A researcher revealed questionable practices by Ledger that raise important privacy concerns about the leading crypto wallet.
The researcher particularly raised concerns regarding how Ledger Live manages user data and the limited options for offline use on Ledger hardware wallets.
According to @rektbuildr’s findings, Ledger Live actively monitors users and gathers data, performing a device check whenever a Ledger device connects.
Ledger’s code, according to @rektbuildr, prevents users from operating the hardware wallets anonymously.
The Paris-headquartered company is always aware of the device’s connection, making it impossible for users to disable remote tracking without disrupting functionality, the researcher adds.
“Which means Ledger knows it’s you every time you plug the device in. During that procedure it lists which apps are installed in your device, so they also know what you’re running on your HW [hardware].”
The code sleuth urged users not to update their Ledger firmware, expressed skepticism about the necessity of the upgrade, and highlighted concerns about the company’s ability to read the secure enclave and even extract private keys.
“If they’re embedding device doxxing in simple things like apps listing code, what else are they doing? We now know their secure enclave is readable. They have a recover function which extracts private keys from the secure chip.”
This is not the first time @rektbuildr has exposed Ledger-related issues.
In early December, he revealed that Ledger Live software tracks a big set of data including clicks, page visits, redirects, crypto transactions, page scrolls, account numbers, crypto asset names, and session durations. As of the time of writing, Ledger has not issued a public statement on the new revelations.
In 2023, Ledger faced challenges as its customers reportedly suffered significant losses in Bitcoin (BTC) and Ethereum (ETH) due to a fraudulent version of the app, which sneaked into Microsoft’s App Store. Additionally, the wallet manufacturer received criticism for its recovery service, which offered users a means to regain access without requiring their secret seed phrase.