Ledger is 95% OpenSource, why not 100%?

At Ledger, our mission is to make digital ownership easy to use without ever compromising on security or self-custody. We promise to deliver the best security architecture; resilient by design and without compromise, for individuals and enterprises.

Beware of other wallets and custodians who make compromises that are simply below Ledger’s standards then justify these compromises with FUD. When you buy Ledger devices, you can rest assured that we have considered every trade-off when selecting our security architecture and have not made any compromises; driving toward what security experts agree is the most secure architecture choice at each step.

This includes Ledger’s choice of a Secure Element to generate and store your private keys, perform your crypto transactions, and drive the input/output (a touchscreen in Ledger Stax and the screen and buttons on Ledger Nano). Devices without a Secure Element, secure screen, and input do not meet Ledger’s security standards and you won’t see us make that architectural trade-off. 

Contrary to annoying FUD you may read on Twitter placed by competitors with inferior architectures, Ledger’s Operating System and Software are 95% OpenSource and/or available for you to review here:

• Ledger Live
• Wallet API
• Secure SDK (including crypto library and its documentation)
• Embedded applications that run on all of our Ledger devices
• OS commands dispatcher 
• Entry points of Ledger Recover implementation

Plus we’ll continue to organize and release as much code as possible for review. You can review our full OpenSource/review-ready roadmap here.

Our choice of a secure element chip based on smartcard technology impacts our ability to be 100% OpenSource. 

Your entire experience on a Ledger device is driven by a Secure Element chip, the same kind of SmartCard technology that is in your credit card or your passport. These Secure Elements have been hardened over tens of years and dozens of billions made and used across a variety of secure hardware.

Our agreement with the maker and provider of this chip, STMicroelectronics, legally prevents us from exposing the low-level code that talks to the hardware blocks of the Secure Element. Secure Element designers have invested billions over the last decades in building the IP and raising the bar for security. They want to keep their competitive advantage. This is the reason why they prevent firmware developers from disclosing parts of the code that are circuit-dependent.

Herein lies the trade-off. Would you prefer a secure chip, hardened over tens of years and many billions of uses at the expense of not being able to review the small amount of code talking directly to the chip, or do you prefer a less secure chip? Ledger always chooses security, and in this case, the call is quite easy. We chose the Secure Element chip.

Additionally, in all cases, you rely on low-level code embedded in any circuit: this is always closed source. The same applies to the circuit design itself.

Other wallets have chosen to prioritize OpenSourcing by opting for a less secure chip or incorrectly claiming their Secure Element is fully OpenSource. However, these OpenSource approaches don’t meet Ledger’s security standards. “OpenSource” Secure Elements without appropriate safeguards can be exploited, and if a device’s architecture relies on processing sensitive information with any chip other than the Secure Element—such as an insecure MCU—this poses another vulnerability.

The idea of a truly OpenSource secure element is not new to Ledger, and something we’ve considered building in the past. However, building this securely poses several yet-solved challenges, and it’s possible that finding a solution with today’s technology may be wishful thinking.

At Ledger our focus is the best security TODAY, and Ledger’s architecture choices unquestionably provide this ahead of any other wallet choice on the market. 
We always recommend you do your research and discuss with security experts. We hope this explanation helps you understand which questions are important when choosing a hardware wallet, and why Ledger has made choices without any compromise on security.