Developer Discovers Tracking in Ledger Hardware Wallet Software

In a recent revelation, a software developer known as REKTBuilder has exposed an alarming privacy concern within the Ledger Live hardware wallet software, a popular tool for Bitcoin storage. The developer delved into the Python code of the device's software and discovered what he believes to be a recurring "device authenticity check" each time a user connects their Ledger wallet to a computer or phone. According to REKTBuilder, this check extends to all applications installed on the device, allowing Ledger to gain insights into the user's network usage.

REKTBuilder took to social media to share his findings, stating, "Ledger Live has a built-in check during the app listing process. They always verify your device when installing, updating apps, or flashing. I removed most of the tracking code in Lecce Libre, but tracking still occurs."

In early December, REKTBuilder initially claimed that Ledger Live was recording users' cryptocurrency balances. This led to the emergence of an open-source alternative to Ledger Live called "Lecce Libre," which aimed to eliminate trackers. However, REKTBuilder has now identified a more substantial privacy issue within Ledger Live.

The developer found specific lines of code containing the phrase "genuine check." Intrigued, he added the phrase "tracing prints" to this code and discovered that the device failed to launch during the check. This raised suspicions, prompting REKTBuilder to dig deeper.

He found that the actual check was embedded in the listApps subroutine. Ledger could utilize this check to determine the time and date of a user's device connection. Attempts to remove this code rendered the software non-functional.

REKTBuilder made a disconcerting revelation, stating, "I tried to disable remote tracking, but it's impossible. If you do, the wallet breaks. This means that every time you connect your device, Ledger knows it's you and which apps you've installed."

It's worth recalling that Ledger recently pledged to compensate users for losses incurred during a hacking attack on the company's hardware devices. In October, Ledger officially launched a feature for recovering seed phrases of cryptocurrency wallets, a move that sparked significant controversy within the crypto community.