Rektbuilder, a developer, has stated that cryptocurrency hardware wallet company Ledger can track user identities, apps, and even cryptocurrency balances on the device through Ledger Live, its wallet management software. The developer discovered this behavior while working on Lecce Libre, a lighter, less intrusive application for the hardware wallet.
Ledger Live Sends User Information to Ledger, Developer Alleges
Developer Rektbuilder has raised concerns about the information that Ledger, the hardware wallet manufacturer, receives through its wallet management program, Ledger Live. According to his findings, the software embeds checks for the ID of each device when installing or updating apps and firmware.
The developer, currently working on “Lecce Libre,” a less intrusive and lighter app to manage Ledger hardware wallets, warned that removing this verification code breaks the app, meaning that using it is mandatory. He stated:
“I tried disabling the remote tracking and it’s impossible, it breaks if you do. Which means Ledger knows it’s you every time you plug the device in.”
Previously, he had also reported removing balance summary details that involve network calls for asset balances. Rektbuilder stated that Ledger Live made 2,000 network calls for “all sorts of unnecessary stuff,” which he has already removed in Lecce Libre.
He escalated his concerns, stressing that because the available recovery function allows the private keys in the device to be retrieved, nobody can be sure they are not being read.
Emin Gün Sirer, founder and CEO of Ava Labs, also called on Ledger to address the issues presented by Rektbuilder. He stressed that Ledger “should be able to confirm or deny (1) if these claims are true, (2) if there’s a way to work entirely offline without tracking, and (3) if the private keys are readable from the secure element.”
Ledger, which recently faced an attack that caused users to lose $600,000 in assets, has contacted Rektbuilder, who reported they are now working with the wallet company to obtain feedback on the issues raised.