Researcher finds data harvesting inside Ledger Live app
Sleuths have discovered a vast data harvesting operation by the world’s largest hardware wallet manufacturer, Ledger. For reasons that are difficult to comprehend, Ledger Live software transmits information about clicks, page visits, redirects, crypto transactions, page scrolls, numbers of accounts, crypto asset names, session durations, hardware device types, and firmware versions to Ledger’s analytics provider.
Ledger Live is the official software for interfacing with any Ledger hardware wallet. The vast majority of PC users download this software in order to set up their hardware wallet and sign transactions. While inspecting its code, REKTbuildr found that user tracking is built into the entire software suite. He called it a “gigantic user tracking system.”
Cleaning user tracking code from Ledger Live code and JFC the whole thing is a gigantic user tracking system
There’s analytics trackers for nearly all events, on most screens.
Ledger Live is a user data collection tool
How is this system even accepted by the crypto community?
— REKTBuildr 🔺🔺🔺 (@rektbuildr) December 6, 2023
The application is sending tracking data to a service called segment.io. This data includes information on digital assets and NFTs stored on Ledger wallets.
A risky Ledger Live default setting
The Protos team did find that there is an option to turn off at least some of these analytics in Ledger Live’s settings. The settings tab of Ledger Live says enabling analytics will send data on “clicks, page visits, redirections, actions (send, receive, lock, etc), end of page scrolls, (un)installing and app version, number of accounts, crypto assets and operations, session durations, the Ledger device type and firmware.”
Ledger Live’s data harvester is a JSON object with a properties key. It transmits user ID and a ‘writeKey,’ which can uniquely identify the PC. It can also send segment.io account information including names of digital assets owned and other information about users’ computers.
Although Ledger Live doesn’t send private keys or recovery phrases to segment.io, it sends plenty of information about a user that could subject users to extortion attacks. Any segment.io hacker, for example, could easily identify any user with substantial crypto holdings — including timestamps of crypto activities and other terrifyingly detailed information about assets.
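To make the shape of the payload described above concrete, here is a small added Python audit that walks a batch of Segment-style "track" events, flags the properties that fall into the categories the settings page lists (holdings, operations, device type and firmware), and checks whether each such event also carries a stable identifier that would let it be tied back to a person or install. This is illustrative code written for this page, not Ledger's code and not the Segment SDK; the event names, property keys, user ID and writeKey value in the sample batch are constructed and do not come from the real Ledger Live telemetry schema.

```python
"""Audit a batch of Segment-style analytics events for wallet-sensitive fields.

Added example; not Ledger's or Segment's code. Event names, property keys,
the user ID and the writeKey value below are constructed for illustration.
"""
import json
from typing import Dict, List

# Data categories the analytics setting describes, keyed to substrings a
# defender would look for in property names (the substrings are assumptions).
SENSITIVE_KEY_HINTS: Dict[str, tuple] = {
    "holdings": ("asset", "currency", "account", "balance", "nft"),
    "activity": ("operation", "transaction", "send", "receive"),
    "device": ("device", "firmware", "model"),
}

# Top-level fields that can link an event to a person or a particular install.
IDENTIFIER_FIELDS = ("userId", "anonymousId", "writeKey")

# Constructed sample of what a captured telemetry batch might look like.
SAMPLE_BATCH = json.dumps({
    "batch": [
        {
            "type": "track",
            "event": "Transaction Sent",          # constructed event name
            "userId": "user-0001",                # constructed
            "writeKey": "WRITE_KEY_PLACEHOLDER",  # placeholder, not a real key
            "timestamp": "2023-12-06T10:15:00Z",
            "properties": {
                "currency": "Bitcoin",
                "accountsCount": 4,
                "deviceModel": "nanoX",
                "firmwareVersion": "2.2.1",
                "theme": "dark",
            },
        },
        {
            "type": "page",
            "event": "Page Portfolio",
            "userId": "user-0001",
            "writeKey": "WRITE_KEY_PLACEHOLDER",
            "properties": {"theme": "dark", "scrollDepth": 100},
        },
    ]
})


def load_batch(raw_json: str) -> List[dict]:
    """Parse a raw batch payload into its list of events."""
    return json.loads(raw_json).get("batch", [])


def classify_properties(event: dict) -> Dict[str, List[str]]:
    """Map each sensitive category to the property names in this event that hit it."""
    hits: Dict[str, List[str]] = {}
    for key in event.get("properties", {}):
        lowered = key.lower()
        for category, hints in SENSITIVE_KEY_HINTS.items():
            if any(hint in lowered for hint in hints):
                hits.setdefault(category, []).append(key)
                break
    return hits


def identifiers_present(event: dict) -> List[str]:
    """Return which stable identifier fields the event carries."""
    return [field for field in IDENTIFIER_FIELDS if event.get(field)]


def audit_batch(raw_json: str) -> dict:
    """Summarise which events expose sensitive categories and are linkable to an identifier."""
    events = load_batch(raw_json)
    categories = set()
    linkable = 0
    findings = []
    for event in events:
        hits = classify_properties(event)
        ids = identifiers_present(event)
        if hits:
            categories.update(hits)
            if ids:
                linkable += 1
        findings.append({"event": event.get("event"), "sensitive": hits, "identifiers": ids})
    return {
        "events": len(events),
        "linkable_sensitive_events": linkable,
        "categories": sorted(categories),
        "findings": findings,
    }


def redact_event(event: dict) -> dict:
    """Drop sensitive properties and stable identifiers, keeping only benign UI telemetry."""
    sensitive = {name for names in classify_properties(event).values() for name in names}
    clean = {k: v for k, v in event.items() if k not in IDENTIFIER_FIELDS}
    clean["properties"] = {k: v for k, v in event.get("properties", {}).items() if k not in sensitive}
    return clean


if __name__ == "__main__":
    print(json.dumps(audit_batch(SAMPLE_BATCH), indent=2))
```

Run against a real capture, the `categories` and `linkable_sensitive_events` counts are what matter: a batch that exposes holdings or device details alongside a stable user ID is exactly the combination the article warns about, while `redact_event` shows the minimum that would have to be stripped for the telemetry to carry only UI usage data.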
Aggregating Ledger users as a high-value audience package
A likely commercial explanation for all the data harvesting, REKTbuildr speculated, is that Ledger wants to resell anonymized data to third-party advertisers. Prepackaged IP or cookie ‘audiences’ of thousands of users who have engaged in a recent digital action, such as clicking a button within a crypto app, are commonly resold to advertisers by data aggregators like Google, Bluekai, or eXelate.
Alternatively, the data could be used internally for user experience (UX) and user interface (UI) workers at Ledger.
As a courtesy to the community, REKTbuildr forked Ledger Live software, removed its tracking codes, and uploaded the patched software to GitHub.
Naturally, Ledger had very little to say about analytics harvesting on its social media. Its disinterest comes as little surprise to the digital asset community.
Ledger has already shaken the community’s trust in its hardware wallets. In May, it announced a controversial Recover service that offered the ability to remotely decipher the private keys on one’s hardware wallet. It unapologetically pushed that update live, eliminating years of perception that private keys never left a hardware wallet.
Another lowlight in Ledger’s history includes its email database. Hackers exposed millions of its users’ emails, which led to users receiving fake wallets in a likely phishing attack. Experts quickly posted warnings.
In summary, Ledger is tracking user data, possibly for its own UI/UX workers, or to profit from resale. Luckily, users have alternatives, including tracker-free forked versions of the software, or using the hardware wallet itself without installing Ledger Live software at all.