COLDCARD Mk4 for Bitcoin is incomparable to all the others and has stood the test of time repeatedly. The Foundation Passport is also very sufficient since it had their security model in mind. I think Blockstream Jade has something going for it as well, but it is still a new product and its security model mainly boils down to not trusting itself because of the shortcomings of not using a secure element.
I would consider that a strong-security hardware wallet should have:
  • Source-available firmware with bonus points for being reproducible builds.
  • Secure boot support to prevent running compromised/unsigned firmware or usage of stored secrets with that firmware.
  • Good hardware security either by a secure element or by trusting a second external component for seed usage.
  • Air-gapped functionality.
  • A proven and transparent track record for dealing with security issues.
A plus is firmware attestation also.
Being entirely open source would be a plus, however components such as secure elements will not be open source. But you will often find hardware wallets that don't use secure elements (Trezor) have serious, unfixable hardware vulnerabilities.
Business attitude and communication play a part in this; personally, I am more likely to trust a wallet manufacturer who knows the limitations of their device than one who says something misleading or incorrect. The big issue with the whole Ledger Recover situation is that they claimed 'A firmware update cannot extract the keys from the secure element' (false) and then backtracked later and said it was always possible and you trusted Ledger not to (true). Anyone can make malicious firmware for any device to do something like this, and the limitations should be well communicated to prevent controversies like this.
Even if Ledger Recover is 'completely optional', 'does not increase attack surface' and is 'only for the Nano X' etc. as they claim, they will immediately have people trust these words less because what they said was misleading in the past. I still wouldn't have used Ledger before this because of the proprietary firmware anyhow.
As for popular wallets here is what I think of the ones I have direct knowledge with:
  • COLDCARD: Essentially top tier, great hardware security, reproducible source-available firmware, secure boot, and runs entirely airgapped. I think their controversy with Foundation is a sore wound to communication but it's far from a violation of security by any means. Coldcard still has open-source firmware but with the Commons Clause license, meaning commercial-use forks are not permitted.
  • Foundation Passport: Not used it, but it appears to be Coldcard but with a camera and a different appearance. So I would presumably trust it.
  • Blockstream Jade: Reproducible FOSS firmware, secure boot, airgapped. Has no secure element or true hardware security but overcomes it by not trusting itself entirely and using a 'Blind Oracle' (second device of choice) to manage authenticating the device.
  • Trezor: Basically the same as Jade but not airgapped and does not do anything to overcome the hardware security problem. Therefore physical access can brute force the PIN to extract funds. This old attack was even redone with the Model T very recently (video). To mitigate this problem you can use a 30+ digit PIN with a passphrase. Trezor's secure boot functionality is probably the best of all the wallets I have seen, however; it is very third-party-firmware friendly. Their commitment to making an open-source secure element (Tropic Square) should be looked at.
  • BitBox: Not used. But other comments have discussed an issue I personally would not be happy with, seems to not meet my requirements anyhow.
  • SeedSigner: It's a Raspberry Pi, which lacks hardware security and has a lot of proprietary components alone. You cannot perform any sufficient attestation on a Raspberry Pi since the device has no compatibility for it compared to a for-purpose hardware device. I also can't find anything that claims SeedSigner uses secure boot. There are ways it overcomes this issue, such as using a QR code for the seed phrase instead of storing it, to my knowledge. I'd probably consider it fine if you don't care about hardware security or physical compromise.
  • Ellipal: No open source firmware, everything else seems in good order, but I wouldn't ever use one.
  • Ledger: No (closed source firmware, awful communications). Once they open-source the firmware like they promise to, I will give them a chance and take a look.
Anything else I have not used or not heard of.