Amid fallout over Ledger’s controversial decision to allow private keys to be “recovered” from its devices, cold storage competitor GridPlus has announced that it will move to “open source” the firmware of its crypto wallets.
GridPlus took to Twitter on May 17 to inform its 17,500 followers that it will open source the firmware of all its crypto devices in the third quarter of this year, in what it says is a bid for greater transparency.
The most trusted name in cryptography, relied upon by the world’s governments for their highest security applications for decades, sold products backdoored by the CIA. How can we ensure this won’t happen again? Open-source software.
GridPlus will open-source its firmware in Q3.
— GridPlus (@gridplus) May 18, 2023
“This week’s hardware wallet discussions laid bare trust assumptions taken for granted,” wrote GridPlus in a follow-up comment.
“We as an industry must hold ourselves to the highest standards and we call on all other hardware wallet manufacturers to open-source their firmware as well for the benefit of our ecosystem.”
Much of the ire directed at Ledger over the last 48 hours stems from an update to its firmware — a term for software that’s built into a hardware device — that would allow the potential extraction of a user’s private key from their cold storage device, despite the company reportedly assuring users of the opposite in the past.
Notably, Ledger’s firmware is closed source, meaning that only developers from the company itself can view the code and inspect it for flaws. Open-source code, on the other hand, allows any programmer to access and inspect existing code to improve it and check it for potential errors.
Speaking directly to this point in a May 17 Q&A session on Twitter, Ledger Support clarified that it had “always been possible” for the company to write code that would allow for key extraction and that users must trust Ledger.
(1/2) Technically speaking it is and always has been possible to write firmware that facilitates key extraction. You have always trusted Ledger not to deploy such firmware whether you knew it or not.
— Ledger Support (@Ledger_Support) May 17, 2023
While Ledger’s announcement subverted many users’ understanding of the kind of privacy features its products offered, some have suggested that the outrage has been blown out of proportion.
Competitors appear to have been quick to capitalize on Ledger’s poorly received announcement, with some choosing to offer discounts across the bulk of their products, including Trezor, Blockstream’s Jade and BitBox.