Ledger on How Consumers and Institutions Should Be Safeguarding Their Private Keys

Eric Larcheveque, cofounder and CEO of Ledger, and Demetrios Skalkotos, global head of Ledger Vault, describe the company’s three main offerings: its hardware wallets, the new software-as-a-service product for institutions, and an Internet of Things offering for transactions involving physical assets. They also describe how the company scaled for a massive increase in demand in 2017, who their customers are and how the company has responded to vulnerabilities found in its products. Plus, they explain why they don’t put tamper-proof packaging on their hardware wallets.

Thank you to our sponsors!

TokenSoft: https://www.tokensoft.io

Microsoft: https://twitter.com/MSFTBlockchain or https://aka.ms/unchained

CipherTrace: http://ciphertrace.com/unchained

Episode links:

Ledger: https://www.ledger.com

Eric Larcheveque: https://twitter.com/EricLarch

Demetrios Skalkotos: https://twitter.com/DemoSkalkotos

Introduction of Ledger Vault: https://medium.com/ledger-on-security-and-blockchain/ledger-vault-nyc-office-brings-crypto-security-to-institutional-investors-ec9ee3445850

Three part-series on hardware wallets: https://medium.com/ledger-on-security-and-blockchain/ledger-101-part-1-do-you-really-need-a-hardware-wallet-7f5abbadd945

Ledger’s description of BOLOS: https://medium.com/ledger-on-security-and-blockchain/a-closer-look-into-ledger-security-our-custom-operating-system-bolos-ab608bcb0839

Blog post from Saleem Rashid: https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/

Demonstration of attacks on hardware wallets at 35c3: https://wallet.fail

Ledger’s response: https://medium.com/ledger-on-security-and-blockchain/chaos-communication-congress-in-response-to-wallet-fails-presentation-17bcd166a052

Ledger Donjon: https://medium.com/ledger-on-security-and-blockchain/ledger-donjon-3e04e0ce49a9

Transcript

Laura Shin:

Hi, everyone. Welcome to Unchained, your no hype resource for all things crypto. I’m your host, Laura Shin. If you’ve been enjoying Unchained, pop into iTunes to give us a top rating or review. That helps other listeners find the show. Here’s a pause for the ads.

My guests today are Eric Larcheveque, co-founder and CEO of Ledger, and Demetrios Skalkotos, Global Head of Ledger Vault. Welcome, Eric and Demetrios.

Eric Larcheveque:

Hi.

Demetrios Skalkotos:

Hi. Thank you.

Laura Shin:

Eric, tell me how you got into bitcoin and came to start Ledger?

Eric Larcheveque:

Yeah, of course. So I have been an entrepreneur most of my life and in 2013 I sold my last startup which was a price comparison _____ 00:00:40, and I was looking for the next thing to do. I just had my third child so at the time I had a lot of let’s say free time to browse the internet and I was reading everything that I could about startup new technology, and I stumbled upon bitcoin and I really wanted to understand what was this magic internet money, and so I spent basically two weeks reading everything I could about bitcoin, the blockchain technology, and the mining, and I was struck by lightening. For me what’s the technology of the blockchain and bitcoin was really extremely interesting. It was a true revolution and I was sure that I had to do something in the field.

So beginning of 2014 I opened a bitcoin center in Paris because initially I didn’t know what to do exactly, you know, should I do mining, should I do an exchange, should I do this or that, so I say okay, let’s have a very broad _____ 00:01:45 approach, and so the first idea was to open a physical center named La Maison du Bitcoin, the House of Bitcoin, in the center of Paris where I spent my time explaining about bitcoin, about mining, about blockchain, and so I’ve talked about bitcoin to hundreds of people.

Laura Shin:

How did you come to launch Ledger? Also you’ve mentioned to me before that for a long time people told you that users didn’t want hardware devices, so how did you grow the company?

Eric Larcheveque:

So thanks to La Maison du Bitcoin, so our bitcoin center, we had the opportunity to meet a lot of developers and also startups, and there was one guy, one company coming from the smart car industry who developed the first prototype of the hardware wallet, so using the smart car technology, the chip _____ 00:02:36 technology to secure private keys, and as a company was sending bitcoin through postal services and they needed a media to send the private keys.

So basically what happened is that we started to work together to build the first real usable hardware wallet. It was end of 2014 and this is how we went to create Ledger, and at the beginning for the first two years where we had our first version of the Ledger Nano which didn’t have a screen and it was really bare bones. It was quite a tough sell because as you say, no one really wanted to have a hardware device because it’s the cloud as you are supposed to be completely free of everything and have everything in the cloud, and when you think about bitcoin and the private keys, you really need to have security, a local security, and so it means you need to have a hardware wallet and at the beginning it was not something that user were ready to accept and everybody told us that basically Ledger couldn’t scale, it couldn’t be anything about adoption, about massive adoption because of the fact that you need a hardware wallet.

But when we introduced Ledger nonetheless, which had a better visibility, multiple currencies, and also when we had the big boom of bitcoin and also crypto currencies where basically there was lots of realization that the security of private keys was paramount and there was a lot of word of mouth for Ledger and if in 2017 basically we are hoping to sell maybe 30 thousand units of the Nano S, and we ended selling 1 million units, so it has been a massive success, quite impressive if we were the first surprise because we had to scale the company like crazy, and now I think for most of the users, the people who really know about blockchain and crypto currencies, having a hardware wallet is something completely normal.

So I think that now having a piece of hardware is something that is accepted and is not regarded as completely alien as it was maybe a few years ago, so in the last three years there have been a lot of evolution regarding the security and hope people are pursuing the use of crypto currencies.

Laura Shin:

And Demetrios , what was your background prior to joining Ledger?

Demetrios Skalkotos:

My background has been primarily within the financial services exchange space, so I spent considerable time at both US exchanges working and running software businesses and managing P&Ls for them over the past years.

Laura Shin:

And so how did you come to join Ledger?

Demetrios Skalkotos:

Was doing some consulting in the space around bitcoin. Similar to Eric, I was exiting from one of the exchanges and spent a little bit of time doing some research myself and had some key influencers suggest that I really look at this space pretty strongly, and I did and felt that my skillsets from the financial services arena and exchange space and running software, SaaS businesses, and managing P&Ls that I could provide my skillsets in leading and growing a business and just happened to come across the opportunity at Ledger and it came to fruition, which is fantastic.

Laura Shin:

Let’s do an overview of Ledger’s products and services. Let’s start with the consumer products. Can you describe those for me?

Eric Larcheveque:

Yes, of course. So the basic technology, the core technology of Ledger is an operating system for securities, so it’s very original, and with that you can do a lot of things. But the first application, the first product that we put on the market was hardware wallets. So the idea is to keep the product keys in isolation to make sure that they can never be exposed to the internet, so that’s the basic idea of a hardware wallet, and if the private keys stay secure, stay let’s say offline or cold, then you are sure that they cannot get hacked.

And hardware wallets are basically used by end users, consumers, and that’s the first let’s say approach, first product approach of Ledger. As we were just saying, it has been a massive success in 2017, but what we are seeing also is that a lot of professionals have been using the hardware wallets. We have some customers who have bought hundreds of the Nano S and they are using it to keep the funds of their customers on each different devices and they have like real physical vaults where they keep the Nano S.

So not only we are seeing that these hardware wallets have been a success on the customer electronic markets but also on the enterprise. The hardware wallet is really for individuals. I mean, it’s like one device, one person, and by discussing with our customers, we are seeing a real need from the institutions, from enterprises basically, to keep crypto safe, crypto funds secure.

But they were lacking something very specific which is governance, and this is what put us on the path to build an enterprise solutions to really bring what we call governance or rules or multi signature into action, to build what we call today the Ledger Vault which is really a product dedicated for enterprises and professionals who want to keep funds secure within the use of rules, having teams managing different accounts, etcetera.

And so that has been the second let’s say part, second frame of Ledger, so the first one is hardware wallets for individuals. We have the Nano S and we also have the Nano X that we have announced recently, and the Vault really for enterprises and professionals, and we are also providing solutions for what we call IoT, Internet of Things where our technology can secure communications, usage, or even projections because we see more and more applications of the blockchain technology in real life environments through the need of tokenization where basically you need to attach a physical assets to a token, and just to give a concrete example, you have energy where you need to attach certificates of origin of renewable energy to tokens so you can trade the tokens, and our technology can really ensure that the issuance of tokens are really backed by the energy which is put into the grid.

So basically today we have these three offerings. Consumer electronics with hardware wallets, enterprises with the Ledger Vault and all the offering for back office, and finally everything related to IoT and connected objects.

Laura Shin:

Super interesting. For the first bucket where you were talking about how you had built this device that was mainly for consumers but that different firms were using them to hold the funds of their customers, what are some examples? Would that be like a crypto fund that is using Ledger to hold its investments?

Eric Larcheveque:

Yeah. Yeah, absolutely. There are a few crypto funds that have the needs to keep the funds of their customers secure and basically they use segregation of the funds by having as many hardware wallets as they have accounts or customers, so from a physical point of view it’s really a vault which is for of Nano S, so it’s a first good step to bring a solution to the problem of security in _____ 00:11:25, but justly it’s not enough because you want to have a real process of how you handle the funds and here you still have the risk that someone is going to open the vault, take the physical device, take the pin code and run with it, so that’s why we needed to have let’s say a more complex solution involving all of governance.

Laura Shin:

Yeah. I’ve had one of the crypto funds on my show talking about how they do use…I actually don’t know which hardware device it is, but how they do use that to hold their customer funds. It’s Ari Paul by the way, of BlockTower, and he was saying that they then wrap it in…shoot, it’s something like tamper-evident plastic and then they will put glitter nail polish on it and take a photo of it because it’s very difficult to replicate the pattern.

So anyway, it was an elaborate setup I guess in order to protect their funds. But you know, as you were describing for your institutional offering now, that is one where instead of needing this kind of like physical protection it’s governed by rules. So what do you mean by that? Like how does that work exactly?

Demetrios Skalkotos:

So we sought to create, you know, a multi-authorization governance solution to eliminate the single points of failure and make sure that we’re still securing the end points, so we came out with four governance levels for the enterprise _____ 00:13:02 solution. You have the shared owners which are three people that create one-third of the master seed and then our software…once those each individuals create their own one-third of the seed, we combine that into the master seed.

We also have three other individuals that create a third of the wrapping key custodian which is really encrypting the environment within the Ledger Vault infrastructure, so further securing that no one has access to the private keys that are sitting on the Vault.

Then we have administrators and operators. The administrators are the folks within the form that set up each individual wallet, so the vault can have multiple wallets and each wallet can have its own governance protocols. So you could have what we’d like to say the vault is very temperature agnostic so if you want to design a particular wallet that replicates something that’s very cold you could have eight of eight _____ 00:14:12 approvers. You could also have a time limiter on there for further folks to evaluate that particular order and approve, or you can have the vault have two or three _____ 00:14:24 approvers to have something that’s much more warm in a hot wallet, and then the operators are the fourth component of governance which are the ones that are submitting the orders to place within the infrastructure.

So you’ve got that four layers of governance protocols within the Ledger Vault infrastructure. So you’re securing the end points and you’re providing multiple approvers in order for a transaction to be completed.

Laura Shin:

Wow. Okay, and do you approve this setup that each company does, because…

Demetrios Skalkotos:

No.

Laura Shin:

…what if they do it in such a way, like I think you may recall with the Bitfinex hack that BitGo was involved in some way but BitGo leaders said that it was the way that Finex had implemented their setup, I think that was the issue.

Demetrios Skalkotos:

So what we’re doing is Ledger Vault is doing something a little bit different. We’re providing the technology infrastructure for firms to completely manage and control 100 percent of their crypto currencies. The firms that we are providing this infrastructure for are the ones that are setting up their governance principles and policies and procedures for each wallet and each security, so they manage 100 percent of their private keys. Ledger has nothing to do with that particular process or approval process at all.

We’re not a custodian, we’re providing the technology infrastructure for them to self manage their assets or provide a custodial services to their customers in the marketplace.

Laura Shin:

Okay, so essentially if there is some sort of breach or something it’s entirely on them because then it indicates that there was some I guess lapse in the way that they set up their procedure. Is that it?

Demetrios Skalkotos:

In essence, yes. Yeah, we’re providing them the infrastructure to manage their entire assets. We have no view into managing their private keys.

Eric Larcheveque:

What we provide is really with the security of the private keys, we make sure that the governance cannot be broken, that it is true that if they sent rules that they do not follow or if it give away the hardware wallets to access the funds to anyone or if they do like _____ 00:16:43 procedure or mistakes, it ensures that and defeats the purpose. However, when we talk to our customers we can give them and we discuss about best practice, and when they set up the vault it’s quite complex solution. They of course make sure to have a governance that cannot be easily breached.

Laura Shin:

I also wanted to ask you about another one of your offerings which is the Ledger operating system, the BOLOS, the Blockchain Open Ledger Operating System. What is that and why did you make it possible to use that with any hardware, not just Ledger?

Eric Larcheveque:

So BOLOS is an operating system which has been designed to run on secure hardware, so if you have android for smartphone or iOS, so BOLOS is basically the same thing but for _____ 00:17:38 secure devices, and operating system is really are designed to run on different kind of hardware. So we have the hardware wallets that we built, obviously like the Nano S, the Blue, the Nano X, but we also provide solutions for Secure Enclave in smartphones, so basically in some smartphones such as _____ 00:18:02 funds, for instance.

If you have what we call Secure Enclave which is secure hardware inside the funds, so we can basically run a hardware wallet or anything else on top of our operating system which is not android. So even if android is breached, then the hardware wallet stays safe and the private keys cannot be exposed. We do the same on hardware security _____ 00:18:28 which basically are ultra secure computers that run inside of the computers with little bit like computer inception, and we build a little vault on top of that.

We also have a version of operating system for Intel _____ 00:18:49, so we really want to make sure that any platform, any secure platform can run a secure hardware wallet or secure applications, and why we’ve designed our operating system to be open is because our vision is really to provide the ecosystem with a global open platform that can basically be used to have hardware wallets everywhere. We are talking about importance of having a hardware device. It may be a solution acceptable for the first maybe hundred millions of people or 10s of millions of people interested into crypto currencies, but if we want to go to real mass production to billions of people, then of course it’s not really possible to have specific hardwares that we have to give to anyone.

So we have to make sure that smartphones can run hardware wallets securely. We have to make sure that PCs can run hardware wallets securely, and our objective is really to have BOLOS deployed in all these kind of platforms and that we can have in three years, in five years, it’s hard to see exactly when, but to have the possibility to have secure hardware wallets on any kind of consumer electronic computer device. So that’s really the vision.

Laura Shin:

So there’s like a whole new wave of smartphones that have secure enclaves inside just for crypto. Do you think that those are a threat to Ledger’s business model?

Eric Larcheveque:

No, not at all. They are more like an extension, so we have launched the first hardware wallets running on _____ 00:20:42, on Secure Enclave in 2016, so almost three years ago, and so we have the technology for a while and we believe that in the future when the Secure Enclave will be ready, because right now there is a lot of fragmentation, it is quite complex to use it consistently on different kind of platform or smartphones, but when it will be ready, and I think it can be in three years, then we will have the opportunity to deploy our hardware wallet technology, to deploy our technology directly on the _____ 00:21:23.

So in three years I believe that we will continue of course to sell hardware wallets because they will still be needed, but we will have a new market where we can address billions of smartphones and deploy our technology through some kind of licensing _____ 00:21:45. So it’s more like a big opportunities that Ledger have in the future.

Laura Shin:

And I also want to zoom back out, you know, we’ve been talking about storing your crypto on a hardware device, but obviously there are so many other ways that somebody could store their crypto. They could have it on you know, a company like Coinbase or you know, right on an exchange where they might be trading, or obviously there’s the other end of the spectrum, you could even create a paper wallet. So can you just describe for me sort of all the different ways and then amongst all those like why it is that somebody should choose either Ledger or any hardware wallet as their preferred method, like you know, who is that the right choice for?

Eric Larcheveque:

Well, there is a saying in bitcoin and crypto, like not your keys, not your bitcoins. So the first question that you have to ask yourself is do you wish to own your crypto or do you want to give it to a set party and really do not care about it, so it’s a little bit the same approach that when you want to buy gold, physical gold. Are you really to buy physical gold and keep it yourself in your safe at home or in a bank, or are you going to buy paper gold? Are you interested into really owning the product, the asset, or do you want just to speculate?

So that’s the first philosophical approach and I think that a lot of the crypto enthusiasts are interested into crypto because they can really own it, and so if you are in crypto because you really want to own this alternative assets, then it’s not to have them on an exchange. I mean, you can do some speculation to buy, to sell on exchange but for long-term storage, it’s not recommended because you are putting all the _____ 00:23:53 of the ownership in the hands of the third party and basically it’s limited to the capacity that you have to protect your password of your email and also if you have the second factor of authentication to make sure that your firm is not hacked.

We have seen countless of horror stories, and also the exchange can also decide to freeze your account, to not allow you to take your bitcoins or cryptos with you. Beginning of January they have been to proof of keys movements where basically everyone was invited to put out their crypto into their own wallets to make sure that the exchanges are not running on fractional reserves because as well I know third party audit so are you sure that when you give your crypto to a third party that they are really owning it, they are not lending it to a third party, etcetera.

So, I mean, _____ 00:24:53 you do not care about ownership and then maybe it’s fine to give it third party, but one thing is for sure that if you decide to own yourself your crypto, then using a hardware wallet, whatever it is, is really the best solution. Why? Because obviously your software wallet’s on a computer or a smartphone, it’s just a question of time before you lose everything.

It’s like buying physical gold and keep it on your chimney. I mean, it works but it doesn’t scale, and if you can use paper wallet it’s more like for experts, and also a paper wallet because you can make mistakes you have to make sure that when you print the paper wallet your computer, your printer is not connected, that you do not have the information in your cash, etcetera, and at some point if you want to use your crypto, if you want to spend your paper wallet you have to scan it and put it online and then you are back to square one.

Of course you can also buy a computer, install _____ 00:25:58, remove all the connections, and really basically build a hardware wallet yourself but that works only if you know exactly what you are doing because cyber security is not an easy task and so that’s why hardware wallets are very convenient and are today recognized as the best solution for keeping your assets.

Laura Shin:

Yeah, except, I mean, I think that like the other methods there is some sort of security procedure that you must undertake on your own and take responsibility for keeping your hardware wallet safe and your seed safe because you know, I personally can think of a lot of ways where if I’m keeping this at home on my own that I could mess up as well, so I think like there’s a lot of education that needs to happen in order for customers of hardware wallets to make sure that they don’t lose their _____ 00:27:00 as well.

Eric Larcheveque:

Yeah. I completely agree. I think education is one of the big challenge for Ledger and other let’s say crypto companies because you are completely right, being your own bank is not easy, meaning you have a lot of responsibilities and you need to make sure that you have to keep safe your you know, seed, your recovery phrase, etcetera, so it is sure that it’s only if you want to take the time to understand what you do. If only if you want to take the time to understand what are the right steps because you can make mistakes, and it’s true as of today that mass adoption is maybe not for tomorrow regarding that because it’s not a _____ 00:27:51. You have to stop, think a few minutes about what you are doing because if you make a mistake no one is going to give you back your crypto, so ensure that’s education is really, really important for the time to come.

Laura Shin:

Yeah. So I’m going to ask you a few quick questions before we turn to our ad break. The first one is how many crypto assets do you support?

Eric Larcheveque:

So we support about 11 hundred crypto assets and _____ 00:28:24.

Laura Shin:

Oh, wow. Okay, and how do you decide which, I mean, it sounds like it’s a very low bar. How do you decide which ones to support?

Eric Larcheveque:

So we decide to support basically…we have third-party developers who can build the support so it’s not Ledger _____ 00:28:43 everything. We have an open platform and so these developers can support the coins themselves, so it’s true that it’s quite open and easy as long as the developers do the right job of putting the support for the coins, and Ledger is going to publish it. It’s a little bit like an app store, so that’s the beauty of an open ecosystem is that you can have a lot of developers working to add support for cryptos.

Laura Shin:

And who are your customers, and lets do the full range in terms of the everyday consumer and then if you can name any of the institutions that have started to use your enterprise offerings, that would be great.

Demetrios Skalkotos:

The customers for the Vault are pretty much asset managers, hedge funds, crypto funds, family offices, and everything in between. Also exchanges are possible customers for us as well. We have a few exchanges using the Ledger Vault in testing out our enterprise capabilities. Also a lot of the folks that are supplying the trading technologies and infrastructures to the exchanges are also logical opportunities for us as well as the folks at providing you know, data center infrastructure and services and cloud-based services into the marketplace could be also other opportunities for the enterprise Ledger Vault to provide a full range of customer support for the Fintek community and also folks that are managing assets and crypto assets.

And obviously the banks and the trust companies that are specifically focused on crypto, or the traditional ones that are contemplating and hearing from their customers that they want them to support crypto moving forward, we’re providing that infrastructure to them. In essence we’re the digital plumbing for them to provide this capability and this service to their customer base.

Laura Shin:

And Eric, for the everyday consumers, like what demographic do they fit?

Eric Larcheveque:

So it’s a good question because by design we do not want to know who are our customers. We do not ask them anything about what they do or why, etcetera, however we do have some guesstimates regarding the type. So we have one estimation of one sort of our customers who are really traders because they want to use the device all the time and they have a lot of different cryptos so they are like traders or people who really like to juggle between different cryptos, and we have more than half that are what we could call huddlers, I mean, that just buy the device, they put the crypto on it and then they are not going to use it for months or maybe for years, and then the rest is a kind of mixed of the usage, and our customers are really distributed globally. We are selling in 165 countries and basically it’s one-third America, is one-third Europe, and one-third Asia.

Laura Shin:

We’re going to discuss more about Ledger security and how it’s scaled, but first a quick word from our fabulous sponsors. Here’s the pause for the ads.

Back to my conversation with Ledger. So how many units have you sold overall?

Eric Larcheveque:

So since the beginning of Ledger in 2014 we have sold about 1.5 million units.

Laura Shin:

And you mentioned how 2017 was a crazy year, that you projected you would sell 30 thousand and sold a million instead. Describe what happened at Ledger during that time and how you managed to scale so quickly.

Eric Larcheveque:

Well, in one word, _____ 00:32:58. I mean, we always knew and we believed that one day crypto, we’re going to scale and it will be like nice times, but the speed at which crypto has been growing and the speed at which the demand for the United States has been growing has been completely crazy, and we were doing all the assembly of our devices in France and we had to scale production in China in a matter of weeks, so it has been a lot of work for the operation and production guys, and also we had to build from like a real customer support solution, we were like one and half to do the customer support, now we are more than 10. We had to build a legal department because we had to export in all the countries.

It opened lots of questions, a lot of work, and so basically what we had to do is to hire a lot of people. We were 20 before the craze of the crypto began and now we are about 200 in five locations globally, so the company has really had to grow. We also have raised a lot of capital. We closed a series _____ 00:34:29 last year January 2018 of 61 million euros, 75 million dollars, so it helped us give have all the visibility to really scale the company because not only we had to scale the customer electronics and scale the infrastructure and the production and everything, but also we had to build new SaaS product with the Vault and also to answer all the demand and the growth that we are having on the IoT, and it still is a very busy day every day at Ledger.

Laura Shin:

Yeah, and I was curious because the markets are down this year, or you know, we’re in 2019 but obviously there was the downturn that started in 2018. How have sales changed from 2017 to 2018?

Eric Larcheveque:

So for sure there was an impact. We have roughly if last year we have sold 1 million device and this year we have sold half a million device, and we have sold a lot of these devices in the first quarter of 2019. No, because when the price is going down the interest in crypto is going down, and also the media coverage is going down and so generally speaking the traffic is going down and so we sell less.

So there is a lot of impact of the bitcoin price and crypto price to our sales, but what is funny is also when we have a major crash like we had in basically in November, there was a lot of mention in the media of bitcoin, you know, bitcoin is dead and etcetera, etcetera, and we had more traffic and it generated also more sales. A good indicator of the health of the market is Black Friday and the Black Friday of 2018 was very good compared to ’17, so it showed that despite the fact that we have seen a lot of let’s say the price has been plunging and there was a lot of _____ 00:36:43 in the press for getting crypto currencies, the general interest and the dynamism of the market has been still good.

Laura Shin:

So let’s now talk about security. Last spring Saleem Rashid, a hacker from the UK who said he was 15, which is pretty amazing, he published a blog post showing how he was able to hack Ledgers in a few different ways and from what I understand the crux of the issue seems to be that you have the secure element but then I think that doesn’t really communicate outside, so then you have this other thing called the micro controller which is what enables the user to communicate with the secure element and get information from it, and from what I understand it looks like maybe that is a part of the Ledger that can be subject to attack, whether through the supply chain, _____ 00:37:34 of the device can be compromised before the customer even receives it, or through a so-called evil-made attack in which someone could temporarily gain access to the device, such as a maid in a hotel room and compromise it in that time period, or through malware that’s put on the victim’s computer.

Do you plan on changing the architecture of your devices to address this issue? Why or why not?

Eric Larcheveque:

So you are correct. We had Saleem, he’s really 15 years old and he discovered a vulnerability in the Nano S which indeed allow to change the nonsecure micro controller firmware and to do some kind of man in the middle attack of the device, and open the way for a supply chain attack.

So thanks to the discovering of Saleem, we have patched the threats and corrected the issue, but security is always a game of cat and mouse and that’s why we have a _____ 00:38:44 program with responsibility _____ 00:38:48 solutions, and we have all the time let’s say security researchers who are publishing and sharing with us findings, and so we are always trying to have _____ 00:39:00 of the security.

What we have done regarding the architecture is to go to the next level, and this is what we have done with the Nano X that we have recently announced. The Nano X has its secure chip which is a much more powerful secure chip and with more let’s say capacity to connect to screens and buttons, and so in this new architecture the secure elements is driving directly the buttons and the display and so all this kind of attack is now impossible because we have changed the architecture.

So to answer your question, yes, we have enhanced and evolved our architecture and now we have a solution which is let’s say at a higher level of security and this kind of attack or threats on the Nano X won’t be possible.

Laura Shin:

And so, but you still sell the Nano S.

Eric Larcheveque:

Yeah, but the Nano S has been patched. It’s called the threats that has been delivered to us by Saleem has been corrected and as of today there is no known attack that can change the unsecure micro controller. But of course in the future a security researcher could always discover something because nothing is _____ 00:40:40, but as of today we do not know any let’s say threats on the Nano S, and our own security teams we have 10 people at Ledger who every day are attacking our solutions, making sure that such threats are not existing, so we stand behind the Nano S and there is as of today there is no known attack victor to do _____ 00:41:06 attacks at this time because we have patched it through thanks to new _____ 00:41:11 dates.

But anyway, when we have decided to work on the new device, we have upped the security architecture to add something that provide with let’s say a better architecture, a better security architecture. So even though the Nano S is still a _____ 00:41:33 chip architecture, we stand behind it and we are going to continue to sell the Nano S and continue to support the Nano S.

Laura Shin:

And there was also a different conference recently, the 35c3 conference where some researchers presented the different ways they had hacked some Ledgers and TREZORs and again, they were sort of like supply chain but another one was even taking control remotely of the Ledger to perform a transaction. Do you find those issues that they raised to be credible threats for consumers who own the Nano S?

Eric Larcheveque:

So they are more like Tom Cruise, Impossible Mission threats, so they are quite fun and interesting, but what they are doing basically is opening the Nano S, installing some kind of remote device on it, and then observing you with a camera or something when you want to let’s say approve _____ 00:42:38 since they have put a malware on your computer that are going to send a wrong transaction, and then they are going to manually press a button on the side which is going to press a button on the Nano S and activate the _____ 00:42:54.

So we believe that it’s not a real credible solution because most probably it’s much easier to put a camera to see you put the pin code and then steal the device, I mean, it’s easier to do that, and the other _____ 00:43:16 that is shown on the Ledger Blue is basically to recall all the electromagnetic signals that you have when you press your pin code on the device, and then to be able to extract the pin code from this emonition of electronic _____ 00:43:34. And again even though it’s quite fun and we like this kind of attack which are _____ 00:43:40 attacks, it’s not really practical because if you move the device let’s say by one inch or a quarter of an inch, then it will change everything.

So it’s not something that you can really exploit in the _____ 00:43:57, but still we appreciate to have this kind of attacks, and the more security researchers are going to get some interest into hardware wallet and crypto security in general, the best it will be because we will always have to let’s say to come with even better solutions.

Laura Shin:

And as for the Nano X, if you enable Bluetooth connections on that does that introduce any other vulnerabilities?

Eric Larcheveque:

No, not at all. So the private keys are never going out of the secure chip so they are never on the transmission. It’s exactly the same than USB cable. At worst what can happen is if you break the Bluetooth encryption because it’s _____ 00:44:44 end to end quite strong encryption, but let’s say that if you manage to break the encryption then the worst is privacy. It means that you can see the transactions that you want to _____ 00:44:57, like the amount and the destination address, this kind of things.

So from the security of the private key, it doesn’t change at all the model and having a Bluetooth doesn’t expose the user to more or less security threat.

Laura Shin:

And then I also wanted to ask about the Ledger Blue because some of the attacks that these hackers performed were on the Ledger Blue which is the device being used in the Ledger Vault. So do any of those attacks have any implication for the security of Ledger Vault?

Demetrios Skalkotos:

From the Vault’s perspective it is configured differently than the retail Ledger Blue device. It’s configured for the enterprise use, it’s only for the authorization and putting your pin code in to authorize a transaction and authorize the user itself, and also the user has to have a digital certificate on their laptop that will authenticate that Blue device and authenticate that user to communicate to the HSM to initiate a transaction.

So there’s no keys stored on the Ledger Blue device in the enterprise model, it’s just for authentication of a transaction, and again depending upon the use case and depending upon the users and the wallets, there’s multiple approvers that would need to authenticate that person’s initiation of a transaction.

Eric Larcheveque:

And nevertheless what we plan to do as an easy fix to that, even though the threat is not really practical, an easy fix is just to scramble the pin code so instead of having one, two, three, four, etcetera, each time that you press a pin, then it’s going to scramble the position of the numbers and then it will render completely imperative the sites in that attack.

Laura Shin:

And then the other thing I was curious about, and I think this is an issue for even like an online wallet like blockchain or something, but how do you protect against rogue employees installing something in the hardware or in the operating system that could compromise customers’ coins?

Eric Larcheveque:

Well, first you cannot compromise the operating system because it’s on a secure chip, but let’s say that you could compromise as you said before with the supply chain attack of Saleem, the unsecure chip, or if you want to enter to put inside some kind of remote device, then if you think that you can get subject to this kind of attack, then you’ll have to be maybe a little bit more paranoid because first, probably what exactly is going to happen is that someone is going to observe your pin code because they work with you and at some point maybe they will steal the device, and so it’s a question of process and that’s why when you have lots of friends, especially if you are in a company, especially if you are a professional environment and you have co-workers, and then that’s why you shouldn’t use the Ledger Vault because with the Ledger Vault such attack is not possible because there is a governance and it’s not about compromising one person at what time.

Laura Shin:

Right, but sorry, but I’m asking about Ledger’s employees, like if I’m…

Eric Larcheveque:

Oh, sorry.

Laura Shin:

…just a consumer ordering, then yeah, how do I know that there isn’t some Ledger employee who’s compromised it in some way?

Eric Larcheveque:

Yes. Yes, of course, sorry. So internally we have processes. Basically if we want to sign a new firmware into flash, the devise with a new firmware version, it has to be signed using a protocol, using governance. Basically while using ourself a Ledger Vault, not to keep crypto currencies but to authorize the signature of a new firmware, of a new application, and so there is a code review and it has to be signed by a quorum of different key people at Ledger.

So of course you could say but what if everyone at Ledger wants to release let’s say a firmware with a back door, which is a fair question, then the answer is that we believe there is more value at Ledger being a global leader in hardware wallet and crypto currencies rather than trying to get a few millions of tens of millions or even hundreds of millions by stealing them by using  a firmware back door. So we have this internal processes and after it’s a question of reputation and thinking that we have much more to lose by stealing our customers rather than building a multi billion dollar company in the future.

Laura Shin:

And you have a pretty interesting way of shipping out the devices which is to not put tamper-proof packaging on the devices, claiming that the hardware itself is tamper proof. Do you plan to continue not doing that?

Eric Larcheveque:

Yes, of course. Well, and if you have seen the CCC wallet, that _____ 00:50:20 presentation, they started to say is that tamper-proof stickers are irrelevance. They are what we call security _____ 00:50:31, and so what we use is cryptographic _____ 00:50:34 of the _____ 00:50:37 of the firmware, and we believe it’s a superior solution compared to using stickers. So for sure the Nano X doesn’t have any anti-tampering sticker because it’s _____ 00:50:52.

Laura Shin:

And there have been these instances of people being held at gunpoint or kidnapped and forced to send their coins to their assailants’ addresses. I saw in a blog post that you wrote that you said that Ledger uses a distributed governance or multi signature process to make that infeasible, so how does that work?

Eric Larcheveque:

So that’s something that has been put into the Vault that’s called like delayed opening.

Laura Shin:

Oh, so that’s not for consumers.

Eric Larcheveque:

That’s not for consumers, however we plan to introduce such solutions in the future using excellent _____ 00:51:29 where you can have accounts that are going to sign only if the external Oracle is going to say yes. But of course it means that you still have to make sure that your 24 words, the backup, is not accessible because if anyone at gunpoint access your 24 words, then it’s game over. That’s why being your own bank has a lot of responsibilities.

Laura Shin:

Yeah. And I also wanted to ask about this Ledger Donjon Team? I don’t know if I’m saying that right.

Eric Larcheveque:

Yeah.

Laura Shin:

Who are they and what do they do?

Eric Larcheveque:

So the Donjon Team is the secretary team of Ledger. They are like 10 professionals who are coming from various security practice, doing security evaluation so they have a lot of tools like lasers, like _____ 00:52:21, like _____ 00:52:22 bench and test, and the mission is to evaluate the security of our products by attacking them relently on the hardware, on the software, at any _____ 00:52:34, and also doing the security evaluation of the competition because we have to make sure that we stay ahead.

So the Donjon is really the guys at Ledger who make sure that’s everything that we do is secure.

Laura Shin:

All right, so I actually also want to ask about this new trend that we’ll probably see emerging over the next couple years which is a shift from proof of work to proof of stake or delegated proof of stake. So how  would staking work if I have my coins on a ledger or in the Ledger Vault?

Eric Larcheveque:

So if you have the coins on the hardware wallet you will have the possibility to stake your coins, so we are working with a few cryptos such as Tezos to start implementing the baking or the staking, and we want to make sure to have the same functionalities as well into the Vault because for sure that’s a big feature that is requested by let’s say our custodians or hedge funds who have lots of assets, and Ledger is going to deliver this year in the Ledger Live the first solutions to do the delegated proof of stake. We believe it’s part of the future of crypto and we want to make sure that we will provide with the best interface to be able to do that.

Demetrios Skalkotos:

And the Vault provides, you know, the companies the opportunity because again, you have instant access to your funds based upon the governance principles that each firm sets up for the wallet, so it provides a great entry point for this next development of proof of staking with our technology.

Laura Shin:

And something else that I was curious about was for decentralized exchange. If I have my coins on a Ledger, then the way that that would work is I would need to connect it to my computer whenever I wanted to do a trade, is that how users would…

Eric Larcheveque:

Yes, that’s correct, and you will be able to verify on the Ledger device, on the screen, on the secure screen, what trade you do. So that’s correct, you can use…basically when you are using a centralized exchange you are taking all the responsibilities of the security and that’s why hardware wallet compatibility is really critical and Ledger has put some _____ 00:55:11 already for some decentralized exchanges and want to continue to do so, and also do some deep integrations in the Ledger Live which is that the wallet interface used by our devices.

Laura Shin:

So I want to leave the listeners with a some advice from you because I know that you guys must be experts on security and projecting your crypto assets, so what advice would you give to listeners on how to make sure that they don’t lose their coins?

Eric Larcheveque:

Well, I think one of the biggest advice is to take time and try to understand what you do. Ledger is bringing a lot of documentation of block _____ 00:55:51, about best practice, about what you should do, what you should not do, and when you buy something new like any device or anything, you always want to open and start to use it immediately. You know, you take the documentation, you don’t read it and you just want to go with it, and in crypto you have to be very careful.

So my big advice would be take your time, read the documentation, understand what you are doing, and if you are following the best practice, then there is very little chance that you will do a mistake. Do not panic, just take your time, read, understand, and move forward. So I think that’s the biggest advice I could give to anyone.

Laura Shin:

Well, one other question that I have is you know, when you record your seed _____ 00:56:46, I can think of different places where I might hide it but I can’t think of a place where I might hide it and then like not forget that I put it there. So how do you recommend people figure that part out, you know what I mean? Or like where it wouldn’t get lost or where it wouldn’t be seen by somebody else?

Eric Larcheveque:

So it’s a very interesting question which has a lot of ramification because maybe the next question is how do you make sure that if you have an accident or if you die it’s transmitted to your next of kin? But I would say that the best, probably the most secure approach is to rent a safe, a physical safe at your bank and to put it there because one, you are not going to forget that it’s there because you have a physical safe. Two, if you are going to have let’s say an assault, a physical assault _____ 00:57:43 or anything, it will be much more difficult to go into the bank safe. And three, I mean, if you die or if you are hit by a bus, logically to access your bank safe we go to your next of kin and if you give all the documentation inside to explain what to do with the 24 words, it can also solve how you can transmit your crypto to your loved ones.

Laura Shin:

Okay, and I suppose you should seal that because otherwise what if a bank employee goes in there and is like oh, hey…

Eric Larcheveque:

The bank employee cannot access the safe. No, usually you need two keys, so yeah, you have to take a reputable bank and make sure that it’s not possible to open the safe without you which normally should be the case.

Laura Shin:

Okay. Okay. All right. Well, this has been an incredibly fascinating discussion. Where can people learn more about you and Ledger?

Eric Larcheveque:

Well, go into ledger.com and have a look at all our products and offering.

Laura Shin:

Great. Well, thanks to both of you for coming on Unchained.

Eric Larcheveque:

Thank you.

Demetrios Skalkotos:

Thank you.

Laura Shin:

Thanks so much for joining us today. To learn more about Ledger, check out the show notes inside your podcast player. New episodes of Unchained come on every Tuesday. If you haven’t already, Rate, Review, and Subscribe on Apple podcasts. If you liked this episode, share it with your friends on Facebook, Twitter, or LinkedIn, and if you’re not yet subscribed to my other podcast, Unconfirmed, I highly recommend you check it out and subscribe now.

Unchained is produced by me, Laura Shin, with help from Ralene Gallipoli, Fractal Recording, Jennie Josephson, Corrin Fife, and Daniel Nuss. Thanks for listening.