Replying to 7Bluerabbits

Don’t use Ledger Live (the supplied software) with Ledger (use Sparrow or Wasabi)

REKTBuildr 🔺🔺🔺

@rektbuildr

Ledger Live embeds the genuine check into the apps listing procedure. As it is, they always doxx your device when installing or updating apps and firmware. I removed most tracking in Lecce Libre, but they still track you regardless.

For the past couple of days I'd been trying to find the genuine check code in Ledger Live.

There's "genuine check" labeled code everywhere, but I added tracing prints to it and none of that code was ever run when it checked the device. I thought that was funny so I continued digging.

Looking at the Python code (below) instead of the convoluted TypeScript from Ledger Live desktop, I finally understood what's happening.

Ledger's genuine device check is embedded with the listApps subroutine. It's kinda hidden there, TBH.

I tried disabling the remote tracking and it's impossible, it breaks if you do.

Which means Ledger knows it's you every time you plug the device in. During that procedure it lists which apps are installed in your device, so they also know what you're running on your HW.

So right now there's no way to operate Ledger HW's anonymously. They know every time you plug your device in and which apps you have installed. It was even worse before Lecce Libre, it also tracked your crypto balances!

So, the obvious question is why did they glue together apps listing and genuine check? They're not trying to save network calls, that's for sure because their software makes 2 thousand network calls for all sorts of unnecessary stuff (I've removed them from the sources and the system still works).

Is there a favorite hard wallet out there that isn't a major security risk?


Discussion

Cold card, Seedsigner