多元化数字货币存储策略:探索Ledger争议

In a recent turn of events, Ledger, the prominent provider of hardware wallets, finds itself embroiled in a controversy surrounding its newly launched Ledger Recover feature. The optional service, aimed at aiding users in recovering their seed phrases, which grant access to their crypto wallets, has raised serious security concerns among the crypto community.


What is Ledger Recover?

The Ledger Recover service aimed to provide an additional layer of convenience by allowing users to recover their seed phrases in case of emergencies. To utilize this service, users are required to undergo identity verification by submitting their passport or national identity card for authentication. The process involves encrypting the seed phrase into three fragments, which are then distributed among Coincover, Ledger, and an independent backup service provider.

To regain access to their wallets, users must pass ID verification, after which two out of the three companies will send the encrypted fragments back to the user’s Ledger device. By combining and decrypting these fragments, the original seed phrase is revealed.

Implications and Security Concerns

The introduction of this feature has raised significant concerns among users, primarily due to two key implications regarding security.

Firstly, the involvement of three companies in storing encrypted private keys increases the risk of exposure to potential security breaches, social engineering, and identity theft.

However, the most concerning aspect is the potential exposure or extraction of the seed phrase from the device itself. The fact that the Ledger devices could have the private key extracted out of their secure element chip by a firmware update is highly alarming. The design of a hardware wallet is intended to ensure that the seed phrase never leaves the device, even in the event of a malicious firmware attack, thereby maintaining an “air gap” to prevent any unauthorized access. In fact, Ledger themselves tweeted this claim in Nov 2022:

Further investigations have confirmed that the Secure Element chip can be programmed to send back any requested information. This programming requirement, essential for supporting new chains through new device applications, unfortunately leaves Ledger devices vulnerable to potential exploitation of a backdoor, emphasizing the significant security risks involved.


Closed-Source vs. Open-Source Code

One of the primary reasons behind the backlash faced by Ledger is the closed-source nature of its code, which prevented users and developers from scrutinizing the code repository.

Unsurprisingly many users and developers have since called out to ledger to open-source their code. In response to the outcry, Ledger has announced plans to open-source their code, except for the secure element code, which has to be kept secret.

How about Trezor?

In contrast, Trezor, another popular hardware wallet, has always operated with an open-source code. However, it’s important to note that open-source code doesn’t guarantee absolute security. Users must trust that white-hat hackers examining the code are more competent at auditing and identifying vulnerabilities than potential black-hat hackers.

Does this mean everyone should all use Trezors instead? Well, some Trezor devices are vulnerable to a high voltage glitching attack brought to light by Kraken security labs. This glitch only works if the attacker has physical access to the device itself.


Diversification and Mitigating Risks

Different hardware wallets have their own pros and cons, the fact that you are using a device created by another company already demands a minimal level of trust, and paper wallets are far from convenient and ideal. Considering the vulnerabilities highlighted in the Ledger controversy, it becomes evident that diversification is crucial not only for digital asset holdings but also for storage methods.

The key takeaway here is to diversify not just your digital assets holdings but also how and where you store them. By diversifying where your assets are stored, you can mitigate damage done when vulnerabilities are exploited.

This article provides information on the recent controversy surrounding Ledger’s new Ledger Recover feature and its implications for crypto storage. The views expressed in this article are based on the available information up to Jun 23, 2023 and may not reflect the current state of Ledger’s products or services. Therefore, readers are strongly advised to conduct further research and stay updated on the latest developments before finalizing their crypto storage strategies.

FEB recommends individuals to explore multiple storage methods and devices that align with their specific risk profiles. By staying informed, conducting thorough research, and adapting storage strategies accordingly, individuals can mitigate potential risks and enhance the security of their digital assets.

新技银行商业账户

摆脱传统银行的束缚,体验更先进的商业金融服务。
© 2021 -
2024
Corporation. All rights reserved.

加入我们的电邮订阅名单

掌握新技银行的最新资讯。

公司注册

请提供一些基本信息,我们会尽快与您联系!

客服工单

企业治理

新技银行的合规计划旨在有效识别和控制合规风险,以保护本行的财务和声誉免受损失,并确保符合监管要求和标准。
合规部门的任务是确认、评估、建议、传达、监控以及报告 新技银行在法规要求方面的合规情况。我们基于《1996年多米尼克联邦离岸银行法案》 (Offshore Banking Act 1996 of the Commonwealth of Dominica )以及其他法规(包括随后的修订)制定了有效的合规政策和程序:
新技银行高度重视合规性,我们采取了严格的措施和政策,并每季度进行评估,24/7监控,确保我们是全球金融服务社区中尽责的成员之一。