It’s all pretty public stuff. A quick search will find it. The shady bit is him forking the Trezor code, then locking it back down against the open source license. Then he took legal action against Foundation for forking CC before he changed the license type.


Discussion

Seems kinda shitty to do, but does it make it insecure?

That’s a whole other thing. It’s been researched and documented. It has to do with their secure element. You can find it and make a decision on whether it affects your personal threat model.

You mean the stuff about a year ago that someone had managed to extract the secret with some crazy apparatus when having physical access? (can't remember if it was X-ray laser or what it was - expensive thing anyway)

That is just the surface. The SEs they have used are in general insecure, lack any security certifications, and the Coldcards are vulnerable to many supply chain attacks that I have not published yet.

Modern attacks with the same method you mentioned btw would cost at most $2K with a DIY setup.

Kind of. The developers of Coldcard do not have the security experience required to properly maintain a secure codebase.

Thanks for the response and this information. I did a quick search on CC and secure elements, testing, analysis, insecure, etc., but I am only getting their links and other promo crap...