Crypto hardware wallet firm Ledger is pushing back against critics who say its new seed phrase recovery option indicates the company has a potential “backdoor” to obtain user data.
Ledger says its new product, “Ledger Recover,” is an optional subscription for users who want a backup of their secret recovery phrase.
The product encrypts a version of a customer’s private key and splits it into three encrypted fragments that are stored by three different parties “on hardware security modules,” according to the company.
Hardware security modules are tamper-resistant devices that secure cryptographic processes by generating and managing keys used for encrypting and decrypting data.
Recovering your seed phrase will require a comprehensive ID verification process, and then the third-party providers will send the encrypted shards directly to a customer’s Ledger Nano device, Ledger explains.
Mudit Gupta, the chief information security officer at Polygon (MATIC) Labs, argues that anything secured by ID verification is “inherently insecure.”
“The problem here is not splitting the key into three parts. That’s actually good! I may or may not be doing that personally as well.
The problem here is that the encrypted key’s parts are sent to three corporations and they can reconstruct your keys.
Additionally, they use ID verification to confirm your request for key construction. Identity theft is relatively easy and super common. It’s not a secure method at all.”
Changpeng Zhao, Binance’s chief executive, also criticized the product.
“So the seed can leave the device now?
Sounds like a different direction than ‘your keys never leave the device.’”
Pascal Gauthier, Ledger’s CEO and chairman, pushed back against the critiques on Twitter.
“Backdoor would mean that we control all ledger devices and could run automated updates for example… That’s not the case. Will never be the case. Only you can use functions on your ledger. No one else can enter your pin code and press those buttons…”