
Evaluating the security and trustability of hardware wallets

As Bitcoin appreciates in value, it is more important than ever that we encourage users to withdraw their coins from exchanges and store them securely. For the average user, storing sizable quantities of Bitcoin requires a hardware wallet.

But how do we evaluate the security and trustability of the numerous hardware wallets available on the market today?

Foundation is concerned with new entrants making false claims with regard to open source security models and trustability. We believe it is imperative that our industry self-regulates and follows a clear set of disclosure criteria – so that hardware wallet buyers can make well-informed purchasing decisions.

In this post, we propose a set of criteria with which to evaluate hardware wallets. To avoid bias, this post does not attempt to rank the security or trustability of any specific hardware wallet, and all company and product names have been redacted in quotations.

Proposed Criteria:

  1. Open or Closed Security Model
  2. Trustable Components
  3. Trustable Supply Chain
  4. Present vs. Future Capabilities
  5. Honest Claims
  6. Security Certifications
  7. Bitcoin PSBT Support

Read on for more details!

Open or Closed Security Model

Hardware wallet producers must disclose whether their security model is open or closed source. There is no middle ground. If parts of the design are secret – such as undisclosed portions of the circuit schematics, redacted component information, or closed source code – then the hardware wallet is closed source.

Foundation has recently observed bizarre open source claims from hardware wallet producers. For example, one claimed to have “pioneered the hardware wallet industry’s first open source secure element firmware” – while not disclosing that the device’s operating system is closed source!

This same producer claims that their “hardware wallet application layer, device schematic (circuit diagram), and bill of materials (BOM) are also open source” – but does not mention that their schematics omit certain information and that their BOM does not include details of the secure element chip.

Another popular producer rightfully states that the apps running on its hardware wallets are open source, but fails to mention that the device firmware itself is closed source.

This is important because most consumers take open source claims at face value. If they are told that a hardware wallet is open source, they expect that experts in the Bitcoin community are able to research and verify the hardware and software running on the wallet. We must provide consumers with accurate information and empower them to make informed purchasing decisions.

Furthermore, it takes a great deal of time and effort to open source hardware products. Producers must provide proper documentation, comments, and build instructions for firmware. Circuit schematics must be legible, self-explanatory, and properly formatted. Electrical designs must be exported to the correct file formats. Bills of materials must detail every component. Datasheets for each component must be provided when possible.

If our industry becomes comfortable with a degraded definition of open source hardware, then we reduce the incentive for producers to be honest and forthcoming. We risk “open source” becoming a buzzword that every hardware wallet producer slaps onto their marketing material in order to sell more units.

For more detailed guidance, we strongly encourage open source hardware wallet producers to comply with OSHWA criteria and open source all hardware under CERN’s Open Hardware License (OHL). This covers many edge cases, such as components on the BOM requiring manufacturer NDAs for datasheet access.

Foundation is currently unaware of any hardware wallet that meets OSHWA criteria and is open sourced under CERN OHL or a similar open hardware license.

Trustable Components

A hardware wallet must be ultra-secure. Therefore, hardware wallet producers must carefully select components that can be trusted. Since hardware today cannot be fully trustless, as we must rely on third party components and global supply chains, Foundation refers to trustworthy components as “trustable.”

Below are common hardware wallet components and potential concerns.

  • Screen
    Does the screen include an integrated processor running closed source firmware? Most modern high resolution displays are running black-box silicon. Is the supply chain opaque? Most AMOLED and E-Ink displays have highly proprietary supply chains. What company manufactures the screen – is it an OEM off Alibaba or a more reputable company like Sharp?
  • Touch Panel
    If using a touch panel instead of a physical keypad or buttons, does it contain an integrated processor running closed source firmware? Most high-quality multitouch surfaces include an embedded CPU.
  • Processor (also referred to as MCU)
    What company manufactures the processor? Is it a small China-based producer or a more reputable company like NXP, STM, or Microchip?
  • Secure Element
    Is the secure element a “dumb” device that cannot execute code, or is it running firmware and an operating system? Does the hardware wallet producer know what firmware is running on the secure element, and do they open source that firmware? Is the secure element a black box? What company manufactures the secure element – a small China-based producer or a more reputable company like NXP, STM, or Microchip?
  • Camera
    Does the camera include an integrated processor running closed source firmware? Most cameras do. If so, does the hardware wallet sanitize the input from the camera, and can the hardware wallet producer demonstrate this by open sourcing the code?
  • Lithium Ion Battery
    Does the battery contain an integrated processor running closed source firmware? Some hardware wallet attack vectors include monitoring the power consumption during usage. What company manufactures the battery?

Foundation is heavily inspired by the work of bunnie, a well-known open source hardware expert. Read more about trustable hardware on his blog.

Trustable Supply Chain

Hardware supply chains are complex, and it is rare to see vertically integrated hardware producers. Most hardware companies rely on contract manufacturers, and all hardware companies rely on component supply chains that originate in China. So that buyers can make an informed purchasing decision, Foundation believes that hardware wallet producers must disclose the following:

  1. Suppliers of key components such as the screen, touch panel, secure element, camera, and battery. This should be done even if the hardware wallet is closed source, as it is trivial to identify this information with a tear-down.
  2. Name and location of third party engineering firms that contributed to hardware wallet design. For example, buyers need to know if a US-based wallet producer outsourced electrical engineering work to a firm in China.
  3. Location of contract manufacturer(s). While it is prudent to keep manufacturer names confidential for security reasons, it is important to know the general location of manufacturing. For example, buyers need to know if a European wallet producer outsourced manufacturing to China.

Present vs. Future Capabilities

Hardware wallet producers will improve their products over time, both by adding new features and responding to bug reports and vulnerabilities. We know that it is tempting to rush a hardware wallet to market in order to generate revenue as soon as possible, but producers must understand that they are selling important security devices. The industry must judge hardware wallet producers on the capabilities of their devices today – not based on future roadmaps.

We’ve recently observed new hardware wallet entrants promise to open source components of their designs in the future, or add critical features like PSBT support in a future release.

In a Twitter DM with one hardware wallet producer, I asked in regard to a mobile companion app:

So you’re comfortable letting your customers use the app, but won’t release the code?

They replied:

We are comfortable letting users use the app. We just think doing a code audit before open sourcing it is a responsible way compared to directly open sourcing it.

This is mind-boggling to me, as the company admitted that it feels comfortable having users download a closed-source, unaudited companion app and use it to secure their cryptocurrency. Our industry must judge hardware wallet producers by the present capabilities of their devices, and push back hard on any company that states “we will do X in the future.”

Honest Claims

Foundation has observed numerous false claims by hardware wallet producers with regard to device security and capabilities. Most consumers do not have the expertise to determine whether claims are truth or fiction. Therefore, the community must hold hardware wallet producers accountable and call out any false or exaggerated claims.

Below are some claims we’ve recently observed:

Hackers simply cannot even attempt to steal your crypto

The first Bitcoin wallet to secure against physical attacks

The combination of multi-layer and multi-sig protections creates the most physically secure storage wallet ever created

Thanks to its innovative key generation and recovery system, you will always be safe from any attack

The WORLD’S FIRST Multicurrency, Non-electronic Hardware Wallet

[Wallet] adopts an industry-first 2-Factor Key Generation (2FKG) process for the production and private key generation for our physical wallets. The 2FKG process ensures the highest safety standards for your cryptocurrency assets.

Anti-Tamper: Theft is not an issue as [Wallet] is protected from physical attacks.

The Cold Wallet, not just a hardware wallet. Air-Gapped. Anti-Tamper. Trustless Trust

The [Wallet] is built around the most secure type of chip on the market, ensuring optimal security for your crypto.

The Best Security…[Wallet] offers the best level of protection: your key remains protected in a certified secure chip.

Many of these claims are complete lunacy (“Hackers simply cannot even attempt to steal your crypto”), but many buyers of hardware wallets will take these claims at face value. Others are more nuanced (“built around the most secure type of chip on the market”), but are attempting to state opinion as fact.

Hardware wallet producers must understand that they are not selling toaster ovens or calculators – they are selling important security devices that are designed to safeguard large amounts of cryptocurrency. Hardware wallets are imperfect. Hardware security is imperfect. There will always be vulnerabilities. Producers must make honest claims.

Security Certifications

Some hardware wallet producers advertise security certifications like EAL5. There is nothing inherently wrong with security certifications, but we must recognize their shortcomings.

  1. Component producers pay certification organizations to certify their products. It’s important to understand this incentive structure.
  2. Certification processes do not cover every attack vector; components are placed through a predefined process with predefined scenarios.
  3. Certifications are not a replacement for independent reviews.

We as an industry cannot allow hardware wallet producers to hide behind security certifications. For example, a recently launched hardware wallet producer described its product as follows:

A 100% offline, anti-tampered cryptocurrency hardware wallet and the only one in the world with the highest security certification for its secure firmware (EAL7)

I emailed the company asking for further clarification on whether the firmware was open, and was told:

We’ll make a lot of the code available on github etc, but our secure firmware which has earned the highest security certification in the world (EAL7, as per press release tomorrow), will be closed sourced (as well as the secure element). We hope to go more towards the open source end gradually.

This is massively misleading for average consumers who do not understand how security certifications work. We cannot allow new hardware wallet producers to hide behind certifications as an alternative to making their devices open source and auditable.

Bitcoin PSBT Support

As a bonus, Foundation believes that hardware wallets that support Bitcoin should clearly disclose whether or not they support partially signed Bitcoin transactions (PSBT). PSBT is a standard format for Bitcoin transactions which, among other things, makes it easy to create multisig setups across different hardware and software wallets.

Hardware wallet producers that do not support PSBTs are perpetuating walled-garden ecosystems, discouraging Bitcoin innovation, and drastically increasing the difficulty for software wallet developers to integrate with new hardware wallets.
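To make concrete what “PSBT support” actually asks of a signing device, here is an added example (not Foundation’s code, and not any wallet’s firmware) of the structural checks a signer performs on a BIP 174 PSBT before it touches a key: the magic bytes, the global/input/output key-value maps, the unsigned transaction inside the global map, and the requirement that the number of input and output maps matches that transaction and that its scriptSigs are empty. The sample PSBT bytes are constructed inline (fake txid, placeholder scripts) purely to exercise the parser; the helper names are the example’s own.

```python
"""Minimal BIP 174 (PSBT) envelope parser.

Added example: validates the PSBT container structure that any
interoperable signer must check before signing. Not Foundation's code.
"""
import struct

PSBT_MAGIC = b"psbt\xff"              # fixed prefix from BIP 174
PSBT_GLOBAL_UNSIGNED_TX = 0x00        # global key type holding the unsigned tx
PSBT_IN_SIGHASH_TYPE = 0x03           # per-input key type (used in the sample)


def read_compact_size(buf: bytes, pos: int):
    """Bitcoin CompactSize varint; returns (value, next_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def read_map(buf: bytes, pos: int):
    """Parse one key-value map terminated by a 0x00 separator."""
    entries = {}
    while True:
        if pos >= len(buf):
            raise ValueError("map not terminated")
        klen, pos = read_compact_size(buf, pos)
        if klen == 0:                      # separator: end of this map
            return entries, pos
        key = buf[pos:pos + klen]
        pos += klen
        vlen, pos = read_compact_size(buf, pos)
        value = buf[pos:pos + vlen]
        pos += vlen
        if len(key) != klen or len(value) != vlen:
            raise ValueError("truncated key-value pair")
        if key in entries:                 # BIP 174 forbids duplicate keys
            raise ValueError("duplicate key in map")
        entries[key] = value


def parse_unsigned_tx(tx: bytes):
    """Walk a non-witness serialized tx; return (n_inputs, n_outputs)."""
    pos = 4                                            # version
    n_in, pos = read_compact_size(tx, pos)
    for _ in range(n_in):
        pos += 36                                      # prev txid + vout
        slen, pos = read_compact_size(tx, pos)
        if slen != 0:
            raise ValueError("unsigned tx must have empty scriptSigs")
        pos += 4                                       # sequence
    n_out, pos = read_compact_size(tx, pos)
    for _ in range(n_out):
        pos += 8                                       # amount
        slen, pos = read_compact_size(tx, pos)
        pos += slen                                    # scriptPubKey
    pos += 4                                           # locktime
    if pos != len(tx):
        raise ValueError("trailing bytes in unsigned tx")
    return n_in, n_out


def parse_psbt(psbt: bytes) -> dict:
    """Validate the PSBT envelope and return a summary of its maps."""
    if not psbt.startswith(PSBT_MAGIC):
        raise ValueError("bad PSBT magic")
    pos = len(PSBT_MAGIC)
    global_map, pos = read_map(psbt, pos)
    tx = global_map.get(bytes([PSBT_GLOBAL_UNSIGNED_TX]))
    if tx is None:
        raise ValueError("global map lacks unsigned transaction")
    n_in, n_out = parse_unsigned_tx(tx)
    input_maps, output_maps = [], []
    for _ in range(n_in):                  # exactly one map per tx input
        m, pos = read_map(psbt, pos)
        input_maps.append(m)
    for _ in range(n_out):                 # exactly one map per tx output
        m, pos = read_map(psbt, pos)
        output_maps.append(m)
    if pos != len(psbt):
        raise ValueError("trailing bytes after output maps")
    return {"inputs": n_in, "outputs": n_out,
            "input_maps": input_maps, "output_maps": output_maps}


def is_well_formed(psbt: bytes) -> bool:
    """Boolean wrapper a signer could gate on before inspecting outputs."""
    try:
        parse_psbt(psbt)
        return True
    except (ValueError, IndexError, struct.error):
        return False


def build_sample_psbt() -> bytes:
    """Constructed sample: 1 input, 2 outputs, no signatures. Not a real tx."""
    cs = lambda n: bytes([n])                          # CompactSize for n < 0xFD
    txin = b"\x11" * 32 + struct.pack("<I", 0) + cs(0) + b"\xff\xff\xff\xff"
    spk = b"\x00\x14" + b"\x22" * 20                   # P2WPKH-shaped script
    txout = lambda sats: struct.pack("<q", sats) + cs(len(spk)) + spk
    tx = (struct.pack("<i", 2) + cs(1) + txin + cs(2)
          + txout(50_000) + txout(49_000) + struct.pack("<I", 0))
    global_map = cs(1) + bytes([PSBT_GLOBAL_UNSIGNED_TX]) + cs(len(tx)) + tx + b"\x00"
    input_map = cs(1) + bytes([PSBT_IN_SIGHASH_TYPE]) + cs(4) + b"\x01\x00\x00\x00" + b"\x00"
    output_maps = b"\x00" + b"\x00"                    # two empty maps
    return PSBT_MAGIC + global_map + input_map + output_maps


if __name__ == "__main__":
    summary = parse_psbt(build_sample_psbt())
    print(summary["inputs"], "input(s),", summary["outputs"], "output(s)")
    print("truncated PSBT well-formed?", is_well_formed(build_sample_psbt()[:-1]))
```

The point of the structural pass is that a device which honestly supports PSBT can be handed a partially signed transaction by any software wallet (for example the other cosigners in a multisig) and reject malformed input before parsing scripts or deriving keys; a wallet that only accepts its own proprietary transaction format offers none of this interoperability.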

Conclusion

Foundation hopes that this post is a starting point in a larger conversation around hardware wallet requirements in the Bitcoin and cryptocurrency industry. We must self-regulate in order to provide consumers with the most secure possible products in order to safeguard their assets.

Bitcoin and the sovereign Internet need open hardware

Our entire world is based on trust. We trust that our banks will safeguard our deposits; we trust that companies will keep our personal data private; we trust that governments will keep us safe. 

But is this sustainable? Over the past decades our trust in critical institutions has slowly eroded. Irresponsible banking practices plunged us into repeated economic crises. Facebook and Google collect our personal data at an unprecedented scale, while repeatedly failing to implement sufficient safeguards against data breaches and leaks. And now, as the COVID-19 crisis progresses, our governments are working with tech companies to expand mass-surveillance capabilities. 

The solution is clearly a sovereign Internet and financial system built on Bitcoin and other sovereign technologies. Bitcoin allows us to opt out of the existing system, transacting peer-to-peer without trusted third parties. 

Open source makes Bitcoin possible. Without open source, there would be no way to independently verify that Bitcoin has a maximum supply of 21 million coins; there would be no way to understand how it functions. Without Bitcoin’s open source code, we would be forced to trust third parties. Open source is the bedrock of our emerging sovereign Internet.

At Foundation Devices, we strongly believe that open source software alone is insufficient – open software must run on open hardware. And while we’ve seen immense progress in the FOSS movement and Bitcoin, we’ve seen little progress in open hardware. 

Hardware today is a web of proprietary intellectual property, non-disclosure agreements, and security-via-opaqueness. Want to know more about how that hardware wallet is keeping your Bitcoin safe? Sign that NDA and learn about that EAL5+ security certification and proprietary operating system!

Ledger Nano X product page

This opaque hardware security model may be fine for your passport or credit card. But with the rise of Bitcoin and cryptocurrencies, for the first time ever real money can be stolen without any recourse. No bank or credit card company can reverse a Bitcoin transaction. No government will provide your Bitcoin wallet with FDIC insurance.

If an employee at Ledger adds a vulnerability to the proprietary, closed source firmware running on the STMicroelectronics (STM) security chip, your funds could be stolen. If a security researcher discovers a vulnerability in the STM security chip, you will not be notified without signing an NDA. If a government works with STM to insert a backdoor into their security chip, you will never know. 

With Bitcoin’s market cap at around $160B, there are minimal incentives for our institutions to misbehave. But what about at a $1T market cap? $10T? The incentives continue to grow, and it is inevitable that companies and governments will attempt to compromise Bitcoin hardware in this decade.

And what about when every device is transacting with Bitcoin, sending machine-to-machine micropayments? What happens when our entire economy is built on Bitcoin? Every device – from cellphones to laundry machines – becomes a hardware wallet. 

Closed, trusted hardware security models no longer work in a Bitcoin world!

So what do we do? We build open source hardware. We start by designing products with more trustable components, assembled in a more trustable USA-based facility. We produce open source, legible circuit schematics using a respected license like CERN’s Open Hardware License. We publish all firmware as open source under MIT or GPL3 licenses. We clearly identify the components that require trust, such as the processor and secure element, and we work to source or build our own components that are more open and trustable.

In addition to emphasizing open source, we deliver great design and UX. We make open hardware with mass-consumer appeal. We prove that open hardware can be beautiful, intuitive, approachable. We demonstrate that open hardware can sell! 

We start with a hardware wallet and move to other critical products. We build the open hardware foundation for Bitcoin and the sovereign Internet.

Introducing Foundation Devices: a new Bitcoin hardware company

We believe Bitcoin and decentralized technologies will empower the individual, leading to a better world where people control their own data and their own money. This is the dream for our industry; this is the reason why so many of us have chosen to start or join Bitcoin companies. We seek to eliminate the need for trusted third parties – like banks, cloud providers, and even governments – in order to make our systems more efficient and more accessible. And we seek to move power away from central points of failure to the edge; to the people.

As we build our industry from the ground up, we must remember this principle. We must build products and services that enable individual sovereignty.

We are concerned that today’s most mature Bitcoin and decentralized tech companies are the most centralized and opaque. Coinbase provides a custodial exchange. Blockchain.com provides a hosted wallet. Bitmain is a web of secrecy. Our industry’s biggest players provide trusted exchanges, trusted wallets, trusted mining pools, trusted lending services, trusted nodes – and even trusted hardware wallets! (Yes Ledger, we are referring to you.)

Have we forgotten the point of it all? Have we forgotten why we are all here?

So many of the Bitcoin products and services that successfully enable sovereignty – like Electrum, Wasabi, Samourai, Nodl, and Coldcard – are fantastic offerings that lack consumer-oriented UX. While we love and use these products, they will never “cross the chasm” to the land of mass consumer adoption.

We worry that as Bitcoin and decentralized tech reach the next phase of adoption, the vast majority of consumers will become dependent on centralized providers. We will have succeeded at creating a different financial system with different intermediaries. But we will have failed at empowering the individual and building a new Internet.

This is why we started Foundation – to make beautifully designed, open source hardware for Bitcoin and the decentralized Internet. To bring great design and UX to hardware wallets, nodes, and more. To allow mass consumers to securely use and store Bitcoin while maintaining their sovereignty. To help our industry cross the chasm while staying true to our founding ideals.

We call this open hardware. And we are excited to bring it to the world.

Our Mission

Foundation Devices strives to empower humankind – to make Bitcoin and decentralized tech accessible to each and every individual in order to build a new era of sovereignty, ownership, and privacy. Our products are the foundation of a better, sovereign Internet.

Our Values

  • Foundation offers best-in-class security and privacy via openness. No walled gardens; no closed source engineering. We are the antithesis of existing tech companies.
  • Foundation products are beautiful, intuitive, and approachable. Bitcoin and decentralized tech already have a steep learning curve; our products do not.
  • Foundation gives sovereignty to individuals and businesses. We empower you to take ownership and control of your money and your data.
  • Foundation products reflect our optimism about the future. We are building a better Internet based on a better form of money. Our products feel positive, aspirational, and a bit sci-fi.

Next Steps

This summer, Foundation will launch a new Bitcoin hardware wallet that provides the same security model as Coldcard while offering a beautiful, intuitive hardware and UI design. From day one our hardware wallet will be compatible with popular desktop and mobile applications. We will open source all circuit schematics, design files, and firmware – and we will assemble exclusively in the USA.

Over the next several weeks Foundation will release blog posts discussing the importance of open source hardware, diving into hardware challenges faced by our industry, and providing more details about our upcoming hardware wallet.