Is Ledger Still Safe? Risks & Solution Revealed

Hey use a passpharse if you use a ledger ..it will provide extra layer of security...If its open source or close source...No hardware wallets are 100% safe...But it safe 1000% when we compare to hot wallets

No problem! Thanks for watching Joey, enjoy your week 🤜🤛

Wow, that means a lot. Thank you!

Same here. That's what TH-cam needs, honesty!!!👍🏽

@@trustinginhim1698 I agree, that is my goal always. Thank you for watching!
- Alex

@@cyberscrillainsertname5421 is right. Ledger absolutely LIED! Nothing short of that.

The recover service is in the firmware regardless. But you have to sign up for the service if you want to use it. It’s a paid subscription.
The main issue is trust at this point. They lied about being able to extract the private key via the firmware

Awesome! I’ve heard great things. I hope to review Ngrave wallet in the future. Thank you for watching and for the suggestion 👍

Ngraves secret recovery phrase has an option that allows it to be altered. So much for random generated seed.
The ability to alter it has been programmed into it. No thanks. Was considering ngrave till I realised the seed could be shuffled.

Technically, yes. It’s possible is my point. Just like any McDonald’s employee could spit in your food. Maybe a bad comparison, but the point is that there has to be some degree of trust.
It’s very unlikely, because that would destroy a wallet manufacturer’s brand-as we got a glimpse of with the Ledger debacle.
This is another reason why open source firmware is encouraged. That way people with a technical background can ensure there are no bugs or back doors.

@@cyberscrillaare you a fan of Trezor?

That’s what they say.
The main issue is that Ledger already lied about not being able to extract the private key from your device.
So the real question is: do you trust Ledger?

You are correct. Now the concern is whether or not you trust Ledger.
Previously, they said the firmware could not extract the private key.
Now all of the sudden it can. So essentially they lied to their consumers.
I’d opt for the Keystone Pro personally.
- Alex

same here, i’ve been using both trezor and ledger for years and won’t be using recover, i don’t use dapps or anything other than storing my private keys and don’t connect to the ledgers frequently, if you’re hodling i don’t see it’s any different for me.

Well, you have to trust the millions of users who use the wallet.
Open source means it’s community-based, and thus audited by the community.
If there was an issue, you have to trust that someone from the community who can understand the code would make it public. Plus it’s been audited by independent security researchers.

@@cyberscrilla ok thanks

Tangem does not rely on their own servers. The card relies on the blockchain networks to transact.
And if the app were deleted from the App Store for example, it’s open source and available on GitHub for anyone to recreate.
- Alex

The private key never leaves the Tangem card. The app creates a PSBT sends it to the card, the card signs the transaction and sends the signed transaction back to the app.

Happy to hear that! Seems to be the common theme with Tangem

Was transferring from one to another easy? Does Tangem have thorough direction for us less tech savvy ??

It’s the same for all wallets. It’s a very straight forward process. PLENTY of tutorials online. Just look. It’s really not hard, even if you aren’t tech savvy..
I transfer crypto to and from Tangem in this video to:
th-cam.com/video/LdlmHR120e8/w-d-xo.htmlsi=IUq6Fgd9Unw2llyz

@@cyberscrillaTangem wallet stores the seed phrase in the chip and does not show it to anyone. Not even to the owners right? Does this mean that if you lose your Tangem wallet, there's no way to access your crypto? Even if you get another hardware wallet?

@captainjuice1851 it stores your private key on the chip in the card. The seed phrase is optional during setup. If you choose to use a seed phrase you can write it down to record it, thus allowing your to recover your wallet on any cold wallet, even if you lose all your cards

You’re right. When a cold wallet is “compromised” 99% of the time it’s user error.
Mind (and others) grudge with Ledger is they lied to their customers about the firmware not being able to extract the private key (it can).
Other than that, I still believe Ledger is a good wallet for most people.
But I still prefer a completely open source option like Keystone.
- Alex

I believe so, yes!

@@cyberscrilla you become my favorite adviser 👍 👏 Thanks again 🙏

@@MrLuba6a 🙏

Thanks for watching! Yes, i don’t recommend Ledger anymore. But some people still love their products.

I’d recommend Keystone, OneKey, or Tangem. I reviewed some great alternatives in this video: th-cam.com/video/WJOzS_etRfQ/w-d-xo.htmlsi=e9D529Wr9QVRLiS7
Let me know if you have any questions.
- Alex

It’s hard to say with certainty since the firmware is closed source.
According to Ledger, they can only access your private key IF the user subscribes to Ledger Recover and signs for it using the wallet.
So now the question is: Do you trust Ledger?

@@cyberscrilla Definitely not

This is all subject to change and somewhat subjective.
1: Ledger Recover is initially available on the Ledger Nano X. However, I’m sure all their devices will offer it eventually. As for the firmware version idk. It was available in the 2.2.1 version, which has since been eliminated.
2: If you don’t update the the firmware with the Ledger Recover option, then it simply won’t be an option on the device.
3: I don’t see how older firmware would be relevant forever, the updates also change how the usability and coins support, so eventually you’d probably have to update.
(The only option I see is releasing two versions every time (one with the Ledger Revover, and one without) thus allowing the user to choose.
Exactly, the issue is that Ledger did this PERIOD (and previously stated the firmware couldn’t do this) that’s why they lost trust of many consumers.
- Alex

So, as I know, if you make a ,,firmware update,, nothing is happening. For the recovery program, you have to ,,subscribe,, and ,,register,, for it. With an simple firmware upgrade YOU DO NOT ACCEPT automatically and subscribe for the recovery program, dont compare these 2 things: upgrade / and subscribe (register) these are 2 difference things. Or maybe am I wrong?@@cyberscrilla

Open source = transparency
The community can view the code and confirm there are no hidden backdoors. Sure, not everyone knows how to read the code, but many people can and do.
Ultimately, open source creates more trust between the manufacturer and consumer.
- Alex

@@cyberscrilla thanks Alex, but being open sourced doesn’t mean its the same code on device.

@@optinihilis True, but that’s why users are able to confirm which firmware they’re running and download whichever version they prefer that’s available from the manufacturer.

@@optinihilis This !

You’re right. And that is Ledger’s point with this service.
The main issue stems from the fact that Ledger previously told users the private key can NOT be extracted from the firmware.
Now they are saying it can.
This has led to a huge loss of trust in Ledger.
And there is always the “what ifs”.
What if someone with bad intent on the Ledger team decided to release a firmware update with the ability to extract users keys?
We wouldn’t know because the firmware is closed source.
Sure. It is unlikely. But people don’t trust Ledger enough to care at this point.

It’s debatable. The real question is do YOU trust ledger after they essentially lied to their customers when they said a firmware update could NOT extract the wallet’s private key, and now it can.
If ledger is your only option, I still think it’s better than a software wallet.
But if you could choose another brand, I’d go with a wallet like Keystone or Ellipal.
- Alex

@@cyberscrilla Thanks Alex for taking your time to respond. I am going to take a look into these wallets you mentioned. I was planning to get Trezor initially but found out that they do not support some of the coins I own.

@@tihanhaider9811 of course, I reviewed several wallets in this video: th-cam.com/video/SdnDiUuYDEg/w-d-xo.htmlsi=C7K74RgEzdxWa95L
Let me know if you have any questions. I’m happy to help.
- Alex

@@cyberscrilla I'll check. Thanks again.

Is Trezor any good?

I actually think their intentions with this was to appeal to more consumers. (It’s crazy to think if you lose your seed phrase you lose your entire portfolio).
That said, their announcement and approach was completely off putting.
Terrible execution. Lead to losing trust of many unfortunately…
- Alex

What do you mean? I want to understand what you’re asking so I can better answer your question.
If you’re still using a Ledger wallet and want to continue using it, the best thing to do is NOT subscribe to the recovery service.
Otherwise, get a new wallet and transfer your funds to it.
Maybe that answered your question?
- Alex

@@cyberscrilla Thanks yeah that covers it....I was in a bit of a rush when I was forming the question. Thanks for answering 🙂

No worries. Just want to make sure I could give you a clear answer. Thank you for watching!

Nothing has changed. Ledger Recover is still in the works. If Ledger is your only option, it’s still better than storing your assets in a crypto exchange or a software wallet.
But I’d rather buy a Keystone or Ellipal wallet. Both are secure and affordable.
- Alex

Theoretically Ledger Recover isn’t on your firmware then. In fact it still hasn’t been released in the later firmwares at this point.
But avoiding updating your firmware is more of a bandaid, especially if a future update is required for new features or to fix a vulnerability, etc.
- Alex

Similar to the previous question...
For now, if we've never updated the firmware. Using 2.51.0
Would this next statement/question be correct... if I don't touch the wallet anymore. Just leave what's on it on it. Can I hope for a fix to this sometime in the future? After that, then do the updates??
I'm not good at describing things in text. I hope you know what I mean, and not what I say. Anyways thank you very much and I appreciate you answering everybody's questions.
Also I apologize for using talk to text. Thanks everybody

@@BenLipseyNE what fix are you hoping for? Ledger recover will be around in all future updates.
So you’d literally have to keep the same firmware you have now for the foreseeable future.
- Alex

@cyberscrilla I appreciate your response. Thinking my best bet will be leave The Ledger alone for now. Research a quality wallet and put anything new on that.
After all of this, when it comes time, update the old Ledger and transfer the contents thanks again. 😊

@@BenLipseyNE That is what I lot of people are doing. Just a heads up, I have numerous cold wallet reviews on my channel.
Just go to playlists and tap Hardware Wallet Review.
Here’s my quick 2 cents: if you’re looking for an absolute vault: Keystone 3 Pro is awesome (but not as user friendly as ledger).
If you want the most user friendly wallet on the market that’s still really secure, I’d go Tangem.
But, I’m here if you have any questions.
- Alex

On the Keystone Pro?? I’m not sure what you’re referring to

Ledger Recover is not compatible with the Nano S.
Just the S Plus and Nano X.
BUT, do you really want to use a wallet that collects your IP address and that literally created a backdoor for users that they have to pay for?
Maybe look into a different brand. The SafePal X1 is a great alternative, secure, easy to use, and only $29 right now.
Check out this video, I cover the X1 and a few other wallets:
BEST Cold Wallets Under $100 | In-Depth Review
th-cam.com/video/U9itg22afnQ/w-d-xo.htmlsi=zfIBZBchyOrhLoqU

@@cyberscrilla THANKS for your quick reply and no I do not want my info sent out to anyone. I'll just keep my Nano S for now. ;-)

The Nano S is affected as far as IP addresses are concerned. Ledger Live collects your IP.
That’s why I’m saying throw ledger in the trash and go with something else.

@@cyberscrilla Thanks for your recommendation but is the wallet you're recommending (X1) as easy to use as my Ledger is?
I'm not a "tech" person, so I don't want to have to do alot of studying inorder to make it work if you know what I mean.

Yes, just as easy if not easier than Ledger.

Well, according to Ledger it’s encrypted first, then sent to 3 separate entities. But who actually knows.

Ledger has recently made part of the software open source.
“The OS version 2.2.2 open sources the dashboard, a piece of the OS containing a part of Ledger Recover provided by Coincover implementation, for technical review and verification. For more information please read the Ledger Recover white paper.”

There is no firmware updates for the Tangem wallet. You only need to update the app.

Yep. I’m not sure if they could do that because I’m not that technically inclined. However, I don’t think it’s impossible.
The same could be said for any wallet manufacturer though.

@@cyberscrilla I think the devices are made to look for any update from the manufacturer. Technically you would have to accept the update, but how do you know what is in the update when you are only reading what they told you is in the update?

@@reocurringdream Yep, that is exactly why people prefer open source firmware.

That’s if you trust Ledger.
The main issue is that Ledger previously said: “A firmware update cannot extract the private keys from the Secure Element.”
Yet, here we are. So it’s really a matter of integrity. They lied to their customers.
Until everything is completely open source, nothing is to be trusted in this space, everything should be verified.

@@cyberscrilla The MAIN ISSUE is THE ACTUAL SECURITY OF MY LEDGER DEVICE, yet everyone who has made a video about this issue, has given the impression, that your keys are simply in the wild, only separated into pieces that can easily be combined in the wild as well. Does the firmware, ALLOW you to use the service, YES, BUT if I do not opt in, then my ledger is no different than when I bought it. Furthermore, if I use the service, EACH PIECE IS ENCRYPTED, and TIED TO MY ID data--which by the way is ALSO ENCRYPTED. Its not as simple, as everyone makes it out to be.

@@treyfred3247 sure, but everything you said you’re simply taking Ledger’s word for. And they’ve shown that they can’t be trusted.
There’s no way to verify what they say is true from a consumer standpoint because most of their products are still closed-source.
I’m not completely against Ledger, I own their products. I just think they could have released this service in better, and more honest way.

@@cyberscrilla Ledger did not at all communicate well in this instance I agree, but the "crypto community" that first reported on this issue (and apparently months later) did NOT DO their DUE diligence either, and are still reporting "half truths" about how insecure the Ledger device is. Did you know, that in addition to your seed phrase, you can add another "pass phrase" to the seed phrase, and that the "pass phrase" dose not leave the ledger, even if you use the recovery service. Which means, you still have control over your crypto, even if you use the recovery service to store the "seed phrase?" Of course, that also means, that even if you use the recovery service for your "seed phrase" but lose your "pass phrase" your SOL anyway--and this would be true even if you don't use the recovery service.

No. Ledger Recover will eventually be available for all ledger devices

even nano s ? @@cyberscrilla

I don’t think it matters assuming you’re not sitting at Starbucks using your wallet in public.
That said, there are plenty of options for shitcoins besides Ledger. Onekey and Tangem are both good options

Even then, you still have to trust that Ledger doesn't have access to your private key

YEP. One bad announcement and it can greatly affect a brand. Especially in the crypto space…

Are you going to return them or use them you think? 🤔

@@cyberscrilla Good question. I asked refund for my order after reading your comment. Atleast I will get refund from the second one because I already unboxed one. I'm just too scared to risk my life savings even though the risk would likely be slim to none💀

@@justanswer55 that’s fair. I know Keystone is still running their 20% off sale. It’s my go-to wallet for overall security. It’s just not as user friendly because it’s 100% airgapped and uses hot wallets to manage funds to remain decentralized.
But it’s what I use to secure my largest portfolio.
Here’s a review on that wallet if you’re interested:
Keystone 3 Pro Review: Most Secure Cold Wallet?
th-cam.com/video/sP6jZ9024Cc/w-d-xo.html

No, Ledger Recover requires ID verification. KYC typically involves more than that.

@@cyberscrilla I went over the video like you said and missed where you were describing KYC and put it all together. Sorry about that.

@@tkdolphin No worries, thank you for watching and taking time to leave a comment 🤙

@@cyberscrilla I.D varfication is like KYC. Even with I.D, you will no longer have full anonymity. Someone somewhere will have your I.D and that I.D could now be linked to you and the goverment could potentially request that info.

@@MrLeighman Of course, that’s the case with everything.
Anytime you buy a hardware wallet online, they keep your personal data (name, address, email, etc). There’s no anonymity.
Even if you walk into the store and buy one, they have you on camera and driving away.
At the end of the day, the gov can request access to anyone’s wallet whether it’s a Ledger or not.
My point is that the Ledger Recover service does not require KYC. It requires your id to verify you are who you say you are. Otherwise, anyone could request your key.
To be clear, I never claimed that the service provides full anonymity or anything even close. Just that it’s not technically KYC.

It’s partly due to their terrible rollout. I’d say many people are genuinely concerned that Ledger said that they could not extract private keys via firmware and now they can.
It’s both a trust issue and and security concern.

@@cyberscrilla Agreed, although from my understanding, you have to consent to this feature in a manner that's similar to signing a transaction along with going through a KYC process of sorts.

@@DEM78976 Correct, it is set up so that the user must approve it via a device signature. And no KYC, just identification verification (less personal info than KYC process)

@@cyberscrilla still a 💩 product either way, although I highly doubt ledger is trying to steal anyone's seedphrases. I'm 99% certain that more wallet manufacturers will have similar offerings in the future depending on how all this shakes out for them.
Great video!

@@DEM78976 Thank you! To your point, I think “seed phrases” will be phased out eventually.
There has to be a better way to access our funds without having to worry about losing 24 randomly generated words. We’re still early.

To some extent. But there are safer options on the market.

They touched on this. It doesn’t sound like something ledger is interested in doing.
But things can change.

Perhaps greed led their decision.
Or they simply saw an opportunity that no one else had taken advantage of yet.
Regardless, the way the introduced it wrecked them. It could have been executed way better imo

😂

That’s fair. What wallet are you using now?

Amen

@@cyberscrillaeveryone is trying to figure that out. Maybe with Trezor 3 might be a better solution.

Yep.
Second hand laptop for $100, rip out the network card, Linux and air gapped wallet backed up on steel.

Where did you see that? I’d like to read about it.
I wouldn’t say “stay away from air gapped wallets”.
An air-gapped wallet isn’t impossible to hack-BUT it is hard.
Generally, a hacked hardware wallet is the result of a user-error. So take everything your read/hear with a grain of salt.
- Alex

True. But assuming the code is solid that won’t happen. Many wallet manufacturers use independent auditors before releasing the firmware to the public.
Also, that’s why these companies offer bounties to find bugs in code.
Ultimately, open source should equate to a more secure and transparent code.
That’s why many prefer it over closed source.

@@cyberscrilla no manufacturers have open source chips as they don't manufacture the chip they use 3rd party partners who don't want their code open that's why ledger and others don't have open source it's because of the partnerships limitations not that they are hiding a back door. There is some level of trust in all we do in this life we trust the pilot has the flight experience we trust Netflix won't breach our credit card numbers we trust our social security number to our banks im no coder so i have to trust whomever may test the code because its open source......the same has to be true with hardware wallets trust is paramount at some level

That's not 100% accurate. Keystone Wallet is an example:
"At Keystone, we have open-sourced the firmware of the Secure Element, hardware design (circuit diagram and BOM), hardware wallet application layer, and parts of the hardware wallet operating system layer. We have also released a third-party code audit report, which is the first-ever made public by a hardware wallet company."
Of course we have to have some level of trust to your point. But certain wallet manufacturers we have to "trust" more than others. And I think the goal is to mitigate the required level of trust as much as possible and increase transparency.

I didn’t say I was an expert.
However, I have tested and reviewed numerous hardware wallets both on this channel and on CyberScrilla.com.
For this video, I researched Ledger Recovery and have been using my ledger wallet for nearly 3 years.
Hope this helps if you have any doubts.
- Alex

@@cyberscrilla Fair enough! Appreciate your professionalism!

@@humphschriek1637 Of course, thank you for watching!

How did that happen? 99% of the time it’s due to a phishing link you clicked on at some point.

I've not a clue. I can't imagine what I've clicked. I'm extremely careful. But never again will I use a nano. Lesson learnt! I have traced it to an exchange and emailed them this person has had over 4 million xrp. I can't understand how they don't see all the dodgy traffic in and then out its crazy. But I don't know how it all works on that side. Guess I'll have to start again. Any recommendations for a cold wallet, or I may just leave it on an exchange. £70 for nothing 😑

@@Tanya48b there’s really two ways a wallet is commonly hacked, and it’s almost always user error.
You clicked on a phishing link (most likely)
You have malware on you computer (also possible)
That’s why you should have a dedicated wallet that’s only used to store crypto, you shouldn’t be transacting with it.
And NEVER store crypto on an exchange, that’s just as dangerous.
I recommend Keystone or Tangem wallet. And use it correctly.
Here’s a video:
th-cam.com/video/Dmy6XdKaf9Q/w-d-xo.htmlsi=YsbiAie6xIhuvXqg
- Alex

@cyberscrilla your completely correct. I know what happened when I've thought about it. I put the ledger live on my pc, and my pin said it was incorrect. Then, I had to type my 24-word phase in that it must be the only possibility. I mean, I have anti-virus protection, but I guess that isn't enough. I spend a lot of time on TH-cam, so maybe I've clicked a link there 😭. Still, tho was a lot of money for me. Thanks for the reply. I will watch your video and you now have a new follower 💕

@@Tanya48b You’re welcome. I’m sorry that happened to you. Stay safe and lmk if you have any questions.
- Alex

I’m sorry that happened. However, it’s likely not a Ledger issue but a user error.

@@cyberscrilla well actually it is a ledger issue. God knows how much they earn every day, and they cant afford to a simple notification warning people of the airdrop scam? I heard Rabby does this. They have many ways to see if some action you are doing is suspicious. I NEVER would have thought such scams would be able to get through ledger.

@@cyberscrilla also I saw on twitter in these days thay ledger is hard core tracking every move you make. I have totally lost trust in it and just bought a Trezor that I'll use with Rabby

That's my thought too

Why’d Ledger have to do us all dirty like that 😩

It is HIGHLY unlikely that Ledger Recover was the culprit. It’s not even available at this time as the rollout has been put on hold.
The more likely culprit is user error.
Most hardware wallets are compromised due to the user clicking on a bad link and giving access to the scammer.

@@cyberscrilla thanks for the reply.
Here's the link to the video, if you wanted to hear her story. The comments have a lot of answers from her to questions she didn't address in the video.
th-cam.com/video/0kyHFdkjI7o/w-d-xo.html
I'm glad it isn't the rollout of the new firmware. I was feeling sick after watching the video, especially after seeong yours recently too.
I'm going for the Keystone Pro, regardless of anything Ledger does or says, so I appreciate the recommendation 👍

@@_Rustodian Thanks for sharing. It’s hard to say what happened without being able to view her wallet address to review it.
But the whole story sounds very weird. Definitely not the result of Ledger Recover.
Unfortunately, likely user-error (unknown malware installed on her computer or clicked a bad link at some point, or even purchased a compromised device from a third party).
That said, I’m happy you’re going with the Keystone. I REALLY enjoy their wallets. Let me know if you have any questions about anything.
- Alex

@@cyberscrilla Thank you, Alex.
You have put my mind at ease whilst I procure the Keystone.
I'm over in England, so it's a bit of a wait, but the postage and tax is free! Can't argue with that.
All the best, mate.
Lee

@@_Rustodian I am happy to help Lee. Free postage and tax free sounds like a dream come true!

It could happen to anyone. Would definitely suck

They wouldnt complain about the recovery:)@@cyberscrilla

Pretty much lol

Ledger jumped the line imo. They should have conducted better market research beforehand.
Even a Tweet sent out questioning if consumers wanted a recovery option would have been better than nothing.

BitBox huh? I’ll have to try it out soon.