Developer REKTBuildr studied the Ledger Live source code and found that the software tracks its users, reporting data about the connected device to Ledger's servers.
Ledger Live embeds the genuine check into the apps listing procedure. As it is, they always doxx your device when installing or updating apps and firmware. I removed most tracking in Lecce Libre, but they still track you regardless.
For the past couple days I’d been trying to… pic.twitter.com/Q1aF1qpjge
— REKTBuildr (@rektbuildr) December 27, 2023
According to him, Ledger Live performs its "genuine check", a verification of the device's authenticity against Ledger's servers, every time an app is installed or the firmware is updated. The check is built into the listApps routine, so any app listing or update contacts Ledger's servers and reveals which device is connected and what is installed on it.
“[Software developers] know every connection to your device and which other apps are installed on it. Therefore there is currently no way to manage Ledger anonymously,” REKTBuildr said.
When he tried to remove the remaining remote calls, the app stopped working.
The researcher advised against installing the latest firmware update delivered through Ledger Live, because he is not sure what other information it might transmit to the company's central servers.
“They have a recovery function that extracts private keys from the secure chip. How can we be sure that these keys won’t be read somehow ‘accidentally’?”
He also urged the developers to give advanced hardware wallet users a way to operate completely offline, without ever contacting Ledger's servers.
In December, the Ledger team disclosed a supply-chain compromise of Ledger Connect Kit, the JavaScript library that decentralized applications use to connect to Ledger wallets. The attacker published a malicious version of the library, so dApp front ends that loaded it served wallet-draining code to their visitors.
User losses from the incident were estimated at around $600,000.
