Do your own research!
Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.
The Analysis
According to its website, the provider aimed to create a cold, secure and durable wallet. Below is a claim from the card's description:
Cryo Card is the ultimate solution to offline cold storage of all crypto-currencies. Engineered to withstand anything mother nature can throw at it; Cryo Card’s base layer is constructed of AMS 5524 Stainless Steel, an aerospace grade metal that demonstrates both high heat and corrosion resistance in all environments. It is highly resistant to both acids and bases, fresh and salt water, and temperatures of up to 2500°F (1370°C).
Cryobit presumably etches the encrypted private keys onto the cards. The same description claims to use “offline AES-256 encryption”:
[…]your newly generated or existing Private Key can never be known to us or any other entity that does not know your personally chosen passphrase. The encryption process is performed in your own browser – not on our servers – so your passphrase is never seen by us. You can even disconnect your device from the Internet while generating and encrypting a new encrypted Private Key (or encrypting an existing one) and re-connect to complete your order. This can help to ensure that your Private Key and chosen passphrase are not potentially compromised.
From the FAQ:
How long is my Wallet Address, Encrypted Private Key, or Passphrase stored by CryoBit?
We store this information for up to 10 days after shipping your order. You may request to have it removed sooner by contacting us with your order number.
Even so, as this wallet is a screen-less smart card, users still can’t verify or approve transactions, since the product lacks an interface. However, we find its more critical flaw to be that the provider keeps any copy of the private key at all. Even if it is encrypted and deleted after 10 days, as they claim, this places an inordinate amount of trust in the provider.
The device gets delivered with private keys as defined by the provider!
As part of our Methodology, we ask: Are the keys never shared with the provider? If not, we tag it Provided Keys!
The best hardware wallet cannot guarantee that the provider deleted the keys if the private keys were put onto the device by them in the first place.
There is no way of knowing if the provider took a copy in the process. If they did, all funds controlled by those devices are potentially also under the control of the provider and could be moved out of the client’s control at any time at the provider’s discretion.
But we also ask: Is the product still supported by the still existing provider? If not, we tag it Defunct!
Discontinued products or, worse, products of providers that are no longer active are problematic, especially if they were not previously reproducible and well audited to be self-custodial following open standards. A provider that hasn’t answered inquiries for a year while their server is still running, or similar circumstances, may also get this verdict.