
Yup and the exact same thing could be happening right now with hardware wallets. We mentioned this in our piece on Hardware Wallet Risks.
A small excerpt...
As you can imagine, there are only so many manufacturers that make MCUs that meet all these requirements whilst also being the right size, the right price, reliable and so on. This means there are only a few chip types out there to use. So which MCU does your Hardware Wallet use? It’s probably the STM32.
  • Trezor: The Bill of Materials for their One and Model T devices both list the STM32
  • Ledger: Their website states that their products use the STM32
  • Coinkite: Their website states that the COLDCARD Mk4 uses the STM32L4S5VIT6
As you can see, many of the top Hardware Wallets out there all use the same STM32 microcontroller, which becomes a problem because now you have the vast majority of Hardware Wallets all using the same product from the same manufacturer: STMicroelectronics.
STMicroelectronics is a Dutch multinational corporation and technology company of French-Italian origin headquartered in Plan-les-Ouates near Geneva, Switzerland and listed on the French stock market. The company resulted from the merger of two government-owned semiconductor companies in 1987: Thomson Semiconducteurs of France and SGS Microelettronica of Italy. - Wikipedia
This is centralisation and it’s bad because when something that’s critical to security is big and centralised, it can be compromised far more easily than if it’s decentralised over thousands and thousands of other smaller things. To make matters worse, STMicroelectronics was formerly owned by two governments! So if the French, Italian or any other government wanted to insert a back door into the STM32 chip, it likely wouldn’t be too hard a thing to line up.
Compromises Have Happened Before
At this point you might be thinking that maybe all this “government spying on you” stuff sounds like a bunch of tin-foil-hat-wearing, crazy conspiracy-type thinking, and you’re right. It is crazy. But. That doesn’t mean it hasn’t happened before… multiple times.
There have been multiple programs that have been publicly exposed outlining the extraordinary lengths departments like the CIA or NSA will go to. From global monitoring programs like PRISM or MUSCULAR to the CIA literally buying companies like Crypto AG to spy on governments all over the world, it’s clear that nothing is off bounds. Plus, you know it’s not just America that’s doing this, it’s everyone.