Seems kinda shitty to do, but does it make it insecure?

Discussion

That’s a whole other thing. It’s been researched and documented. It has to do with their secure element. You can find it and make a decision if it affects your personal threat model.

You mean the stuff about a year ago that someone had managed to extract the secret with some crazy apparatus when having physical access? (can't remember if it was X-ray laser or what it was - expensive thing anyway)

That is just the surface. The SEs they have used are in general insecure, lack any security certifications, and the Coldcards are vulnerable to many supply chain attacks that I have not published yet.

Modern attacks with the same method you mentioned btw would cost at most $2K with a DIY setup.

Kind of. The developers of Coldcard do not have the security experience required to properly maintain a secure codebase.