WalletScrutiny
916cb5ff07d3b51cef7f6b6b7f5479b1001b401c0e82558ee1a22504c7d507c9
Know your wallet like you made it! Our goal is to improve the security of Bitcoin wallets by examining products for transparency and potential attacks.

Do you know a thing or two about compiling stuff? Do you care about people not getting rug-pulled by their Bitcoin wallets? Please help us stay on top of all these wallets!

We now list more than 6000 products, and the number with the top verdict, reproducible, is thankfully growing too. That also means more and more ongoing work, as we test reproducibility not only once but ideally with every new release and for every build artifact (the Bitcoin-only edition and the shitcoins-included edition, x86_64 and armeabi, ...).

The latest tests performed - and all found to be reproducible - were for these three:

* https://walletscrutiny.com/android/de.schildbach.wallet/

* https://walletscrutiny.com/android/com.mycelium.wallet/

* https://walletscrutiny.com/android/org.electrum.electrum/
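What a reproducibility test on such a build artifact boils down to is an entry-by-entry comparison of the official APK with one rebuilt from the public source, ignoring the signing block that nobody but the developer can reproduce. The script below is an added example, not WalletScrutiny's own tooling; the "official", "rebuilt" and "tampered" APKs are constructed in memory so it runs offline, and the `example.wallet` package name is made up.

```python
"""Compare two APKs (or any zip-based build artifacts) entry by entry, ignoring
the signing block in META-INF/, the way a reproducible-build check does.

Added example, not WalletScrutiny's tooling. The APKs below are constructed
in memory so the script runs offline."""
import hashlib
import io
import zipfile

# Files under META-INF/ carry the developer's signature and cannot be
# reproduced without their private key, so a reproducibility check skips them.
SIGNATURE_PREFIX = "META-INF/"


def entry_digests(apk_bytes: bytes) -> dict:
    """Map each non-signature entry name to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.startswith(SIGNATURE_PREFIX) or info.is_dir():
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_builds(official: bytes, rebuilt: bytes) -> dict:
    """Return entries present on only one side or differing in content.
    An empty dict means the rebuilt artifact matches the official one."""
    a, b = entry_digests(official), entry_digests(rebuilt)
    report = {}
    for name in sorted(set(a) | set(b)):
        if name not in a:
            report[name] = "only in rebuilt"
        elif name not in b:
            report[name] = "only in official"
        elif a[name] != b[name]:
            report[name] = "content differs"
    return report


def is_reproducible(official: bytes, rebuilt: bytes) -> bool:
    return not compare_builds(official, rebuilt)


def make_apk(entries: dict) -> bytes:
    """Build a zip in memory from {name: bytes}; stands in for a real APK (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: same app content, the official one carries signature files.
CODE = b"dex\n035\x00" + b"A" * 64
MANIFEST = b"<manifest package='example.wallet'/>"  # hypothetical package name
OFFICIAL = make_apk({
    "classes.dex": CODE,
    "AndroidManifest.xml": MANIFEST,
    "META-INF/CERT.RSA": b"developer signature block",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0",
})
REBUILT = make_apk({"classes.dex": CODE, "AndroidManifest.xml": MANIFEST})
# Same build with a one-byte change in the code: must be flagged, whatever the version says.
TAMPERED = make_apk({"classes.dex": CODE[:-1] + b"B", "AndroidManifest.xml": MANIFEST})

if __name__ == "__main__":
    print("official vs rebuilt:", compare_builds(OFFICIAL, REBUILT) or "reproducible")
    print("official vs tampered:", compare_builds(OFFICIAL, TAMPERED))
```

Real APKs additionally differ in zip metadata (timestamps, entry order) even when the content is identical, which is why the comparison hashes entry contents rather than the whole file.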

The re-design is finally live!

Great thanks to

* Spiral for sponsoring us

* the Bitcoin Design Community for awesome improvements that we have refined over 16(?) calls and who knows how much research between the calls

* nostr:npub1vwufmh57qdhrvgwlwdcyclgv4kpzuhmuq49ta7zt8gp2g4uw0edsgmzl6z who implemented the very challenging changes over 350 commits!

Check it out at https://walletscrutiny.com/

Please be gentle. We probably have missed many details. Bug reports and feature requests are as always welcome at https://gitlab.com/walletscrutiny/walletScrutinyCom/-/issues

PSA: If you use Atomic Wallet, **do not** open it with an internet connection. You **will lose your funds**.

Restore your backup in a compatible wallet and move the funds to a different seed.

https://void.cat/d/HGyTT2ooxf2A3M2QXcivw.webp

So we were just released from our web hoster's DMCA jail. We had to temporarily remove Foxbit's listing but we brought back https://walletscrutiny.com/android/br.com.mercadobitcoin.android/ which was the reason for a similar down-time last year.

Will Ledger recover from "Ledger Recover" backlash? Probably. Most customers will not notice. Most that do, will not understand what's going on. It will blow over but some will level up and learn what was long common knowledge for experts.

#ledgerrecover

Many users claim to prefer Ledger hardware wallets as they use a so-called "secure element" or SE. This chip is advertised to resist sophisticated physical attacks, but part of the defense of these chips is legal in nature: talking about flaws or details is forbidden.

To use an SE, companies have to sign NDAs and are required not to share aspects of the chip. This includes not sharing the code they run on said chip.

If you can't verify, you have to trust. Trust the claims of the provider. And these claims were unequivocally clear:

https://void.cat/d/PLsKyxPtoxzuR2adcKDhhy.webp

Yesterday Ledger announced a new product, enabled by a firmware update, that does just what was previously advertised as impossible: sending your keys to trusted parties with https://www.ledger.com/recover.

While many take aim at the potentially insecure storage of keys with such third parties and criticize the KYC required for it, the main issue here is trust. If this is possible and undetectable, have they maybe already built in legal confiscation features?

If you believe in "Don't trust. Verify!" your only option is to use verifiable tools. We list those and follow up with them. Check how transparent your preferred Bitcoin wallet is at https://walletscrutiny.com/

Now with the bootloader compromised, as was the case with this Trezor Model T, even all these measures might not be enough if the bootloader hot-patches firmware updates.

Firmware providers could counter that by either making binary patching hard or by detecting modifications in likely areas of patches.

Trezor wallets are always sold without firmware. If it has a firmware, it probably is not new and might have been tampered with. If it apparently has no firmware, it might still be tampered with but that's another story.

When installing or updating the firmware, verifiability is key! Trezor is fully open source, and this sophisticated modified hardware would have turned into a useful tool for its user had he updated to a genuine version, but for that, some checks have to be possible:

1. The firmware has to be built from public source code so its code can be audited. Trezor is open source.

2. The firmware has to be **reproducible** so the firmware is provably built from the public source code. Trezor is reproducible.

3. The device has to show the cryptographic fingerprint of the firmware about to be installed so the user can make sure he is installing the correct firmware. A version number is not enough! Trezor used to do this, recently failed to do this, but also recently closed an issue about it, so we are not sure about the current situation.

4. The newly installed version has to contain visible changes that a hacker can't trivially anticipate. Showing an incremented version number is **not enough**.
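Steps 3 and 4 both come down to the same point: the version string is data inside the image and a tampered image can carry whatever version it likes, whereas a hash over the whole image cannot be kept the same. The following is an added example, not Trezor's or WalletScrutiny's code; the two firmware images are constructed byte strings, the `version=` marker is a made-up layout, and the "displayed" fingerprint stands in for what the device screen would show.

```python
"""Check a firmware image against the fingerprint a device shows before install,
and show why a version number alone proves nothing.

Added example, not Trezor's or WalletScrutiny's code. Images and the
'version=' marker layout are constructed for illustration."""
import hashlib
import hmac
import re
from typing import Optional


def firmware_fingerprint(image: bytes) -> str:
    """SHA-256 over the complete image: what the user compares with the device screen."""
    return hashlib.sha256(image).hexdigest()


def embedded_version(image: bytes) -> Optional[str]:
    """Extract the version string; a tampered image can keep or increment it at will."""
    m = re.search(rb"version=(\d+\.\d+\.\d+)", image)
    return m.group(1).decode() if m else None


def version_check_passes(image: bytes, expected: str) -> bool:
    """The check a version number alone gives. Both images below pass it."""
    return embedded_version(image) == expected


def fingerprint_matches(image: bytes, displayed: str) -> bool:
    """Compare the locally computed fingerprint with the one read off the device.
    Rejects anything that is not a full 64-hex-digit hash (e.g. a bare version number)."""
    shown = displayed.strip().lower().replace(" ", "").replace("\n", "")
    if not re.fullmatch(r"[0-9a-f]{64}", shown):
        return False
    return hmac.compare_digest(firmware_fingerprint(image), shown)


# Constructed samples. GENUINE is the image rebuilt from public source;
# TAMPERED keeps the identical version string but changes one byte of code.
GENUINE = b"FIRMWARE version=2.0.4 " + b"\x90" * 32
TAMPERED = b"FIRMWARE version=2.0.4 " + b"\x90" * 31 + b"\xcc"

if __name__ == "__main__":
    shown = firmware_fingerprint(GENUINE)  # what a trustworthy device would display
    print("version check, genuine: ", version_check_passes(GENUINE, "2.0.4"))
    print("version check, tampered:", version_check_passes(TAMPERED, "2.0.4"))
    print("fingerprint, genuine:   ", fingerprint_matches(GENUINE, shown))
    print("fingerprint, tampered:  ", fingerprint_matches(TAMPERED, shown))
```

The fingerprint only helps if it is computed on the user's side from an image they built or downloaded themselves and compared against what the device shows; a hash printed by the same software that ships the image adds nothing.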

Kaspersky took apart a modified Trezor Model T. Key takeaways:

* The modification was not detectable upon visual inspection

* The device performed like a normal device

* It had "firmware 2.0.4" installed, which to a normal user would not raise suspicion

* It used poor entropy: a set of only 20 possible seed phrases. This entropy is so small that it is probably only there to let the user get new keys on demand; different victims would probably get different sets of keys so that they don't find other people's coins.

* It prevented effective passphrase protection by only considering the first letter of a passphrase: the user would feel protected by seeing different wallets for different passphrases, but the hacker could trivially brute-force all possible passphrases.
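The passphrase finding is something a user can test for on any BIP39 device: two passphrases that share their first character must yield different wallets. The script below is an added example, not Kaspersky's, Trezor's or WalletScrutiny's code. It implements the genuine BIP39 seed derivation (PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" plus the passphrase, both NFKD-normalised), a derivation that imitates the first-letter-only behaviour described above, and a sensitivity check that passes for the former and fails for the latter. The mnemonic is the standard all-"abandon" test vector; `wallet_id` is a constructed stand-in for "which wallet the device displays".

```python
"""BIP39 seed derivation plus a check that a device uses the whole passphrase.

Added example, not Kaspersky's, Trezor's or WalletScrutiny's code. The
truncating derivation imitates the fake device described in the teardown."""
import hashlib
import hmac
import unicodedata

# Standard BIP39 test vector mnemonic (entropy of all zero bytes).
MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Genuine BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase (NFKD)."""
    m = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode()
    return hashlib.pbkdf2_hmac("sha512", m, salt, 2048)


def truncating_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Imitation of the tampered device: only the first passphrase character reaches the KDF,
    so every passphrase starting with the same letter opens the same wallet."""
    return bip39_seed(mnemonic, passphrase[:1])


def wallet_id(seed: bytes) -> str:
    """Constructed stand-in for 'which wallet the device shows': a short tag of the seed."""
    return hmac.new(b"wallet-id", seed, hashlib.sha256).hexdigest()[:16]


def passphrase_is_fully_used(derive) -> bool:
    """Sensitivity check: passphrases that share a first letter, differ only in case,
    or differ from the empty passphrase must all lead to distinct wallets."""
    probes = ("", "s", "secret-1", "secret-2", "sECRET-1")
    ids = {wallet_id(derive(MNEMONIC, p)) for p in probes}
    return len(ids) == len(probes)


if __name__ == "__main__":
    print("genuine derivation uses full passphrase:   ", passphrase_is_fully_used(bip39_seed))
    print("truncating derivation uses full passphrase:", passphrase_is_fully_used(truncating_seed))
    print("seed (passphrase TREZOR):", bip39_seed(MNEMONIC, "TREZOR").hex())
```

On a physical device the same check is done by hand: enter two passphrases such as "secret-1" and "secret-2", and compare the first receive address each one produces.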

https://www.kaspersky.com/blog/fake-trezor-hardware-crypto-wallet/48155

Case study: fake hardware cryptowallet

Full review of a fake cryptowallet incident. It looks and feels like a Trezor wallet, but puts all your crypto-investments into the hands of criminals.

You really can't be paranoid enough. Unless there are no single points of failure, losing all your coins is always a possibility.

Those links used to be all with the universal 🌐 globe symbol. Now the most common brands are easier to spot ...

https://void.cat/d/8v2YLo2F5a8xvwgo4BZQMu.webp

So [Trust being closed source](https://walletscrutiny.com/android/com.wallet.crypto.trustapp/#analysis), this is either/or:

⚠️ a fork of many years back when it was still open source

⚠️ an app built from the decompiled Trust app

And then there is

⚠️ [last reviews all bad and scam accusations](https://play.google.com/store/apps/details?id=com.simplehold.app&gl=de), to one of which they replied "Please write to us at simplehold@support.io", a domain that is currently for sale?

The app appears to claim you forgot your password once you deposit funds.

52 new verdicts were released today.

* 25 products were custodial

* 8 were closed source

* 8 were wallets but not for #Bitcoin

* 5 turned out to be no wallets at all

* 2 were vapor ware

* 1 did not support sending or receiving Bitcoin - only speculating on its value

* 1 was not released yet

* 1 was do-it-yourself

* 1 will need more investigations

The philosophy of WalletScrutiny has always been to monitor what people are actually installing, and with the App Store and Play Store that was straightforward: a verdict was relevant for all users. But with 23 verdicts associated with the same brand, it's just too complex for a user to understand, even if we had the manpower to assign the 23 verdicts.

In the past ten days we published **64 new wallet reviews** and another **60 updates** to verdicts.

Most of the research was done by #[0] and verified by #[1]

https://walletscrutiny.com/

Our stated mission is to look into Bitcoin Wallets and with bearer tokens like the [Opendime](https://walletscrutiny.com/bearer/opendime/) we already ventured into products that clearly are not wallets but they are meant to keep your private keys safe, so users want to know: Do they really keep you safe from loss?

Now we came across products that are marketed as "crypto vaults" but are more akin to [password managers](https://en.wikipedia.org/wiki/Password_manager) like LastPass, a general store of important data. Being marketed to keep your important data safe, they clearly are being used for Bitcoin, too. The crypto-themed one we are looking at right now has 100k installs on Google Play.

Should we look into those or is that mission creep?

From the start we wanted to look into desktop wallets, but it's really hard. For Electrum, for example, there are 23 different ways of getting the binary, and those are probably 20+ different binaries.

* We do not have the resources to check them all with every release.

* We have no idea how to communicate our findings to the user.