Topic: Secure Element in Hardware Wallets (Read 3419 times)

legendary
Activity: 2730
Merit: 7065
September 06, 2024, 08:26:22 AM
An Infineon chip side-channel vulnerability has recently been found by "NinjaLab" and this vulnerability remained under the radar for 14 years [source]. Despite Trezor using their chip in two of their latest products, they're claiming the wallet backup "isn't affected" and "for the protection of the seed, they're relying on HMAC" [having said that, they also mentioned what this vulnerability could do in "theory"].
- I still need to find out the whole picture, but any device [e.g. not just HWs] that uses their chips might be affected!
As the disclosure article mentions, for this attack to work, the attacker would need physical access to the device and the secure element. They also need to possess the needed hardware to carry it out, not to mention the knowledge to know what they are doing. There is no threat of remote access if I understood correctly. Vulnerable hardware or not, the moment someone gets their hands on your hardware wallet, it's time to move your coins as soon as possible.
full member
Activity: 128
Merit: 190
September 05, 2024, 03:19:28 PM
An Infineon chip side-channel vulnerability has recently been found by "NinjaLab" and this vulnerability remained under the radar for 14 years [source]. Despite Trezor using their chip in two of their latest products, they're claiming the wallet backup "isn't affected" and "for the protection of the seed, they're relying on HMAC" [having said that, they also mentioned what this vulnerability could do in "theory"].
- I still need to find out the whole picture, but any device [e.g. not just HWs] that uses their chips might be affected!

This is another reason why I think the best hardware wallet option right now is Krux, because it's stateless and fully airgapped, like SeedSigner, but Krux improves on that model by using passphrase QRs and encrypted seed QRs.

Encrypted seed QRs on an airgapped device are a game changer.  I have to assume other hardware wallets will add this feature too, eventually.

Here's an example of an encrypted seed QR.  The decryption key for that QR is a 4 word passphrase.  Krux also gives the ability to save the passphrase as a QR & scan it to decrypt the encrypted seed QR.  It's a very slick system that I have to assume more wallets will adopt in years to come.
legendary
Activity: 2212
Merit: 7064
September 05, 2024, 02:48:31 PM
An Infineon chip side-channel vulnerability has recently been found by "NinjaLab" and this vulnerability remained under the radar for 14 years [source]. Despite Trezor using their chip in two of their latest products, they're claiming the wallet backup "isn't affected" and "for the protection of the seed, they're relying on HMAC" [having said that, they also mentioned what this vulnerability could do in "theory"].
I wrote about this in another topic, but the Infineon Optiga Trust M chip is affected by this newly found vulnerability, and it can be found in Trezor Safe 3 and Safe 5 devices as a secure element.
One potential issue is that attackers could use this vulnerability to bypass the authenticity check with scam devices, but this can be mitigated with other tools.
There is no firmware update that can fix this issue, but everyone should be careful with upcoming phishing attacks trying to use this situation!


It is important to say that Trezor is using this chip for protecting the PIN code of the device, which releases a secret stored in the secure element, and that secret protects the recovery seed that is stored on the STM microprocessor in Trezor.
https://trezor.io/learn/a/secure-element-in-trezor-safe-devices
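The split described in the post above (PIN checked by the secure element, which then releases a secret; the seed itself stored encrypted on the general-purpose microcontroller) is easier to reason about with a toy model in front of you. The following is an added example, not Trezor's firmware or Infineon's API: the class names, the three-try wipe limit, the key-derivation labels and the HMAC-based sealing are all assumptions chosen to keep the model self-contained in the standard library. What it shows is that the blob in MCU flash is useless without the secret the SE only hands over after a correct PIN, that the SE is where the retry counter lives, and that a wiped SE makes the blob permanently unreadable even with the right PIN.

```python
import hashlib
import hmac
import os
from typing import Optional

MAX_PIN_TRIES = 3  # assumed limit for this toy model, not a real product's value


class ToySecureElement:
    """Toy stand-in for a secure element (assumption, not a real chip API).

    Holds a random secret that it releases only after a correct PIN and wipes
    itself after MAX_PIN_TRIES consecutive failures. The MCU never sees the
    stored PIN digest; it only ever gets the secret or a refusal.
    """

    def __init__(self) -> None:
        self._secret: Optional[bytes] = os.urandom(32)
        self._salt = os.urandom(16)
        self._pin_digest: Optional[bytes] = None
        self._failures = 0

    def _digest(self, pin: str) -> bytes:
        return hashlib.sha256(self._salt + pin.encode("utf-8")).digest()

    def set_pin(self, pin: str) -> None:
        self._pin_digest = self._digest(pin)

    def unlock(self, pin: str) -> Optional[bytes]:
        if self._secret is None or self._pin_digest is None:
            return None  # wiped, or never provisioned
        if hmac.compare_digest(self._digest(pin), self._pin_digest):
            self._failures = 0
            return self._secret
        self._failures += 1
        if self._failures >= MAX_PIN_TRIES:
            self._secret = None  # irrecoverable: the sealed blob on the MCU is now dead data
        return None

    @property
    def wiped(self) -> bool:
        return self._secret is None


def storage_key(se_secret: bytes, pin: str) -> bytes:
    """Key for the seed blob depends on BOTH the SE secret and the PIN (assumed construction)."""
    return hmac.new(se_secret, b"seed-storage|" + pin.encode("utf-8"), hashlib.sha256).digest()


def seal_seed(key: bytes, seed: bytes) -> bytes:
    """Encrypt-then-MAC of a 64-byte BIP39 seed with a one-time HMAC-SHA512 pad.

    One seed is sealed per key, so the 64-byte pad is never reused.
    """
    if len(seed) != 64:
        raise ValueError("expects a 64-byte BIP39 seed")
    pad = hmac.new(key, b"enc", hashlib.sha512).digest()
    ct = bytes(a ^ b for a, b in zip(seed, pad))
    tag = hmac.new(key, b"mac" + ct, hashlib.sha256).digest()
    return ct + tag


def open_seed(key: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the MAC before touching the ciphertext; None on tamper or wrong key."""
    ct, tag = blob[:64], blob[64:]
    expected = hmac.new(key, b"mac" + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    pad = hmac.new(key, b"enc", hashlib.sha512).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))


class ToyWallet:
    """MCU side of the model: flash holds only the sealed blob, the SE holds the secret."""

    def __init__(self, seed: bytes, pin: str) -> None:
        self.se = ToySecureElement()
        self.se.set_pin(pin)
        secret = self.se.unlock(pin)
        assert secret is not None
        self.blob = seal_seed(storage_key(secret, pin), seed)

    def unlock(self, pin: str) -> Optional[bytes]:
        secret = self.se.unlock(pin)
        if secret is None:
            return None  # wrong PIN, or SE already wiped
        return open_seed(storage_key(secret, pin), self.blob)


if __name__ == "__main__":
    seed = bytes(range(64))  # constructed stand-in for a real BIP39 seed
    wallet = ToyWallet(seed, "1234")
    print("correct PIN:", wallet.unlock("1234") == seed)
    for guess in ("0000", "1111", "2222"):
        wallet.unlock(guess)
    print("wiped after 3 failures:", wallet.se.wiped)
    print("correct PIN after wipe:", wallet.unlock("1234"))
```

Two properties of this model are worth stating plainly. Someone who dumps the MCU flash gets only the blob and cannot guess the PIN offline, because the storage key also needs the SE secret. Conversely, someone who extracts the SE secret can guess the PIN offline against the blob, which is why the strength of the secret's protection inside the chip, not just the retry counter, matters.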
legendary
Activity: 2968
Merit: 3406
Crypto Swap Exchange
September 05, 2024, 09:08:26 AM
An Infineon chip side-channel vulnerability has recently been found by "NinjaLab" and this vulnerability remained under the radar for 14 years [source]. Despite Trezor using their chip in two of their latest products, they're claiming the wallet backup "isn't affected" and "for the protection of the seed, they're relying on HMAC" [having said that, they also mentioned what this vulnerability could do in "theory"].
- I still need to find out the whole picture, but any device [e.g. not just HWs] that uses their chips might be affected!
legendary
Activity: 2212
Merit: 7064
July 25, 2024, 05:10:28 PM
Is the Infineon SLE 97 model of secure element chips also open-source and doesn't require companies to sign NDAs for using them in their devices? Logic dictates that it should be because that's the case with the Infineon OPTIGA Trust M model that Trezor uses, but it doesn't hurt to ask.
No, as far as I know this is not an open-source chip and there is a signed NDA with other manufacturers who use different secure element models.
Trezor made a special deal with Infineon, and maybe they are working together in Tropic Square project.
If anyone finds any information proof for other non-NDA chip please post them here.

There is an Infineon GitHub page and only Optiga Trust M is available there with an open-source framework:
https://github.com/Infineon
https://github.com/Infineon/optiga-trust-m
legendary
Activity: 2730
Merit: 7065
July 23, 2024, 09:03:01 AM
Is the Infineon SLE 97 model of secure element chips also open-source and doesn't require companies to sign NDAs for using them in their devices? Logic dictates that it should be because that's the case with the Infineon OPTIGA Trust M model that Trezor uses, but it doesn't hurt to ask.
legendary
Activity: 2212
Merit: 7064
July 22, 2024, 02:32:04 PM
Updated and corrected information about the secure element used in SecuX hardware wallets.
All their devices including Shield BIO card, SecuX V20, SecuX W10, SecuX W20, and the newly announced SecuX Neo series are all using the Infineon SLE 97 secure element that is EAL5+ certified.

Infineon is a German manufacturer and other hardware wallets are also using some of their secure elements, but different models.
Best known is the Infineon OPTIGA Trust M that is used in Trezor Safe 3 and Safe 5.
legendary
Activity: 2212
Merit: 7064
July 17, 2024, 06:04:26 AM
The OP list shows a NO under Secure Element for the Trezor Safe 5. But your post above says that it does.
Thanks for noticing it, I corrected it now.
I had some trouble while making multiple edits on the table and I had to copy stuff to correct some errors.
If anyone spots any other mistakes in table please feel free to report it here.
member
Activity: 266
Merit: 42
NO SHITCOIN INSIDE
July 13, 2024, 06:09:44 AM
The OP list shows a NO under Secure Element for the Trezor Safe 5. But your post above says that it does.


legendary
Activity: 2212
Merit: 7064
July 11, 2024, 08:43:29 AM


List is updated and information added for NDA-free secure elements.
New device added is Trezor Safe 5 that is using the Infineon OPTIGA Trust M (v3) secure element, the exact model that was used in the previously released Trezor Safe 3.
This secure element is EAL6+ certified, it is transparent, the code can be inspected, and there is no NDA signed between the chip manufacturer and Trezor.
There is however a new microcontroller used in the new Trezor Safe 5, the STM32U5, with security improvements compared to the older STM32F4.

If anyone knows any other NDA-free secure elements that are used in hardware wallets please post them here.
Until then Trezor Safe 3 and Trezor Safe 5 remain the only NDA-free hardware wallet devices.

You can find more information on secure elements used in Trezor devices on their website:
https://trezor.io/learn/a/secure-element-in-trezor-safe-devices

hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
March 29, 2024, 07:36:55 AM
...
I'd appreciate the help a lot! struggling with the choice and understanding right now :(


Likely source: https://raw.githubusercontent.com/EAWF/BTC-Toolbox/3938785f186c76598989cc0aa017ad351483d3b1/Images/KeyDerivationTechnicalOverview.png

A hardware wallet likely only needs to store the "random" Entropy Source and derivation path used at minimum from which all other stuff can be derived. It likely stores more like the Master Secret Key and Master Chain Code to avoid all computation steps again and again which wouldn't make much sense.

The recovery words (Recovery Phrase in above diagram) are likely not stored as they can easily and rather quickly be computed from the Entropy Source.

The optional mnemonic passphrase (your 13th or 25th optional passphrase in addition to the recovery words) shouldn't be stored on the device as it is only needed to derive the Master Secret Key and Master Chain Code from the BIP32 Root Key Derivation. If the optional mnemonic passphrase is empty, i.e. not used, the derivation steps still use the default 'mnemonic' as an input to the 2048 rounds of the PBKDF2 mill.

I'm pretty sure this Master Secret Key and Master Chain Code are stored and secured by a hardware wallet. If Ledger crap e.g. has a dedicated unlock PIN for a wallet with optional mnemonic passphrase then, that unlock PIN secures that unique Master Secret Key and Master Chain Code of a derivation with that optional mnemonic passphrase. This adds some convenience but hides the security of a complex optional mnemonic passphrase in addition to the security of the Entropy Source behind a short PIN (security-wise not such a big issue as you have a very limited number of tries to enter such an unlock PIN). I would still recommend having an unlock PIN at least eight digits long or using more complexity.

Don't take my words for granted as I haven't read a lot of the firmware source code of open source hardware wallets. I'm just interpreting what I would do if I were a developer. Do not choose a hardware wallet with closed source firmware, thus Ledger should be out of competition for various reasons.

Try to get behind the security model of other hardware wallet competitors and how they cope with attack vectors and securing the important secrets of your wallet.


To understand HD wallets better, I recommend working through pages at https://learnmeabitcoin.com/technical/keys/hd-wallets/.
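The derivation chain the post above walks through (Entropy Source, checksum, recovery words, the 2048-round PBKDF2 step with the "mnemonic" + passphrase salt, then the BIP32 root giving Master Secret Key and Master Chain Code) can be run end to end with nothing but the Python standard library. This is an added example, not code from the post or from any wallet vendor. The BIP39 English word list is not embedded, so the first step returns word indices rather than words (index 0 is "abandon", index 3 is "about"); the mnemonic and seed used for checking are the published BIP39 test vector for all-zero entropy with passphrase "TREZOR". Everything else (function names, the demo in `__main__`) is an assumption of this example.

```python
import hashlib
import hmac
import unicodedata
from typing import List, Tuple

PBKDF2_ROUNDS = 2048               # fixed by BIP39
BIP32_HMAC_KEY = b"Bitcoin seed"   # fixed by BIP32

# Published BIP39 test vector: entropy 0x00*16 -> these 12 words; seed below is for passphrase "TREZOR".
VECTOR_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                   "abandon abandon abandon abandon abandon about")
VECTOR_SEED_TREZOR_HEX = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                          "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")


def mnemonic_indices(entropy: bytes) -> List[int]:
    """BIP39 step 1: Entropy Source -> word indices (the recovery words).

    ENT bits of entropy get ENT/32 checksum bits (the leading bits of
    SHA-256(entropy)) appended; the result is split into 11-bit groups, each
    an index into the 2048-word list. That is why the words are derivable
    from the entropy and need not be stored separately.
    """
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 16, 20, 24, 28 or 32 bytes")
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()
    bits = bin(int.from_bytes(entropy, "big"))[2:].zfill(ent_bits)
    bits += bin(int.from_bytes(checksum, "big"))[2:].zfill(256)[:cs_bits]
    return [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 step 2: 64-byte seed = PBKDF2-HMAC-SHA512(NFKD(words), "mnemonic" + NFKD(passphrase), 2048).

    An empty passphrase still yields the salt b"mnemonic", so there is no
    "no passphrase" special case in the KDF itself.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, PBKDF2_ROUNDS, dklen=64)


def bip32_master(seed: bytes) -> Tuple[bytes, bytes]:
    """BIP32 root: I = HMAC-SHA512(key="Bitcoin seed", data=seed).

    Left 32 bytes = Master Secret Key, right 32 bytes = Master Chain Code.
    """
    i = hmac.new(BIP32_HMAC_KEY, seed, hashlib.sha512).digest()
    return i[:32], i[32:]


def derive_root(mnemonic: str, passphrase: str = "") -> Tuple[bytes, bytes, bytes]:
    """Convenience: (seed, master_secret_key, master_chain_code) for a mnemonic + optional passphrase."""
    seed = bip39_seed(mnemonic, passphrase)
    msk, mcc = bip32_master(seed)
    return seed, msk, mcc


if __name__ == "__main__":
    print("indices for zero entropy:", mnemonic_indices(bytes(16)))
    for pp in ("", "TREZOR"):
        seed, msk, mcc = derive_root(VECTOR_MNEMONIC, pp)
        print(f"passphrase={pp!r}")
        print("  seed             :", seed.hex())
        print("  master secret key:", msk.hex())
        print("  master chain code:", mcc.hex())
```

Running it makes the post's point concrete: the same twelve words with and without a passphrase produce two unrelated seeds and therefore two unrelated master keys, so a device that caches the Master Secret Key and Master Chain Code for a passphrase wallet is holding a secret that the words alone cannot reproduce.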
newbie
Activity: 1
Merit: 2
March 28, 2024, 07:05:39 PM
Hi everyone.

can't understand what exactly is stored on the device, judging from what I read on them.

What do I really want to know - what is stored on the device?
- The entropy
- Seed phrase (mnemonic)
- Master seed (bip39 seed)

It sounds reasonable to store master seed (bip39 seed) - it's not human readable, you can derive keys from it, it can be restored via mnemonic, yet it can't be used to generate addresses for some coins (doge coin for example) or use the passphrase (another question i have).
But as far as I understand, Trezor keeps the seed phrase in it.
So the question remains... Specifically I'm interested in how it's implemented in keystone, trezor, ledger and onekey.

Another question - passphrase.
To use it after the wallet is created - you need the seed phrase to be present on the device, right? otherwise how would you use it as a 13 / 25 words?

I'd appreciate the help a lot! struggling with the choice and understanding right now :(
legendary
Activity: 2212
Merit: 7064
February 20, 2024, 06:33:24 PM
Very helpful post!
Should Trezor safe 3 with Infineon OPTIGA Trust M be EAL6+? The table shows it's N/A.
Yeah it should be like that, Trezor website also added that information recently, thank you for noticing it.
I added EAL6+ certification for Trezor Safe 3, and you are free to report anything else that is missing or incorrect in this list.
Hardware wallets are changing stuff all the time, so there could be some information that is outdated.
legendary
Activity: 2730
Merit: 7065
February 18, 2024, 04:28:01 AM
Should Trezor safe 3 with Infineon OPTIGA Trust M be EAL6+? The table shows it's N/A.
It probably should. According to the chip specifications here, it shows the certification type as EAL6+. More precisely, "CC EAL6+ high for HW." That description is for model SLS32AIA.

@dkbit98
You might probably find the missing certification types for some of the chips by googling the model followed by 'EAL', then just search and see if it says EAL5, EAL6, or something else.
newbie
Activity: 1
Merit: 1
February 18, 2024, 01:38:11 AM
Very helpful post!
Should Trezor safe 3 with Infineon OPTIGA Trust M be EAL6+? The table shows it's N/A.
legendary
Activity: 2212
Merit: 7064
January 31, 2024, 06:36:24 AM
This list is now cleaned up and updated with new information.
I removed a few devices that are not available anymore, and I identified the secure element for the Imkey hardware wallet as they released this in public.
Imkey Pro is using the SLE 78CLUFX5000PH chip made by Infineon and it has CC EAL6 certification.


https://imkey.im/

Other hardware wallet manufacturers (Trezor, SecuX, HyperMate, Hashwallet, Keevo, Jubiterwallet) are using secure elements made by Infineon, but this exact model SLE 78CLUFX5000PH is used only for Imkey Pro.
If you notice any mistakes or if you have additional information about secure elements please post it here.
legendary
Activity: 2212
Merit: 7064
December 20, 2023, 06:31:07 AM
I made a small update in the list and changed the Jade wallet secure element from NO to Virtual.
The reason for this is that this is a different approach from all other hardware wallets that don't have any physical secure element by default, and as far as I know nobody uses anything similar to Jade.
This approach is not the same as regular secure elements available on the market today, but it manages to keep everything reasonably safe and fully open source.

You can find more information about the Jade Virtual secure element and watch a few-minutes-long video explanation on their website:
https://help.blockstream.com/hc/en-us/articles/13745404122265-Does-Blockstream-Jade-have-a-secure-element-
legendary
Activity: 2212
Merit: 7064
November 13, 2023, 07:25:18 PM
We are from KriptoBR Official Reseller of Ledger, Trezor, SecuX and BitBox in Brazil.

We received the email from Ledger notifying us, that's why I informed them here, I asked if the chip had been changed and no, they confirmed that there hadn't been, it was just the update.
So basically nothing really changed in their hardware, but they decided to change and increase EAL certification just because they can do it and for them it sounds better like this :P
I will update information in table, but like I said before, nobody cares about this, especially not for ledger wallets, they already destroyed any leftover reputation they had.
newbie
Activity: 6
Merit: 4
November 13, 2023, 06:37:07 PM
We are from KriptoBR Official Reseller of Ledger, Trezor, SecuX and BitBox in Brazil.

We received the email from Ledger notifying us, that's why I informed them here, I asked if the chip had been changed and no, they confirmed that there hadn't been, it was just the update.

They even changed the website where EAL6+ already appears
legendary
Activity: 2212
Merit: 7064
November 10, 2023, 07:29:16 PM
Ledger has just changed its website stating that LNS PLUS models are EAL6+ certified
This is only for Ledger Nano S Plus and for Ledger Stax, but it means nothing to you or me.
If they changed EAL certification that usually means they made some changes with secure elements, but I didn't see any news about that.