[...]
I'm not quite sure I can agree with this conclusion. Having the firmware and applications reside on the same chip as the seed does by itself not necessarily mean that the firmware or applications can access it. You can still have an architecture where part of the flash storage is accessible (ie. for firmware updates and installing apps) and some isn't (ie. for securely storing the seed). Additionally it should also be possible to have some parts of memory be accessible by the firmware, but not by applications.
So it's highly speculative whether the other applications can in theory access the whole seed phrase as well.
However, given what we now know and the closed source nature of the code... it's also highly speculative whether the apps can't.
(but we do know that at least the firmware can access the seed phrase, if only due to them admitting to it)
The function to explicitly export the seed phrase from the monero ledger application
has been around for a long time. This means that there are no fundamental restrictions for any ledger application to be able to read the seed phrase.
Looking at the script, I see nothing about it extracting and accessing the seed phrase.
For reference, these are the functions being used when converting the seed phrase directly on the hardware wallet (referred to as "Online" in the Readme):
def send_dict_chunk(dongle, p2, chunk,start,cnt):
header = pack('>4B', 0x00, 0x28, 0x01, p2)
data = pack('>BII', 0,start,cnt) + chunk
apdu = header+pack('>B',len(data))+data
print('.', end='')
dongle.exchange(apdu)
print('.', end='')
def get_online_seed(lang):
if lang['english_language_name'] not in ("English", "Esperanto", "French", "Italian", "Lobjan", "Portuguese"):
error("%s not supported online"%lang['english_language_name'])
print("Open device...")
dongle = getDongle(False)
print("Erase old key words...")
dongle.exchange(pack('>6B', 0x00, 0x28, 0x02, 0x00, 0x01, 0x00))
print("Load dictionnary", end='')
start = 0
cnt = 0
chunk = b''
for w in lang['words']:
w = w.encode('ascii')
if 1+8+len(chunk)+1+len(w) > 254:
send_dict_chunk(dongle, 0, chunk, start, cnt)
start += cnt
cnt = 0;
chunk = b''
chunk += pack('>b', len(w))+w
cnt += 1;
send_dict_chunk(dongle,lang['prefix_length'], chunk, start, cnt)
print()
print("Done.")
print("Your key words are avalaible on your device under 'Settings/Show 25 words' menu.")
print("You can delete it at the end of keyword list.")
All these functions do, is load the Monero-specific word list onto the hardware wallet. And while I don't understand the contents of the APDU (if anyone has a reference at hand that'd be greatly appreciated, as I didn't find any and it has sparked my intrigue), I can see that there's only write operations taking place with no data being fetched from the dongle (ie. nowhere in the code the return value of
dongle.exchange is being used, though in this case it's probably just result and error codes).
Keep in mind that displaying the seed phrase on the hardware wallet's display doesn't imply that the wallet application is able to access it. It can tell the dongle to display the seed phrase without having access to it itself. To some extend this even applies to the firmware, but that depends on the architecture of the device and as we've seen for Ledger that's not the case anyway (the firmware not having access to the seed phrase, that is).
Please note that I'm not saying that this proves that applications can't access the seed phrase. I'm just saying that
this particular example does not access the seed phrase.
Regardless of that, I agree with your conclusion:
It is reasonable in my opinion to consider any activated ledger hardware wallet already compromised (and any security model based on a "black box" is inherently weak), in order to avoid unnecessary frustration.
