[LIST] Open Source Hardware Wallets - page 3.

n0nce

hero member

Activity: 882

Merit: 5834

not your keys, not your coins!

Quote from: dkbit98 on May 12, 2022, 01:58:32 PM

Quote from: n0nce on May 11, 2022, 02:34:00 PM

However I think it would make sense to add a 'reproducibility' label. An open, auditable source doesn't help if the wallet doesn't actually run it. Even if it runs a slightly modified firmware, those modifications could easily have been put in to deanonymize users. It also doesn't allow you to verify if a reseller / middleman replaced the firmware, for instance, which can be a big security risk.

Can you personally verify if code for all this wallets is reproducible or not, and do this with each new release?

I've thought about making a list of a few wallets and periodically try to reproduce the latest builds myself; not sure if I can find the time for it, though.

Quote from: dkbit98 on May 12, 2022, 01:58:32 PM

I can't do that for sure, but I understand what you are trying to say and it's not a bad suggestion Cheesy

All we can do is check out websites like Walletscrutiny.com and Bitcoinbinary.org and see if developers checked latest firmware release and if they can be reproduced.
According to Walletscrutiny wesbite, only Trezor, Passport, Keepkey and Krux DIY hardware wallet firmware can be reproduced, and someone on Bitcoinbinary website reproduced firmware for Trezor, Bitbox and Coldcard wallets.
I updated this information in first post.

Yes, I actually thought at first to just add such a 'reproducibility label' simply based on data from walletscrutiny and maybe bitcoinbinary; as you correctly stated they both test firmwares from time to time.

The latter was critiqued in the past though; since they are sponsored by CoinKite, they claimed ColdCard to be reproducible, while the more neutral walletscrutiny website claimed this to be false. Not sure how it played out in the end, though.

dkbit98

legendary

Activity: 2212

Merit: 7064

Quote from: n0nce on May 11, 2022, 02:34:00 PM

However I think it would make sense to add a 'reproducibility' label. An open, auditable source doesn't help if the wallet doesn't actually run it. Even if it runs a slightly modified firmware, those modifications could easily have been put in to deanonymize users. It also doesn't allow you to verify if a reseller / middleman replaced the firmware, for instance, which can be a big security risk.

Can you personally verify if code for all this wallets is reproducible or not, and do this with each new release?
I can't do that for sure, but I understand what you are trying to say and it's not a bad suggestion Cheesy

All we can do is check out websites like Walletscrutiny.com and Bitcoinbinary.org and see if developers checked latest firmware release and if they can be reproduced.
According to Walletscrutiny wesbite, only Trezor, Passport, Keepkey and Krux DIY hardware wallet firmware can be reproduced, and someone on Bitcoinbinary website reproduced firmware for Trezor, Bitbox and Coldcard wallets.
I updated this information in first post.

n0nce

hero member

Activity: 882

Merit: 5834

not your keys, not your coins!

Quote from: dkbit98 on May 11, 2022, 12:58:35 PM

List of Open Source hardware wallets is updated, cleaned and I made few changes.

I recently found out that Bitlox hardware wallet released their code as open source for everyone to check, and it was even more surprising to see they updated firmware recently.
I was not able to find Bitlox device available for purchase because they are sold out, but making it open source is good news for old owners, and it's possible they will have devices available in future again.
They even have their own open source Bitlox explorer that is forked from insight.is explorer.

Hardware wallets removed from this list are Opolo and Keypal because they never released any code publicly, so I am considering they are not open source.

I added new certification symbol C for hardware wallets certified by OSHWA (currently that is Trezor and Passport).

Thanks for putting in the work to keep this thread constantly keeping this updated; it's one of the few threads I regularly go back to and link to people looking for hardware wallets. I believe open-source is an absolute must, otherwise you're trusting your money to an intransparent system; the very problem Bitcoin aims to solve.

However I think it would make sense to add a 'reproducibility' label. An open, auditable source doesn't help if the wallet doesn't actually run it. Even if it runs a slightly modified firmware, those modifications could easily have been put in to deanonymize users. It also doesn't allow you to verify if a reseller / middleman replaced the firmware, for instance, which can be a big security risk.

dkbit98

legendary

Activity: 2212

Merit: 7064

List of Open Source hardware wallets is updated, cleaned and I made few changes.

I recently found out that Bitlox hardware wallet released their code as open source for everyone to check, and it was even more surprising to see they updated firmware recently.
I was not able to find Bitlox device available for purchase because they are sold out, but making it open source is good news for old owners, and it's possible they will have devices available in future again.
They even have their own open source Bitlox explorer that is forked from insight.is explorer.

Hardware wallets removed from this list are Opolo and Keypal because they never released any code publicly, so I am considering they are not open source.

I added new certification symbol C for hardware wallets certified by OSHWA (currently that is Trezor and Passport).

Pmalek

legendary

Activity: 2730

Merit: 7065

Quote from: dkbit98 on April 02, 2022, 03:16:59 PM

One problem I see in their deal is they are using Taiwanese company UMC and there are a lot of tensions between China and Taiwan that could escalate any moment,
they can't move production to Europe or anywhere else in the world, according to this article, and that can be security risk.

The costs would certainly increase if the chips were produced in Europe and they also mention 3rd party licenses as reasons why the production wont take place in the EU.

It's great news that this is moving in the right direction. Too bad that the article is in Czech and Google translate isn't the perfect way to translate the piece. Anyone speaking Czech on Bitcointalk?

I found a few interesting things in that Czech article.

Quote

Tropic Square is preparing a so-called Secure Element (SE) chip, which is to be largely open. This will, among other things, allow it to be audited.

"Largely open" as in mostly open-source? That would match some of their previous posts where similar terminology was used to describe their chip as "as open-source as possible" if I remembered it correctly. For security reasons, certain parts of the code could stay closed-source. Maybe the firmware like they mention in the following sentence.

Quote

There will also be a RISC-V processor on the chip, which will ensure coordination with the internal firmware. We currently anticipate that the firmware will be closed, but the architecture is designed to allow the user to upload in the future.

Not sure if this translated sentence is telling us that the firmware will be closed-source or "closed" means something else in this case.

The Sceptical Chymist

legendary

Activity: 3500

Merit: 6981

Top Crypto Casino

Quote from: dkbit98 on March 20, 2022, 10:03:24 PM

Right now I would consider recommending only two hardware wallets that are open source, air-gapped devices and that is Keystone and Passport hardware wallets.
At the moment I am not recommending Trezor wallet (until they release version with secure element), and Bitbox wallet I am not recommending for reasons I wrote previously.

I appreciate the advice, sincerely. And as I've said many times, I'm not crazy about Trezor's design anyway (though if it were an ideal HW wallet I'd go with it in spite of that).

I'll look into Keystone and Passport, though at this point for bitcoin I'm not sure that using Electrum and storing the seed phrase in a secure place isn't an easier option.

dkbit98

legendary

Activity: 2212

Merit: 7064

Quote from: JL0 on April 01, 2022, 12:36:28 PM

I think we won't finally see the product until next year.

Thanks for posting this is good news not only for Trezor and other hardware wallets, but for all industry of chips that desperately needs to have open source chips.
One problem I see in their deal is they are using Taiwanese company UMC and there are a lot of tensions between China and Taiwan that could escalate any moment,
they can't move production to Europe or anywhere else in the world, according to this article, and that can be security risk.
I see old TASSIC name is ditched for new name TROPIC01, and they are not sure what license they are going to use for this chip.
Interesting article to read for sure.

JL0

full member

Activity: 817

Merit: 158

Bitcoin the Digital Gold

New update on the Secure Element chip development. It's in czech and you need to use Google translate.

Quote

The Czech company Tropic Square will send the first prototype of its security chip TROPIC01 into production this year. A so-called tape-out is being prepared, which the Czechs, as well as the final production, will carry out at the Taiwanese company UMC. In the initial batch, one and a half million chips are to come off sophisticated production lines.

https://www.lupa.cz/clanky/cesi-se-chystaji-vyrabet-miliony-vlastnich-bezpecnych-cipu-pomahaji-jim-tvurci-trezoru/

I think we won't finally see the product until next year.

dkbit98

legendary

Activity: 2212

Merit: 7064

Quote from: Pmalek on March 21, 2022, 04:15:21 AM

I am not sure why you changed your mind about Trezor. I understand why you are against Ledger and especially the Nano X (or Nono X as you call it) Trezor not having a secure element isn't new information. Their seed extraction vulnerability is public since 2019 I think, and it can be mitigated with a strong-enough passphrase and/or storing a code on an SD card. Either way, it requires physical access to the device. You could even wipe the device clean and reset it to factory settings if you aren't using it very often and have other wallets for daily needs. That would require much more time to set it up again if you want to spend from it.

I didn't change my mind about Trezor, but I do think other hardware wallets I mentioned are better option to buy in 2022.
It is possible that Trezor will eventually have to retire version One, as being the oldest existing living hardware wallet, and I don't feel comfortable recommending it anymore, and model T is to expensive for my taste.
On top of that, they really messed up with recent AOPP introducing and then removing it after community backfired on them.
I will probably recommend them again as soon as they add secure element that is expected in the end of 2022 or in 2023 (I hope so).

Pmalek

legendary

Activity: 2730

Merit: 7065

Quote from: dkbit98 on March 20, 2022, 10:03:24 PM

At the moment I am not recommending Trezor wallet (until they release version with secure element)

I am not sure why you changed your mind about Trezor. I understand why you are against Ledger and especially the Nano X (or Nono X as you call it) Trezor not having a secure element isn't new information. Their seed extraction vulnerability is public since 2019 I think, and it can be mitigated with a strong-enough passphrase and/or storing a code on an SD card. Either way, it requires physical access to the device. You could even wipe the device clean and reset it to factory settings if you aren't using it very often and have other wallets for daily needs. That would require much more time to set it up again if you want to spend from it.

The thing I don't like about Trezor is that they are playing this hardware vulnerability down instead of putting more attention on the importance of having a passphrase if you are using their HWs. But that's just a company protecting its investment and own ass, and that's the way it is. Whenever they release that new HW with a secure element, their Trezor T should get cheaper and become a great purchase.

dkbit98

legendary

Activity: 2212

Merit: 7064

Quote from: fillippone on March 17, 2022, 06:31:15 PM

How can Bitbox02 be absent from this list?

Bitbox was never absent from this list, and looks like you need glasses my Italian friend Cheesy

You can check archive of this topic and see that Bitbox was among first wallets that I added on my list, and I talked about it before many times.
Bitbox is basically Trezor wallet code with secure element and I like them, except the part when they started to support controversial swiss AOPP rule that violates privacy in my opinion.

Quote from: The Sceptical Chymist on March 18, 2022, 02:25:55 PM

Hey dkbit98, I've been pondering a lot of what you've written about hardware wallets in addition to a post that was written about HW wallet manufacturers and their access to customer data. Could you recommend a HW wallet other than the Trezor that would be a really good one? Same question goes out to the community in general. I was thinking of starting a thread but it'd look like I hadn't done any research, but I have. I just want input.

Right now I would consider recommending only two hardware wallets that are open source, air-gapped devices and that is Keystone and Passport hardware wallets.
At the moment I am not recommending Trezor wallet (until they release version with secure element), and Bitbox wallet I am not recommending for reasons I wrote previously.
That doesn't mean that other hardware wallets are bad, but they just don't meet my criteria.

Charles-Tim

legendary

Activity: 1512

Merit: 4795

Leading Crypto Sports Betting & Casino Platform

Quote from: n0nce on March 18, 2022, 05:15:37 PM

But honestly, the BitBox02 is a good middle ground and if you can excuse the questionable AOPP involvement, it's a good value for the price. The main advantage over the Trezor in my opinion is the secure element and built-in USB (if you use a laptop with USB-C connectors you don't need a cable).

I too will suggest BitBox02, it is completely open source, it can be connected with open source wallet like Electrum. I checked Electrum release note for Electrum version 4.2.0 which support pay-to-taproot for this hardware wallet. It will also be resistant to damage if compared to many other hardware wallets. Its secure element makes me to more prefer it, it will be hard for a physical attack to fetch out its seed phrase or keys.

n0nce

hero member

Activity: 882

Merit: 5834

not your keys, not your coins!

Quote from: fillippone on March 18, 2022, 05:11:38 PM

Quote from: n0nce on March 18, 2022, 05:04:18 PM

Secure element or fully open source hardware (secure chips are most of the time closed source)?

I am very curious on your suggestion about this one: I heard different producer (shiftCrypto vs Ledger, amongst the others) calling their design choice superior to the competing one for the exact same reasons (privacy, security).
What would you advice?

Between Ledger and ShiftCrypto, I'd go for ShiftCrypto, since it's open source and better quality. Ledger is known for bad QC and completely closed-source codebase.
However, the Swiss brand has been in discussion lately for being highly involved with the development of AOPP and the screen scratches easily.

Personally, for lower budget I still like the original Trezor One and for higher budget I will probably recommend the new Passport - main concern in everyday usage (with the v1) is honestly the battery consumption / non-rechargeable battery.

But honestly, the BitBox02 is a good middle ground and if you can excuse the questionable AOPP involvement, it's a good value for the price. The main advantage over the Trezor in my opinion is the secure element and built-in USB (if you use a laptop with USB-C connectors you don't need a cable).

fillippone

legendary

Activity: 2268

Merit: 16328

Fully fledged Merit Cycler - Golden Feather 22-23

Quote from: n0nce on March 18, 2022, 05:04:18 PM

Secure element or fully open source hardware (secure chips are most of the time closed source)?

I am very curious on your suggestion about this one: I heard different producer (shiftCrypto vs Ledger, amongst the others) calling their design choice superior to the competing one for the exact same reasons (privacy, security).
What would you advice?

n0nce

hero member

Activity: 882

Merit: 5834

not your keys, not your coins!

Quote from: The Sceptical Chymist on March 18, 2022, 02:25:55 PM

Hey dkbit98, I've been pondering a lot of what you've written about hardware wallets in addition to a post that was written about HW wallet manufacturers and their access to customer data. Could you recommend a HW wallet other than the Trezor that would be a really good one? Same question goes out to the community in general. I was thinking of starting a thread but it'd look like I hadn't done any research, but I have. I just want input.

Since you address 'the community in general': are you looking for a way not to leak your address / identity to the seller? Regarding this, it should be the same precautions for any brand.. such as using a PO box and paying with a 'clean' (e.g. mixed) Bitcoin UTXO.

Regarding 'what would be a really good one', it depends what your definition of 'good' is. I think open-source is a must-have; regarding anything else, it comes down to preference.
Aspects to consider: do you prefer air-gap or USB connection? Do you like something with altcoin support or Bitcoin-only? Secure element or fully open source hardware (secure chips are most of the time closed source)? Budget?

The Sceptical Chymist

legendary

Activity: 3500

Merit: 6981

Top Crypto Casino

Quote from: Pmalek on February 12, 2022, 04:16:58 AM

No matter how big or small, if your hardware wallet holds the majority of your funds, or one big stash of it, carrying it with you in your pocket everywhere you go isn't recommended.

Yeah, why in the world would anyone do that, unless maybe they were at a bitcoin convention and it served some purpose being on your person--but even then it's crazy to do that if that device represents a huge stash of crypto. Jeez, I was riding my bike home from the pharmacy last week--less than 1 mile--and had the prescription bag fall right out of my pants pocket without me even noticing it (luckily no one had picked it up when I re-rode my route back to the store).

Hey dkbit98, I've been pondering a lot of what you've written about hardware wallets in addition to a post that was written about HW wallet manufacturers and their access to customer data. Could you recommend a HW wallet other than the Trezor that would be a really good one? Same question goes out to the community in general. I was thinking of starting a thread but it'd look like I hadn't done any research, but I have. I just want input.

fillippone

legendary

Activity: 2268

Merit: 16328

Fully fledged Merit Cycler - Golden Feather 22-23

How can Bitbox02 be absent from this list?

Amonst the security features you see that the code is open source:

Quote

Open-source
Hide nothing by open sourcing everything, including the firmware on the BitBox02, the BitBoxApp, and x rays of the hardware, schematics.

https://shiftcrypto.ch/bitbox02/security-features/

Link to GitHub Repository:
https://github.com/digitalbitbox/

Edit:
Now I see on the list. ~~Not sure if I missed it, or the OP got edited.~~
I either need glasses, or I am getting old. Or both, actually.

Pmalek

legendary

Activity: 2730

Merit: 7065

Quote from: ?? on ??

have you ever done or such a heartbreaking incident bro?

I can't remember one from the top of my head. Personally, I have never found myself in such a situation. You can apply the same logic to fiat money. If you need to run down to the shop for a package of milk and a dozen of eggs, you aren't going to put $10.000 in your trousers, take it all out, and start looking for a $10 bill in front of the cashier and other customers. You are putting yourself in the spotlight.

I don't do that with my savings either. My debit card is not connected with my savings account where most of my capital is. It's a separate account that I manually deposit to every time I need money to spend. Losing the card wouldn't create too much of a headache like would be the case if my main savings account would be in jeopardy.

Pmalek

legendary

Activity: 2730

Merit: 7065

Quote from: Uang_kartal on February 10, 2022, 11:23:38 PM

oh yes, the friends above are busy discussing the mini one key whose shape is attractive and simple so it is practical to carry it everywhere.

No matter how big or small, if your hardware wallet holds the majority of your funds, or one big stash of it, carrying it with you in your pocket everywhere you go isn't recommended. Hardware wallets have been and still are/could be vulnerable to various types of physical attacks. It doesn't matter if the wallet is protected by a PIN, it's a line of defense can be penetrated with enough time or willpower. Keep your HW hidden like you would with other things valuable to you. Carry only the things you need on you. It's better to lose $1k than $100k because you were flashing your Trezor in public.

Uang_kartal

full member

Activity: 378

Merit: 167

betfury

maybe someday I can buy one of my dream hardwer wallets, I just read about Trezor from a physical point of view, its advantages and specifications,
oh yes, the friends above are busy discussing the mini one key whose shape is attractive and simple so it is practical to carry it everywhere. I hope other countries don't join in and ban it from using it, and the Chinese country hopes that there is a solution until the ban is lifted. this presence makes it easy, I have also read the prices of other hardware wallets here

https://bitcointalksearch.org/topic/--5282364

I'm starting to understand and it's interesting, especially when there are physical/materials that are easy to carry, thanks OP

Topic: [LIST] Open Source Hardware Wallets - page 3. (Read 2897 times)