All data funneled through centralized server.
There has been a lot of drama with Ledger recently. First, their servers got hacked and their data leaked to the darkweb. This is when everyone collectively realized that Ledger had been storing information on users that they never should have been storing in the first place. Names, addresses, and email addresses were leaked. People were literally kidnapped and murdered over this because Ledger doxed their userbase.
Did Ledger get in trouble for this?
Nope of course not.
Business just continued as usual after some bad press.
Then came the backdoor.
Now Ledger is under fire for creating a service that allows the seed to be stored across three different private corporations and able to be recovered with 2FA. Two out of the three shards allows the seed to be recovered. This is a heinous policy considering one server/corporation is in USA and one is in EU; collusion is inevitable.
Many have correctly assessed that this is a huge security breach, and even the CEO of Ledger itself has admitted that a court order would end in the forfeiture of all the crypto on the device. This is considered an "acceptable risk" because Ledger's target demographic are law abiding citizens with less than $50k in their wallet.
I think this is hilarious logic to employ considering the exponential growth of crypto. Crypto does a 100x and all of a sudden their target demographic no longer has <$50k worth of crypto but rather <$5M. To assume that government or other bad actors would not exploit this vulnerability is a childish notion. But I digress.
https://twitter.com/zachherbert/status/1710357413793071525
- zachherbert
Here we see a tweet of a guy further criticizing Ledger for bragging about securing 20% of all crypto assets in existence. 20%? Wow I hope that's not true, but it probably is. Insane.
What this guy doesn't seem to understand is that every hardware wallet operator knows exactly how much crypto you have. It's a bit mind blowing that nobody actually knows how any of this works and they just assume that every part of the process is totally decentralized. It is not: decentralization is very difficult to achieve and inefficient in many cases.
Hardware wallet don't know which assets you control.
I bet if you were to ask 99% of hardware wallet owners if their device knows how much crypto they have they'd automatically say yes without even thinking about it. Okay, well... how would it know that? How could a hardware wallet possibly know how much money you have? It literally never connects to the Internet... ever.
Your crypto exists on the internet.
The public ledger is on the Internet for anyone to see. That's kind of the entire point. The ONLY thing a hardware wallet can do is sign messages with the private key. That's it. It doesn't know anything else. And guess what? In many cases the only way to organize an operation that needs a signature is with internet access.
Take Hive for example
On a technical level every operation on Hive must have a ref_block_prefix and a ref_block_num. These variables basically point to a previous block on the current fork. The reason this is necessary is because imagine Hive forked to a new chain... we'll call this new chain Steem or Blurt or something.
Now imagine after the fork happens you try to do something simple like transfer Hive from account @xyz to @abc. What's to stop someone (account @abc) from rebroadcasting that public operation to all the other forks? Say you sent @abc 1000 Hive. @abc could just take that operation and broadcast it to both Blurt and Steem and steal 1000 coins on both chains that you never authorized. ref_block_prefix and a ref_block_num prevent this from happening by referencing a block on the chain long after the forks happened.
The problem is that in order to get a reference to a current block... well you'd need access to the internet to get that info. You need access to a node to setup the transaction so that the hardware wallet even has a valid message to sign in the first place. This means that every single hardware provider funnels all of your data through their private servers and can track anything and everything their customers do. They ALL do it, not just Ledger. Ledger is just blatant about it and even brags on it.
An example for Bitcoin
You know how on a hardware wallet you can have a Bitcoin "account" but that "account isn't actually just a single wallet? In fact, you can click the "deposit" button on an "account" and the Trezor/Ledger website will give you a different public key for every single deposit. This practice increases security/privacy in theory, especially from a on-chain data analysis perspective.
But again how does that work?
Right? Because when you go to spend the money you don't have to dick around and manage 10 different private keys even though you could have deposited money into 10 different public addresses. It "just works". Money sent.
But no see in the background their private centralized servers have to make a decision for you. Imagine you have 4 UTXOs (Unspent transaction outputs)
- 0.1 BTC
- 1 BTC
- 0.25 BTC
- 0.15 BTC
Still with me?
Account X is going to tell you you've got 1.5 BTC in your wallet, but in the background what you really have is the 4 UTXOs listed above. Let's say you wanted to transfer 0.25 BTC somewhere. Well the wallet has a dozen different ways it could actually do that. It could spend 0.25 BTC from the 1 BTC UTXO leaving 0.75 left. It could completely drain the 0.25 wallet leaving nothing left, which would be cheaper than spending the 0.1 BTC & 0.15 BTC UTXOs because it only requires the signature from a single private key.
Point being that none of this is possible without a centralized frontend to do all the heavily lifting to create a seamless user experience. The user is none the wiser, which is exactly why most people have absolutely have no idea how any of this stuff works. It's actually quite centralized in ways that are never even considered or even thought possible.
Metamask
Same story. You connect to a single centralized node and simply hope it's telling you the truth a lot of the time. How does Metamask know how to estimate the fee you need to pay to post an operation? Again, it's owned by a centralized company called ConsenSys and it is this company that pulls a lot of these strings and makes for a seamless user experience. Most haven't the slightest clue as to how it actually works. "It's decentralized, bruv."
Conclusion
Popular hardware wallets are data-harvesting user information and most people haven't the slightest clue. In fact we only express outrage when a company like Ledger straight up admits what they are doing and tells us straight to our faces. Imagine all the shady stuff they've done that they will never admit. Yeah. The optics are not great on that one. This is actually exactly why I had to stop using my COBO airgapped hardware wallet. The public data was being encrypted and I had absolutely no idea what kind of information was exiting the device.
The solution to this problem is to create hardware wallets implementations that aren't grossly centralized to companies and frontend nodes in this manner. Easier said than done obviously, as the way it works now is pretty convenient and considered a "good enough" solution. However we should be well aware that this ecosystem could change at any moment. How much longer until the NSA forces all hardware wallet producers to add in a secret backdoor that nobody even knows about? How do we know this isn't a thing already? We don't honestly.
Ultimately what needs to happen is that we develop air-gapped end-to-end encryption that can't be hacked or intercepted because the device sending the messages doesn't have an internet connection or even a USB port. The code must be open source and anyone must be able to boot up their own frontend-api for personal use or to share with others that trust them. Only this level of decentralization is secure enough for the endgame. I have faith we'll get there but it might take a while. Perhaps when we all have at least a couple million dollars on the line and the stakes are much higher. Wen moon?