cover

May 2023

On Digital Wallet Security

Dr Jerome Rousselot

There are two ways to own digital assets: custodial and self-custodial. To put it another way, custody means delegation of control while self custody means that the user has full control. This is a very important topic of debate in this industry. Some users favour the legacy models of banks and custodians, and they trust some other entity for the safety of their assets. While others believe that digital assets by nature should always be self-custodied, as centralised exchanges may be poorly managed, liquidate the assets, lose or steal them.

To self-custody securely, it is generally recommended to use a device called a hard wallet. This small USB device stores the private seed (a long secret number used to sign transactions) for you, keeping it secret from anyone. The seed itself can be backed up offline, for instance on a piece of paper, to protect from device failure or loss.

Is the seed really secure on a hard wallet?

Recently, the launch of a new seed recovery service by Ledger, a well known hardware wallet company, has shocked many users.
They believed that this was impossible by design. They bought a hardware wallet with the belief that the seed could never leave the secure element of Ledger devices.
The new service by Ledger does not seem to directly extract the seed from the Secure Element (a security chip inside the device). Instead, it sends three encrypted Shamir Secret Shares (SSS) to three different parties. The Shamir Secret Shares are encrypted using a key derived from Onfido ID verification service. Two of these shares are enough to recover the seed in case the Ledger device is no longer accessible. But no one can be sure, as the code is not open source and the protocol is proprietary.

How can this be possible?

Users legitimely expect the so-called secure element to protects data. However, components only provide hardware acceleration for a few cryptography protocols. Bitcoin and many others use Elliptic Curve SECP256K1. New cryptography algorithms are regularly adopted in the blockchain industry. For instance, in 2021 Bitcoin added Schnorr signatures to improve the privacy of multisig transactions and performance.
To support all these cryptographic algorithms, present and future, the only solution is a software implementation running on the Secure Element. The vendor updates the SE firmware as blockchains implement new features that users want to use.
This capability also enables a seed recovery protocol. All devices vendors can do this, for the reasons just described.

What does it mean?

Many Ledger users feel betrayed. Maybe the communication around the product and service could have been handled better by the company. For many people, securing an offline seed is difficult and a seed recovery service will be valuable.
It remains true that a desktop hot wallet such as MetaMask is one of the most risky ways to self-custody crypto.
Connecting a hardware wallet greatly improves the security of the assets. Ledger Recover is a very valuable service for most people who do not want to study and backup cryptographic seeds.
MPC wallets such as ZenGo may be the best solution in the long term, as they do away with the seed. For now this novel technology is still experimental.

{item.article_image.alt}

The software supply chain

Finally, any binary software update can install undesirable new features. This is true for smartphones, computers, and hardware wallets. The software being open source is no guarantee of the actual software compiled and distributed. Every business must also comply with the laws of its jurisdiction. A government may secretly force a company to push a software update to a specific user and seize its seed. The Ledger CEO recently brought attention to this risk in an interview.
Alternatively, the company may be hacked by a third party and push a malicious update.

Conclusion

Absolute security does not exist. Hardware wallets are more secure than smartphones, and smartphones are more secure than computers. The goal always remains to reduce the attack surface.

Governments, companies or hackers may push malicious software updates. Being aware of these risks is already an improvement in security.
MPC technology and hardware cryptography acceleration may further improve the security of digital assets in the longer term.

Do you use a hardware or software wallet? Do you trust them to have processes in place to prevent deploying unwanted new features or malicious updates?