Avatar
🤙🏼⚡️ 2y ago

#ledger

#[1]​

Correct me if I’m wrong but code now exists that opens a door into the secure element of a ledger device to extract information. Regardless of how that information is handled and processed, there’s a door.

The service being provided isn’t the problem, the problem is the door. People didn’t know it existed, should we have known? Is this normal, do all secure elements have a door that can be accessed with simple firmware update.

I personally thought that physical access was the only way to extract information from the secure element.

Reply to this note

Please Login to reply.

Discussion

Avatar
DETERMINISTIC OPTIMISM 🌞 2y ago

Not a great design choice.

Avatar
Kendy 2y ago

Pascal Gauthier shouted out Coldcard on a Twitter Space a few seconds ago

Avatar
DETERMINISTIC OPTIMISM 🌞 2y ago

👀

Avatar
🤙🏼⚡️ 2y ago

Been meaning to get a coldcard for a while, this was the push to do it! 🤙🏼🍻

Avatar
Nordlys 2y ago

Well, the Coldcard has the same ability to encrypt your seed phrase and send it off-device.

Avatar
🤙🏼⚡️ 2y ago

Does coldcard send the encrypted seed to third parties as default?

Is coldcard code unverifiable?

Avatar
Nordlys 2y ago

No, and I agree the cloud backup thing is concerning. But it’s opt in at least. The Coldcard firmware is open source but you can’t build it and flash your own.

Avatar
🤙🏼⚡️ 2y ago

Im sure you appreciate there are trade offs in all of them, for me coldcard just seems to be a better product all round.

At best ledger has just made a massive communication error, at worst they’ve introduced a larger attack surface.

Ledger leak, the fact both my ledgers screens failed around the same time and now this was just the last straw for me.

Avatar
Nordlys 2y ago

Totally understand and partially agree. There are a lot of unanswered questions about the recovery service.