Fintechs.fi

Fintech & Crypto News

Ledger Live Under Scrutiny: Is Your Data at Risk?

In a world where privacy concerns are paramount, the latest revelations surrounding Ledger Live, the official software for managing Ledger hardware wallets, have sparked significant apprehension. Privacy advocate REKTBuilder, known for their scrutiny of crypto applications, has uncovered unsettling details about the extent of data collection carried out by Ledger Live, raising essential questions about user confidentiality and security.

Tracking Every Move

REKTBuilder’s investigation, which delved deep into Ledger Live’s Python code, has exposed the existence of a covert “genuine device check” that transmits user data, including the list of apps installed on the device, every time a Ledger device is connected to a computer or phone. This surreptitious tracking mechanism could potentially provide Ledger with insights into the networks and cryptocurrencies its users engage with.

The concerns escalate as it is revealed that Ledger Live also keeps tabs on the crypto balances stored on the device. This trove of data, including sensitive information about users’ crypto holdings, is sent directly to Ledger’s servers, raising serious questions about the safety of this information and the extent to which Ledger can access it.

Unmasking the Intricacies

REKTBuilder’s investigative prowess revealed that Ledger Live’s tracking mechanism is deeply embedded within a subroutine named “listApps.” This subroutine logs installed apps and meticulously records the time and date of each device connection, hinting at persistent user surveillance.

Perhaps most alarming is that attempts to turn off the tracking code render the software unusable, implying that Ledger Live’s core functionality relies on this data collection. This lack of an “opt-out” option is undeniably unsettling for privacy-conscious users.

Privacy and Transparency Concerns

While these revelations send shockwaves through the crypto community, Ledger has remained conspicuously silent on the allegations. This is not the first time Ledger has faced privacy-related accusations. In 2022, the company came under fire for collecting data on users’ online activity and their cryptocurrency transactions. Ledger issued an apology and vowed to enhance its privacy practices but has now found itself in hot water again.

In a separate incident in July 2023, a security researcher exposed a vulnerability in Ledger’s Node Package Manager (NPM) account, which left user data, including email addresses and purchase history, susceptible to theft. This incident impacted an estimated 270,000 accounts, further eroding trust in Ledger’s data security.

The Dilemma for Users

Despite the mounting privacy concerns, REKTBuilder admitted to continuing to use Ledger Live due to the lack of viable alternative hardware wallets compatible with the Avalanche network. This highlights the predicament of users who prioritise security and privacy, and underscores the need for greater transparency and accountability within the crypto hardware industry.

In a world where personal data is increasingly under siege, Ledger’s response to these allegations will undoubtedly be watched closely. The absence of clear explanations and safeguards can only perpetuate the apprehension of crypto enthusiasts who rely on Ledger hardware wallets to protect their digital assets. Privacy, it seems, remains a precious and precarious commodity in the ever-evolving landscape of cryptocurrency.