Ledger's Security Model: How Are Ledger Devices Secured? (2024)

Nov 12, 2022 | Updated Sep 4, 2023

KEY TAKEAWAYS:
— Ledger’s security model is designed to protect you from countless vulnerabilities in the web3 ecosystem

— Understanding what the Ledger ecosystem can protect you from is imperative to keep your assets safe

— Ledger’s security model cannot protect you from your own mistakes or from falling for scams, but it can help you detect red flags. The last line of defence is always you.

Ledger’s security model means your Ledger device is protected from many digital and physical threats. But how does it stay safe?

Combining technical innovations, rigorous testing, and user awareness, Ledger provides a robust defence against attacks. Collectively, these aspects contribute to Ledger’s exemplary track record of never experiencing a hack. That’s right–in almost a decade of business and over six million devices sold, Ledger has never been hacked. This impressive track record is simply thanks to the constant innovation surrounding the best security practices for hardware wallets—ensuring the development of the most effective security model in the crypto hardware industry.

In fact, this is only solidified by Ledger’s trusty software, namely Ledger Live. But how does Ledger’s security model protect your digital assets? Let’s explore:

What is Ledger?

But wait, what is a Ledger exactly? For the full details, check out our article on What Ledger is. But for the purposes of this article it’s important to know that Ledger is an ecosystem of solutions combining hardware and software to improve web3 accessibility.

Most notably, Ledger produces secure hardware wallets capable of protecting your private keys in an environment isolated from your internet-connected device, such as a smartphone or tablet. Whether you’re using the Ledger Nano X, Ledger Nano S Plus or Ledger Stax, it’s Ledger’s security model that helps keep your assets secure.

Put simply, every Ledger is capable of generating private keys and creating blockchain accounts. These private keys grant you access to your funds on the blockchain and provide you with the ability to access blockchain apps and execute transactions.

But it’s not just hardware that Ledger offers to protect your precious assets. Ledger also offers several companion tools that allow you to navigate the blockchain ecosystem with confidence. For example, Ledger Live is a single application that allows you to manage your device and access countless blockchain apps and services directly from your device. And you can do so knowing that transactions you sign in Ledger Live are secure and transparent. Put simply, Ledger provides you with all of the extra knowledge you might need to navigate the space safely.

But before we dive into the details, let’s explore what makes Ledger’s ecosystem so secure.

Understanding Ledger’s Security Model: The Basics

There are several core elements to Ledger’s security model and they all work together to protect your assets. So what is it that keeps Ledger devices secure?

Offline storage

Firstly, Ledger devices stand out from many other crypto wallets on the market simply as a physical solution to an age-old problem. Private keys kept on an internet-connected device, as software wallets keep them, are vulnerable to digital hacks. Software or “hot” wallets may be convenient, but they are not entirely secure since they run on internet-connected devices. Instead of storing your private keys on your smartphone or laptop, Ledger hardware wallets store them in an offline environment. This keeps your private keys hidden from any nosy hackers vying to steal your assets.

Secure Element

Specifically, Ledger devices protect your private keys using a Secure Element chip. This is a physical chip inside a physical device, and it’s the same chip you might find in your credit card or passport. Using this chip ensures that no one could access your funds should they manage to get physical access to your device.

Ledger is the first–and currently the only–hardware wallet company to use a Secure Element to store private keys. To learn more, check out the full article on the Secure Element. But it’s important to note that Secure Element chips are audited by security professionals, meaning they are safer than their untested counterparts.

BOLOS operating system

Since the Secure Element chip’s default operating system was designed for use in bank cards, Ledger devices use a custom operating system named BOLOS that can manage private keys. Essentially it’s responsible for handling the underlying rules of the device and its apps. BOLOS lets you install multiple apps while keeping your information secure and isolated within each of them.

Trusted Display

Furthermore, computer and phone screens can be tampered with by hackers via your internet connection, but your Ledger screen cannot. Every Ledger device features a Trusted Display, a screen that is tamper-proof since the screen itself is secured by the Secure Element. Yes, you can verify the full details of your blockchain transactions, and know exactly what you’re signing before you hit “confirm”.

PIN Code

So now you know about the inside of your device, what happens if someone could get physical access to it? No one wants to worry about leaving their device behind at home or at the office.

Luckily, every Ledger device is protected by a 4–8 digit PIN code. You have the power to choose this code upon setting up the device, and are responsible for keeping it safe and out of the way of prying eyes. This PIN code offers the first layer of security for everyday usage. Put simply, you can’t do anything with a Ledger unless you know the code. Sending and receiving crypto requires it, and so does signing any transaction. In fact, you can’t even upgrade to the latest firmware without your trusty PIN code. Setting up a good PIN code ensures that you (and only you) can access your device.

Donjon Testing

Creating the most secure crypto wallet involves testing both the physical components and the firmware. The Ledger Donjon is a security evaluation team, made up of the leading security experts in the industry. This team of white-hat hackers is constantly testing the security of your device. These professionals are thorough, making sure to identify every possible attack vector and seeing to the problem immediately. If the Donjon finds any kind of vulnerability in a device, it will immediately roll out a firmware update, meaning each new update improves the security of your Ledger. This ensures that Ledger wallets are impenetrable—and stay that way.

What Do Ledger Devices Protect Me From?

So now you know all of the measures Ledger puts in place to protect its devices, you might be wondering exactly what kind of attacks they protect you from.

Malware and Software Attacks

Software and malware attacks are some of the most common ways crypto wallets become compromised. Simply put, if you use a hot wallet, which stores your private key on your host device, hackers may be able to extract your private key by targeting your smartphone or laptop with malware. Ledger devices mitigate this risk by keeping your private keys isolated from your internet-connected devices using the Secure Element. Plus, the Trusted Display means you can sign transactions with confidence, knowing your Ledger’s screen is completely tamper-proof. Finally, connecting your device to Ledger Live gives you an option to verify the validity of your device and its firmware.

Physical Access

Do you often move around with your device or live with people you can’t trust? Well, luckily a bad actor can’t steal your crypto with physical access to your Ledger device. Firstly, someone with physical access to your device will have to know the PIN code in order to do anything with your device, even simply to unlock it!

Without the PIN, a bad actor’s only choice is a physical hack. However, Ledger devices are protected from physical hacks too. Firstly, the Secure Element chip is designed to withstand power-glitching, unlike many comparable hardware wallets on the market. Secondly, they are also protected from side-channel attacks. These sorts of attacks aim to gain access to a piece of hardware by watching how it behaves in use, and attempting to uncover its PIN code. Luckily, you don’t have to worry about either of those vulnerabilities with your Ledger device.

What Doesn’t Ledger’s Security Model Protect Me From?

Ledger devices can protect you from multiple hacks, but they can’t protect you from mistakes you make or scams you fall for. So what kind of mistakes should you be watching out for when using your Ledger device? Let’s explore:

Revealing Access to Your Secret Recovery Phrase, Private Keys or PIN

Your secret recovery phrase is the key to accessing your funds in case of device loss or damage—and anyone with it has full access to your funds.

For this reason, you should store it somewhere safe, fireproof and waterproof. Most importantly though, you should never reveal it to anyone. To ensure the latter, you should never keep a copy of your recovery phrase online. If you do, you’re increasing the risk of remote unauthorized access. This includes importing that secret recovery phrase into a hot wallet interface. Doing so will store the private keys on your internet-connected device, which increases the risk of exposure to potential security breaches or attacks.

In the same vein, you also shouldn’t write down your PIN in unsafe places. Writing it down in your phone’s memory, in cloud-based services, or on sticky notes leaves you with that same vulnerability. In short, no one should have access to your secret recovery phrase, private keys or PIN code, no matter the situation.

Malicious Transactions

Blind signing is one of the biggest dangers in the cryptocurrency ecosystem. To explain, blind signing involves executing transactions that you can’t read and whose repercussions you therefore can’t know. Unfortunately, this is often necessary when connecting to blockchain apps and platforms, and it can leave your funds at risk of malicious transactions. Not only that, scammers use blind signatures to their advantage, and may try to convince you to sign away your assets. So how do we mitigate this risk?

Put simply, you should never connect to untrustworthy smart contracts or platforms using an account containing valuable assets. Connecting to potentially untrustworthy platforms is suitable for your minting account only, and failure to segregate these approvals could leave your assets at risk. To learn more, make sure you check out the article on how to segregate your crypto assets effectively.

Social Engineering

While Ledger can protect you from multiple vulnerabilities, the biggest vulnerability of your device is you. Put simply, most crypto hacks are the result of social engineering. To explain, you’re way more likely to sign a malicious transaction when it comes from someone you trust. Ledger recommends a well-known piece of advice in this instance: Don’t trust, Verify.

If you feel like someone may be pulling on your heart strings in order to execute a crypto swap or sale, make sure you DYOR. Not everyone in the web3 community will have your best interests at heart.

How Ledger Helps You Make The Right Choices For Your Assets

While Ledger can’t directly protect you from making mistakes, its wider ecosystem is full of useful tools that can help you mitigate risk and make the right decisions. That’s right, it’s not just your expertly-crafted device that can help protect you from scams. So, what are the best tools to navigate the system, and what should you do to keep yourself safe?

How To Tackle Blind Signing

Blind signing might sound scary, and honestly, it can be. No one wants to sign away their assets with unreadable transactions. This is why the Ledger ecosystem offers tools to make sure you never need to transact blindly.

Ledger Live: A Trusted Platform for interacting with Web3:

The Ledger Live platform allows you to manage your assets and access countless blockchain apps and services directly with your device, meaning you benefit from Ledger’s security model while interacting with web3. This lets you sign transactions in confidence, as apps on Ledger Live will never prompt you to sign malicious transactions.

Managing your Secret Recovery Phrase Effectively

Your private keys on your Ledger device are safeguarded using a 24-word password called a secret recovery phrase. This secret recovery phrase is like the master key to your private keys, and thus keeping it safe is imperative. Ledger devices each come with a card to record your secret recovery phrase on, and you’re expected to store this card somewhere safe. But actually, Ledger’s wider ecosystem can help you protect it further.

Physical tools for safeguarding your secret recovery phrase:

Well, for the full details, check out the full article on how to protect your recovery phrase. But in short, you must have a clean, dry, accessible place to store this piece of card. Otherwise, you have a few alternative options. If you need a more robust way to store your recovery phrase, check out the Ledger shop. Both the Billfodl and the Cryptotag Zeus are physical metal cards that can store your recovery phrase. The whole idea is they are built to last—with designs that resist water, fire and much more.

Passphrase

The passphrase is an advanced feature that allows you to add an additional word to your recovery phrase. For this reason, it’s also commonly referred to as the 25th word. Unlike the regular recovery phrase, you would choose the 25th word. There are no limitations for which word you’d like to choose. As a matter of fact, the only limitation is using a maximum of 100 characters.

When you use a passphrase on top of your usual settings, it will open a brand-new set of accounts. It’s similar to having two completely different recovery phrases. To learn more, check out the full article on what a passphrase is.
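Why a passphrase opens a separate set of accounts, shown as an added example (not code from Ledger or from this article). It assumes the recovery phrase follows the BIP-39 standard and that accounts descend from a BIP-32 master key; the function names and sample passphrases are illustrative, and the mnemonic is the public BIP-39 test vector.

```python
import hashlib
import hmac
import unicodedata
from typing import Dict, Iterable, Tuple

MAX_PASSPHRASE_CHARS = 100  # limit stated in the article for Ledger devices

# Constructed sample input: the public BIP-39 test-vector mnemonic.
# It protects nothing; a real recovery phrase is never typed into a computer.
SAMPLE_MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP-39 seed from a mnemonic and optional passphrase."""
    if len(passphrase) > MAX_PASSPHRASE_CHARS:
        raise ValueError("passphrase longer than 100 characters")
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    # The passphrase is mixed in as part of the PBKDF2 salt, so every
    # distinct passphrase (including the empty one) yields a different seed.
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64
    )


def bip32_master(seed: bytes) -> Tuple[bytes, bytes]:
    """Return (master private key, chain code) per BIP-32 master key generation."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def account_set_fingerprint(mnemonic: str, passphrase: str = "") -> str:
    """Short, non-secret tag identifying the account tree a passphrase unlocks."""
    key, chain = bip32_master(bip39_seed(mnemonic, passphrase))
    return hashlib.sha256(key + chain).hexdigest()[:16]


def compare_passphrases(mnemonic: str, passphrases: Iterable[str]) -> Dict[str, str]:
    """Map each passphrase to the fingerprint of the account set it opens."""
    return {p: account_set_fingerprint(mnemonic, p) for p in passphrases}


if __name__ == "__main__":
    # Hypothetical passphrases: none, a chosen word, and the same word mistyped.
    for phrase, tag in compare_passphrases(SAMPLE_MNEMONIC, ["", "vault", "Vault"]).items():
        print(f"passphrase={phrase!r:10} account set {tag}")
```

Every passphrase is valid, so a mistyped one raises no error: it silently opens a different, empty set of accounts. That makes the exact spelling and capitalisation part of the backup.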

Ledger Security Model Protects You, If You Protect Yourself

Ledger’s security model protects your device in countless ways, from remote access to your wallet, to physical hacks, to theft or loss. Then, its wider ecosystem provides you with the tools to help make the right decisions every time you transact. The only danger to your assets when using a Ledger device is you. That’s why educating yourself on the crypto industry and its dangers is so important. Whether you’re a crypto beginner or a full-time trader, Ledger’s security model offers you agency over your assets. It’s down to you how you use them.

Ledger's Security Model: A Summary

  • Overview of Ledger: Ledger is an ecosystem that combines hardware and software to enhance web3 accessibility. It primarily produces secure hardware wallets (e.g., Ledger Nano X, Ledger Nano S Plus, or Ledger Stax) designed to protect private keys in an isolated environment from internet-connected devices.

  • Hardware Capabilities: Ledger devices generate private keys and create blockchain accounts. They offer offline storage, a crucial feature that distinguishes them from software wallets. By keeping private keys in an offline environment, Ledger mitigates the risk of digital hacks.

  • Secure Element Chip: Ledger devices utilize a Secure Element chip, a physical chip found in credit cards and passports, to protect private keys. This chip is audited by security professionals and ensures that physical access to the device doesn't compromise the security of the stored keys.

  • BOLOS Operating System: Ledger devices use a custom operating system named BOLOS, designed to manage private keys. It allows the installation of multiple apps while maintaining security and isolation for each.

  • Trusted Display: Ledger devices feature a tamper-proof Trusted Display, secured by the Secure Element. This display allows users to verify blockchain transactions before confirming them, enhancing transparency and security.

  • PIN Code Protection: Every Ledger device is protected by a 4–8 digit PIN code, chosen by the user during setup. The PIN code serves as the first layer of security and is required for any transaction or device interaction.

  • Donjon Testing: Ledger employs a security evaluation team called Donjon, composed of leading security experts. This team continuously tests the physical components and firmware of Ledger devices, identifying vulnerabilities and rolling out firmware updates to enhance security.

What Ledger Devices Protect Users From:

  • Malware and Software Attacks: Ledger devices protect against common attacks on crypto wallets by keeping private keys isolated from internet-connected devices. The Trusted Display ensures secure transaction signing.

  • Physical Access: Physical access to Ledger devices is safeguarded by the PIN code, Secure Element chip resistance to power-glitching, and protection against side-channel attacks.

What Ledger's Security Model Doesn't Protect From:

  • User Mistakes: Users are responsible for safeguarding their secret recovery phrase, private keys, and PIN code. Ledger cannot protect users from revealing these sensitive details.

  • Blind Signing: Users should avoid blind signing transactions, especially with valuable assets, as it can expose funds to malicious transactions. Connecting to untrustworthy platforms increases the risk.

  • Social Engineering: Ledger devices cannot protect users from social engineering attacks. Users are advised to verify and not trust blindly.

Tools in Ledger's Ecosystem for Enhanced Security:

  • Ledger Live: A platform for managing assets and accessing blockchain apps securely. Ledger Live ensures that users are not prompted to sign malicious transactions.

  • Secret Recovery Phrase Management: Ledger provides physical tools like metal cards (Billfodl, Cryptotag Zeus) for securely storing the secret recovery phrase.

  • Passphrase Feature: Users can add an additional word (passphrase) to the recovery phrase for enhanced security.

In conclusion, Ledger's security model combines innovative hardware design, a secure operating system, and continuous testing to provide robust protection against various threats in the crypto hardware industry. Users play a crucial role in maintaining security by following best practices and utilizing tools within the Ledger ecosystem.

FAQs

Ledger's Security Model: How Are Ledger Devices Secured?

The security of a Ledger device's secure screen starts with its internal components. Ledger devices store private keys on a Secure Element chip, an industry-leading computer chip often used in bank cards and passports since it can withstand common attack vectors like side-channel attacks and glitching.

How to make sure your Ledger is safe?

Check for factory settings

Ledger never provides a PIN code in any way, shape, or form. Always choose the PIN code yourself. If a PIN code is included in the packaging or instructions to get one elsewhere, or if the device requires a PIN code the first time you use it: the device is not safe to use.

Are Ledger devices safe?

Ledger hardware wallets are so secure thanks to their countless components and features working together seamlessly. All of these crucial elements make up Ledger's Security Model, which is so strong that no Ledger device has ever been hacked!

What Secure Element does Ledger use?

Ledger's Secure Element Runs a Custom Operating System: BOLOS. The Secure Element in Ledger devices runs a custom operating system named BOLOS. Combined with the genuine-check mechanism in Ledger Live, users can verify they are running the legitimate operating system and embedded applications.

What are the best practices for Ledger security?

Our team will never DM you through social media or any other avenue of digital communication. Never share your 24-word seed phrase with anyone. Also, never digitize, take a picture of, enter into a hot wallet, or screenshot your seed phrase. This support article describes how to keep your 24 words safe and secure.

How is Ledger secured?

Ledger devices store private keys on a Secure Element chip, an industry-leading computer chip often used in bank cards and passports since it can withstand common attack vectors like side-channel attacks and glitching.

Is Ledger 100% secure?

All Ledger crypto wallets are powered by an industry-leading Secure Element chip, together with Ledger's proprietary OS that protects your crypto & NFTs from sophisticated hacks.

Can someone access my Ledger?

Ledger device PIN codes are from 4 to 8 digits, and they are necessary for unlocking your device to sign transactions. This part of Ledger's Security Model guarantees that no one can access your crypto simply by finding the device. Nobody other than you can use the device or access anything on it.

Can a cold storage wallet be hacked?

While cold wallets are designed to provide the highest security measures for your crypto by keeping your private keys offline, they are not entirely free from vulnerabilities.

Can Ledger access your private keys?

The private key can only be decrypted and reconstituted on a Ledger's secure element chip, just as it is initially encrypted and fragmented there. Ledger cannot and does not access users' private keys.

Is Ledger safe from EMP?

The Faraday Bag will also ensure the protection of your electronic devices during an EMP (Electronic Pulse, which can be caused by solar flares). This means you can store your Ledger or Trezor hardware wallet within the Faraday bag, to ensure the device and your digital assets are resistant in the event of an EMP.

Can you use Ledger as a security key?

Yes, you can. Just like a Bitcoin or Ethereum address, the credentials you create with the Security Key app are derived from your seed without revealing anything about it. If you set up a Ledger device using the same 24 words, you can log in using the Security Key app to the same websites using the same credentials.

How secure is Ledger Bluetooth?

Does Bluetooth affect the security of Ledger Nano X? The private keys never leave the secure chip, therefore Bluetooth communication (BLE) does not expose the Ledger Nano X to any additional security threat. The BLE connection is end-to-end encrypted to protect user privacy.

Can Ledger freeze my wallet?

Public blockchains, by design, do not have any authority that can freeze or retrieve funds, close accounts, or otherwise keep people from their assets. Ledger can't reverse transactions, no one can.

What is better than Ledger?

Should I use Trezor or Ledger? Trezor and Ledger are both quality wallets for investors. Trezor may be a better choice for investors who value lower prices and transparency, while Ledger may be a better choice for investors who value user-friendliness and features like staking.

How do I make sure my Ledger is legit?

Simply connect your Ledger device to the 'My Ledger' section within Ledger Live. Each time you connect, a silent genuine check will automatically run, similar to the initial check during setup.

Is my money safe with Ledger?

Since you must physically confirm each single wallet interaction on the device itself, after unlocking it with a PIN code only you know, nobody can interact with your crypto remotely. These security elements are common across all Ledger devices, no matter which you choose.

Can funds be stolen from a Ledger?

While we are confident that Ledger devices are designed to withstand all known vectors of attack, scammers are continually finding ways to use social engineering, phishing, and fraud tactics to trick crypto users to separate them from their hard-earned money.

Article information

Author: Mr. See Jast
