Ngrave is only in pre-sale and price is a big no no, for me.
I also don't like their claims stated on website at all.
For example:
'most secure solution on the planet'
'The most advanced wallet generation process in the world'
They also have one more stainless steel plate backup thing called Ngrave Graphene that claims to be 'fire-, water-, buried-, & shock-proof everlasting'
source: ngrave.io
Topic: Is NGRAVE ZERO worth its money? (Read 471 times)
That price tag is killing it for me. ~
Honestly for me too, the price must be twice as low for device from the new company which is only going to enter this market. In that security equation there is another unknown variable i.e. in which way the device would receive the update of firmware and whether it would be updated at all after release.
To me, making QR codes for transaction requests and signatures (the only real advantage I see it has in the comparison) ideally has more security than using Bluetooth to communicate with an app (Ledger Nano X) or using a desktop app that communicates via USB (Ledger Nano S), but then again, if that's the only real reason why someone would use this over more established hardware wallets, there are other software-based wallets that can make QR codes like that too, if that's what you want. And support for those alternatives is often more transparent than XYZ vendor's customer support system due to the fact that more people know how software-based qr code wallets work, versus a hardware wallet that only the vendor knows how to service.
Seems silly but this does solve most worries about USB power security issues:
http://usbcoldpower.com/
That's a really cool device, but it doesn't protect against the kind of attack I'm envisioning.http://usbcoldpower.com/
There was another hardware wallet, the Ellipal wallet, released last year which also made a big song and dance about being completely airgapped, having no connections, immune to being attacked, etc., much like the Ngrave wallet is claiming. It also had a USB port which was only used for charging. Ledger opened the device up (https://donjon.ledger.com/Ellipal-Security/#finding-2-usb-interface) and found that actually the data pins were simply not connected, and after a quick soldering, were able to use the USB port to access the bootloader, dump the flash, and extract the private keys.
All the things Ngrave are claiming sound great, but honestly, we've heard them all before, and seen them all be compromised before.
Seems silly but this does solve most worries about USB power security issues:
http://usbcoldpower.com/
Brought to you form the people who make the ColdCardWallet.
There have been a lot of "new & better" hardware wallets lately. None have really impressed me.
I know I keep saying it but you need these 3 things to trust a HW wallet:
1) Open source hardware design. Publish how to build one if you want to and where to source the parts. Case and such not needed but the hardware must be.
2) Open source firmware
3) When there is a vulnerability or security concern, no matter how trivial or difficult to exploit tell you about it.
Without those 3 things it's tough to trust.
Stay safe.
-Dave
http://usbcoldpower.com/
Brought to you form the people who make the ColdCardWallet.
There have been a lot of "new & better" hardware wallets lately. None have really impressed me.
I know I keep saying it but you need these 3 things to trust a HW wallet:
1) Open source hardware design. Publish how to build one if you want to and where to source the parts. Case and such not needed but the hardware must be.
2) Open source firmware
3) When there is a vulnerability or security concern, no matter how trivial or difficult to exploit tell you about it.
Without those 3 things it's tough to trust.
Stay safe.
-Dave
I am surprised that no one has pointed out that according to that image, Ledger Nano X has no internal battery which is obviously not true. I don't believe that it is not an intentional mistake. Also, ''Offline experience" should be marked differently (something between Yes and No). Both Ledger and Trezor are supported by Electrum which can work offline. Also, Trezor users can run a local version of Trezor Wallet.
Reading the text on their indiegogo page, they accuse other wallets of a lot of negative things, but offer absolutely zero proof that they don't do the same thing. An example:
A couple of other concerning things:
It looks nice, I'll give them that, but so far it is just another airgapped device you communicate with using QR codes. Until it has been aggressively penetration tested, then it certainly isn't worth $250.
Quote
Existing solutions give you a key, so they may have a database holding all the keys they ever made, including yours. They also rely completely on the interior chip for generating your key, and also here there could be backdoors, as has been proven in recent history.
The ZERO introduces a whole new key generation process that not only relies on the interior chip, but that also includes your biometrics and your surrounding light.
That's great and all, but there is absolutely zero proof that they also don't just "give you a key". You can scan my fingerprint, you can even let me enter my own entropy, and then just spit out a pre-generated key anyway. Unless I am generating my key manually by flipping a coin or similar, then I am still "relying completely on the interior chip".The ZERO introduces a whole new key generation process that not only relies on the interior chip, but that also includes your biometrics and your surrounding light.
A couple of other concerning things:
Quote
The NGRAVE "Perfect Key" is the 64 character hexadecimal equivalent of a 24-word mnemonic phrase / 256-bit (0s and 1s) master seed. Hexadecimal means that each character of the key can have one of 16 values (0-9; A-F). With 16 values per character and 64 characters, this equals a 256 bit key. What makes the “perfect key” is the ability to resolve the challenges of using words-based backups.
Why are they encouraging people to back up a 64 digit hexadecimal number? Quote
As the ZERO never needs to connect over USB, Bluetooth, NFC, Wifi, 4G or any other network connection, hackers simply cannot even attempt to steal your crypto.
That's all well and good, except:Quote
There is a USB-C port for charging and firmware updates.
So there absolutely is a USB connection that hackers could exploit.It looks nice, I'll give them that, but so far it is just another airgapped device you communicate with using QR codes. Until it has been aggressively penetration tested, then it certainly isn't worth $250.
I did not read the white paper details, but the device does not provide creative solutions, merely repeats some things like:
- Security tools: a password, fingerprint, and some words for recovery look traditional and can be easily broken.
- Wallet seeds: I have not read about how to drive it, but they must be compatible with some wallets, such as Electrum, for more features.
- Battery charging time and features: Since it is a wallet, there are many unnecessary features that will affect the battery charging time.
- Security tools: a password, fingerprint, and some words for recovery look traditional and can be easily broken.
- Wallet seeds: I have not read about how to drive it, but they must be compatible with some wallets, such as Electrum, for more features.
- Battery charging time and features: Since it is a wallet, there are many unnecessary features that will affect the battery charging time.
Looks interesting, but until they are on the market and a proper security professional can dismantle it and give their review I file it under hype.
And, I did not see any mention of open source, that is a deal breaker right there.
-Dave
And, I did not see any mention of open source, that is a deal breaker right there.
-Dave
I watch their introducing video to get a better idea of what exactly it is about, and I personally am not surprised by the price considering the design of the device if you compare it to the Ledger. Also, if the specifications are to be believed, Zero is using the latest security technologies and is manufactured entirely in Belgium. What raises the price of their product is their backup (Graphene) consisting of 2 metal plates, which gives the ability to create backups without the use of seed words. An alternative backup mode allows you to choose random sequences of numbers/letters that you can engrave on a metal plate.
How much the level of security has been raised with the fact that communication with the device takes place exclusively via QR codes and whether we can talk about some absolute security remains a question. I also don't think this device is something that will attract the masses, because most still think that $100 is too high a price for a hardware wallet. On the other hand there are always those with deeper pockets who like to try new things, and they are certainly the target group for this product.
It should be noted that the device will be ready to send to customers only in November 2020, so for now you can only see it online.
How much the level of security has been raised with the fact that communication with the device takes place exclusively via QR codes and whether we can talk about some absolute security remains a question. I also don't think this device is something that will attract the masses, because most still think that $100 is too high a price for a hardware wallet. On the other hand there are always those with deeper pockets who like to try new things, and they are certainly the target group for this product.
It should be noted that the device will be ready to send to customers only in November 2020, so for now you can only see it online.
Fingerprint sensor.. and <230€. Hmm..
If providing biometrical data is sufficient to be able to sign a transaction.. it definitely is not secure.
A proper fingerprint sensor costs waaay more. Anything in this price range is useless and can easily be circumvented by providing some stupid silicon material.
There are blueprints available which unlock ~70-80% of all fingerprint secured mobile phones. And the sensor in that device can't be much better.
If providing biometrical data is sufficient to be able to sign a transaction.. it definitely is not secure.
A proper fingerprint sensor costs waaay more. Anything in this price range is useless and can easily be circumvented by providing some stupid silicon material.
There are blueprints available which unlock ~70-80% of all fingerprint secured mobile phones. And the sensor in that device can't be much better.
The first thing that catches my eye is their marketing, which is very agressive and repulsively intrusive at the same time. Everything is "ultra secure", "high quality", "the most advanced". "The ZERO is the most secure hardware wallet ever made" - oh, come on, should I trust you just because you say that? My reaction is completely opposite. I don't want to spend money on it, I better stick with something less ultra secure. Coldcard, for example, can be used as completely offline wallet and it costs a half of ngrave zero wallet price.
That price tag is killing it for me. If you're new to the market, maybe start with something that can compete with Nano S, then make new products gradually from there. Spending more than 200 euros just to try a new product is not really a thing for most people.
the newest hardware wallet
Jump to: