Jan 14th, 2024 - 07:51 am
Many people have been asking us what we think of Ledger Recover. Is the new firmware dangerous? Why would anyone use this service? Is it worth the tradeoff? We will explore the answers to these questions and more; but first, let's set up Ledger Recover, talk about what that means, and give our overall impression of the service.
Seed Phrase (also known as Secret Recovery Phrase) security and Private Key management have always been difficult topics in the crypto community. Most solutions, even the ones recommended in our own classes, contain some combination of physical security and security through obscurity, a methodology long disdained by those in the security industry. That said, crypto has had a long-standing adage you've probably all heard by now, "Not Your Keys, Not Your Crypto." Funnily enough, Ledger even wrote an article with this title a few years ago!
Managing these (now rebranded) Secret Recovery Phrases is still a major hurdle for mainstream crypto adoption. It hardly seems fitting to have digital assets valued at thousands of dollars secured by a steel plate with a bunch of words on it hidden in someone's sock drawer. So what can we do? Ledger's answer: Ledger Recover.
Screenshot of https://www.ledger.com/recover
Firstly, it is a monthly paid service. Taken straight from the Ledger website: "Ledger Recover is an ID-based key recovery service that provides a backup for your Secret Recovery Phrase. If you lose or don't have access to your Secret Recovery Phrase, the service allows you to securely restore your private keys using a Ledger device."
Does that mean Ledger has a database full of secret recovery phrases that a rogue employee could steal? No. The truth is both more complicated and more secure.
Their process encrypts each seed phrase and then breaks it apart into three fragments, which are then distributed to trusted third parties. These three fragments are then reconstituted only during the recovery process.
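To show why a party holding one fragment cannot read the secret, here is an added example (not Ledger's code and not from the original article) of splitting a value into three shares with Shamir secret sharing. The scheme, the threshold `k`, the modulus `P` and all function names are assumptions; the article states only that there are three fragments, and the encryption step is not modelled.

```python
import secrets

P = 2**521 - 1  # prime field modulus (assumed), larger than any 256-bit secret


def split(secret, k=2, n=3):
    """Split `secret` into n shares; any k of them recover it."""
    if not 0 <= secret < P or not 1 < k <= n:
        raise ValueError("bad secret or threshold")
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]

    def f(x):
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

    return [(x, f(x)) for x in range(1, n + 1)]


def recover(shares):
    """Lagrange interpolation at x = 0 over the supplied shares."""
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * -xj % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def slope_explaining(share, candidate):
    """For k=2: the slope that makes `candidate` consistent with one share.
    One always exists, so a lone fragment rules out no secret at all."""
    x, y = share
    return (y - candidate) * pow(x, -1, P) % P


if __name__ == "__main__":
    seed = secrets.randbits(256)  # constructed stand-in for the protected secret
    a, b, c = split(seed)         # one share per (hypothetical) custodian
    print(recover([a, b]) == seed, recover([b, c]) == seed)
    # A single custodian's share fits any guess equally well:
    print(slope_explaining(a, 0) != slope_explaining(a, 1))
```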
Ledger has a great article introducing and explaining their Recover service. Users can verify through one of their identity partners, and subsequently "recover" their wallet access in order to return to using it as normal. Now, let's turn to how to set it up.
Here is the list of things Ledger Recover requires before getting started:
A screenshot of the setup requirements of Ledger Recover within the Ledger Live app.
The astute reader may notice that it is currently only available on the Ledger Nano X; you can support us by buying one from the Boring Security shop! The setup, although a bit time-consuming, was uneventful. Two things I noticed:
I was hesitant at first, because of the prevalence of SIM swaps in crypto, but no phone number is required; the phone is simply for taking videos for the verification process and scanning QR codes.
In order for me to actually do the recovery, I needed to first connect a blank Ledger to my computer. In order to test Ledger Recover, I deleted the private key in the Security menu of my Ledger X, and initiated the restore.
After setting up my PIN again, I was greeted with some on-device prompts:
Just like when setting it up, I had to upload my ID again, re-verify myself on camera, and complete some more "proof of lifeness" checks. I was required to read specified numbers aloud and move my head to the app's specified commands. After about 10-15 minutes of verifying, I was met with this screen.
Update: I slept for eight hours overnight and it hadn't finished verifying me yet. Or at least it hadn't refreshed yet, because after I went for my morning coffee, lo and behold, it let me continue to:
The service was relatively straightforward. It felt like a streamlined version of other enterprise solutions for Seed Phrase recovery I have used before. Because of the extended video required, I think it would be hard to fool two identity providers through AI deep fakes. Therefore, I think this service accomplishes its mission of giving some additional peace of mind to those who don't want the added stress of managing their seed phrase in a (possibly) insecure way.
That said, a $9.99 per month service is a little pricey for those with only a few thousand dollars in the crypto ecosystem. The service also boasts insurance for funds up to $50,000 in compensation if someone were to get access to funds in an unauthorized way using Ledger Recover. So to me this seems aimed at those who have somewhere between $20-50,000 in crypto they want a little extra peace of mind on. In the future, I'd love to see slightly higher pricing tiers that offer higher insurance, and a few other features to protect those that are highly targeted individuals.
The biggest questions we had were less to do with the new vector of "extractability" and more to do with the following three questions.
Here are our three biggest questions, and the service's answers to them:
Q: Is it possible to have my encrypted shards get phished through a malicious version of Ledger Live?
A: Want the answer to this and other questions? Join our live event with the Ledger Engineering team on January 29th in our Discord
Q: What happens if the service gets subpoenaed by law enforcement? Are you guys just forced to give up the keys and the user gets rugged?
A: Summarized from Coincover's FAQ: the key point here is that the three entities selected as partners for Ledger are in three separate legal jurisdictions, so law enforcement would need valid court orders in multiple countries, which would likely only happen in cases of terrorist financing or the like.
Q: What happens if someone stops paying and they need to restore? Are they screwed?
A: Taken from the Ledger Recover FAQs: accounts that have not paid in 3 months will be suspended, but the partners do not delete the encrypted key fragments for at least another 9 months, giving users up to a year before deletion.
Q: Should I Not Upgrade My Firmware If I Don't Want This Service?
A: We've had a lot of people asking us this in our Discord. Ledger likely won't maintain a separate firmware that doesn't contain the Recover functionality, but really this shouldn't be a worry. Activating and using the service requires many button presses on the Ledger itself, coordinated with Ledger Live prompts, in order to get the three encrypted shards off of the device; it would be an enormous task to socially engineer someone to go through the recovery process unwittingly. Scammers tend to put more time into low-effort scams, so such a time-intensive hassle to perform a recovery is a deterrent for grifters.
One last thing to note is that we did not find any mention of duress protection. Enterprise solutions often build in features to let companies restore a fake wallet or a wallet with a smaller amount. They use factors detected during the restore process, such as elevated heart rate detected using AI during video verification, to detect possible coercion, or secret signals that users can provide during the recovery if they are being coerced. Ledger Recover would benefit by offering these features to a certain set of users in the future.
What Is Ledger Recover:
https://www.ledger.com/academy/what-is-ledger-recover
Ledger Recover FAQs:
https://support.ledger.com/hc/en-us/articles/9579368109597-Ledger-Recover-FAQs?docs=true
Coincover FAQs:
Have any questions or want to learn more about web3 security and stay up to date on the most current security information, scams, and tactics? Join us in our discord at https://discord.gg/boringsecurity .