the bulk of it.

I wasn't super interested in the whole thing, since I don't have a Ledger, however when I heard about it, I assumed it was something like the 3 of 3 + passphrase version of Shamir Backup that has been present for some time in Trezor. The new thing would be the user sending each part of the recovery seed to a different entity for safekeeping. If that was the case, then there was no need for a backdoor to read the seed from the device, and the corporations that safeguard your data would not be able to recover the seed without the passphrase. Still, why the hell would anyone want to pay for such a service?

Shamir Backup offers a significant advantage compared to the regular single recovery seed method. Individual shares do not leak any information about the shared secret, as long as the number of compromised shares does not reach the required threshold.
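As an added example (not code from the post, Trezor, or any commenter), a minimal Shamir split over a prime field that shows the threshold property quoted above: any t shares recover the secret, while t-1 shares are consistent with every candidate secret, so a "3 of 3" split leaks nothing from two shares. The field prime and the test values are my choices; a 128-bit entropy value (a 12-word seed) fits below the prime.

```python
import secrets

# Field modulus; 2**127 - 1 is a Mersenne prime, so 128-bit seed entropy fits below it.
PRIME = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[i] * x**i) mod PRIME; coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, n, t):
    """Split `secret` into n shares (x, y) such that any t of them reconstruct it."""
    if not (1 <= t <= n) or not (0 <= secret < PRIME):
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def _interpolate(points, x):
    """Lagrange interpolation: value at x of the unique degree < len(points) polynomial."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def reconstruct(shares):
    """Recover the secret (the polynomial's value at x = 0) from t or more shares."""
    return _interpolate(shares, 0)


def consistent(partial_shares, candidate_secret, t):
    """Could a degree < t polynomial pass through `partial_shares` AND (0, candidate)?

    With fewer than t shares this is always True, whatever the candidate: the
    shares carry no information. With t or more shares only the real secret fits.
    """
    points = [(0, candidate_secret)] + list(partial_shares)
    if len(points) <= t:
        return True
    basis, rest = points[:t], points[t:]
    return all(_interpolate(basis, x) == y for x, y in rest)
```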

Ah nice...

But if it also has a "passphrase" doesn't that just lead itself to the same scenario of forgetting the passphrase and losing the money? Also setting the threshold to 100% seems... counterintuitive. It also sounded like it has a strong KYC element to it which I forgot to even mention in the OP.

Hardware wallets stem from the idea of the brain-wallet. You get a long passphrase and run it through the script magic to get the pair of keys (or any number of pairs once BIP32 was introduced). This way all you need to do to always have your wallet on you is to remember the passphrase. That's the problem though. People are nowhere near as unique as they think they are. So they used quotes from the Bible or Cthulhu, phrases in Klingon or Quenya, children's rhymes and song lyrics - guess what, other people had the same idea. When I first read about the concept, I played a bit with different passphrases in Armory, and it didn't take me long to run into some that were connected to addresses that at some point in the past held a nontrivial amount of Bitcoin. So, if you wanted to use a brain-wallet, you had to make a passphrase that was specific to you, like a concatenation of your name, address, PIN to your debit card, your social security number, password to your email etc. But since you are not using it every day and every character matters, such a passphrase is very difficult to remember even if you know all its components.

Hardware wallets eliminate that problem. You only need to remember a simple PIN to unlock the wallet and you get the benefits of a very strong passphrase that you don't need to remember for everyday use. On top of that you can also use extra passphrases that are easy to remember, like the names of your children, that act as an extra word of the passphrase. Since each acts effectively as a different seed, you can even share the same hardware wallet between multiple people in the family. Or you can use it for "plausible deniability", so even in third world countries, where you can be jailed for not revealing your password, like Great Britain, you can make up words on the spot - they will all be valid as seeds for key generation and equally useless (just leave one as bait with a bit of actual crypto, in case you are being beaten with a crowbar to reveal your coins).

Again, hardware wallets take the heavy lifting, leaving you with a very simple PIN/words to remember. Unless your name is Julian Assange, Edward Snowden or maybe Ross Ulbricht, that should be safe enough. That pushes the focus onto not losing access to your own coins. That's where the encrypted backup split between different locations comes in handy. You have full access, while it does not pose a security threat because a potential attacker first needs to get hold of all the pieces and then also guess the password to decrypt the seed, which is still not enough if you are using extra words for actual key generation. A well-prepared and determined attacker will get through all those obstacles eventually, but it has to be worth it and hopefully it leaves you enough time to notice the problem and react.

Fuckers now I need to get rid of my Ledger. Not the expense I wanted right now!

I always thought storing crypto in a "cold" wallet was a bad idea: the stick could fail, I could lose it etc... The safest way is to just write keys on several mediums like USBs, paper etc. and store them at multiple locations.

Oh and Metamask is going to take taxes now if you haven't heard