A Pixel phone vs your HWW

Which is more secure?

(in terms of before-first-unlock state)

Discussion

Pixel phone is sandboxed, more secure

The answer is that most HWW SEs are extremely weak

There's only like five hardware wallets, do you want to name some names 😁

The Bitcoin themed nokia

“Cypherpunk” looking “ultra secure” “thing”

The plug-in rectangle that calls itself a box

I mean the BitBox people are shitcoiners, so not too much surprise corners are cut there. What's the issue with the Coldcard elements?

Why? Could you add a bit more context?

They do not have protections for attacks that have existed for decades

Wut?

It depends how much Mossad has infiltrated your supply chain

I'll take Coldcard every time over any phone including Pixel on GOS.

You are in for a ride, as the secure elements on Coldcards have been broken 4 times now

Oh wow....good to know thanks. Source?

Did some searching; what I found was that the MK2 secure element was compromised with a very expensive lab attack (physical possession of CC) and all they could get was the access PIN. If this is what you were referring to, I wouldn't worry, as you shouldn't be running a MK2 and can't call Coldcard broken.

Mk3 is broken

ATECC608B

Mk4 also uses ATECC608B + a DS SE that is also broken.

The ATECC and DeepCover SEs used by the Coldcard lack critical protections against LFI/EMFI.

There are also architectural flaws in the design of the Coldcard device that also allow the easy production of counterfeit devices

And these attacks only get cheaper by the day… a reasonable DIY setup may run $1K at most with pretty good capabilities.

nostr:npub17tyke9lkgxd98ruyeul6wt3pj3s9uxzgp9hxu5tsenjmweue6sqq4y3mgl fixes this

The Coldcard blog conveniently doesn’t mention the Mk3/4 ATECC SE being broken, or the fundamental flaws in the chips they use.

Note: I develop firmware for secure elements, primarily a product I am working on right now.

OK, thank you. Where can one read about this?

What say ye nostr:nprofile1qqsw3znfr6vdnxrujezjrhlkqqjlvpcqx79ys7gcph9mkjjsy7zsgygpzpmhxue69uh5ummnw3ezuamfdejsz9thwden5te0v4jx2m3wdehhxarj9ekxzmnymlvvup ?

Pixel 100%. And it doesn’t scream “crypto inside”

Whose OS on the pixel?

Maybe neither is more secure than the other, perhaps trust them equally in a multisig.