Ledger has full control over the 3-try-wipe pin logic - big single point of failure?
Hi community, look at this chat with Ledger's team:
Did most of you know about this fact, that the **3-try-wipe logic of the pin code sits actually inside the firmware** software and not inside the hardware's secure circuitry?
This becomes a great single point of failure. Because Ledger would be able to do this:
> Ledger staff could technically deactivate/edit the 3-try-wipe logic and thus make unlimited pin guesses (brute forcing) possible
Did you know about it? Again: This is not about the mnemonic, it's about the pin code: when you enter it wrong 3 times in a row, the device gets reset. This makes brute forcing practically impossible. But if this 3-try logic gets deactivated, anyone who gets your device will have access to your funds (it's not hard to brute force 8 digits if you have unlimited tries)! And how many times have people lost their phones? How many times do people get robbed? Very huge security threat when your device gets lost without a wipe-logic in place! No one needs the 24w mnemonic anymore.
Such a single point of failure is not present in software wallets. No wallet can remove your selected wallet pin/password.
In my opinion Ledger should cease control over this wipe-logic just as they cease control over the 24w seed phrase. There should be some sort of solution to this. I wanted you to be aware of this wipe logic issue.
How do you see this topic?
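The point the post makes, as an added toy model (not Ledger's code and not from the original post): a PIN check whose failure counter lives next to the secret, plus the odds of a random guesser succeeding with 3 tries versus unlimited tries on an 8-digit PIN. The PIN value, `MAX_ATTEMPTS` and the helper names are assumptions for illustration.

```python
from dataclasses import dataclass, field
import hmac
import secrets

MAX_ATTEMPTS = 3  # the 3-try-wipe policy discussed in the post (assumed value)


@dataclass
class PinLock:
    """Toy model of a device PIN check with wipe-on-third-failure.

    The failure counter is stored in the same object as the secret on
    purpose: whoever can reset the counter sits inside the same trust
    boundary as the secret, which is the concern the post raises."""
    pin: str
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    failures: int = 0
    wiped: bool = False

    def verify(self, guess: str) -> bool:
        if self.wiped:
            return False
        # constant-time compare so a wrong digit position leaks no timing
        if hmac.compare_digest(self.pin.encode(), guess.encode()):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.wipe()
        return False

    def wipe(self) -> None:
        """Erase the secret and the PIN; the device is now useless to a thief."""
        self.secret = b""
        self.pin = ""
        self.wiped = True


def success_probability(pin_digits: int, attempts: int) -> float:
    """Chance that a uniform-random guesser unlocks within `attempts` tries."""
    space = 10 ** pin_digits
    return min(attempts, space) / space


def run_guesses(lock: PinLock, guesses) -> dict:
    """Feed constructed guesses to the lock and report what happened."""
    for i, g in enumerate(guesses, 1):
        if lock.verify(g):
            return {"unlocked": True, "guesses": i, "wiped": lock.wiped}
        if lock.wiped:
            return {"unlocked": False, "guesses": i, "wiped": True}
    return {"unlocked": False, "guesses": len(guesses), "wiped": lock.wiped}
```

With the counter enforced, three wrong guesses wipe the device; remove the counter and the 8-digit space is exhausted by simple enumeration.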