Memory BOX Pro 2.0
Last analysed 8th December 2021. Bad Interface
Do your own research!
Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.
The Analysis
The device was announced on Twitter on May 17, 2020. It was difficult to find technical information, documentation, reviews and video reviews of the product. It does however have some Chinese language videos on its official YouTube channel.
From what we can see, the device does not have a display.
- Multi-chain support - Maximum 500+ multi-chain wallet with safe storage
- Double backup - Two-way backup stored in SD card, safe and stable
- High-speed transmission - Bluetooth high-speed connection, one-click synchronization
It is also apparently paired with
However, going over the StartEOS Memory Box 2 page, it would seem that the Start App is now supposed to be downloaded from their own servers.
Private keys can be created offline - ❓
From this video, it would seem that the Memory Box serves more as a Bluetooth-enabled device to back up the StartEOS wallet.
The StartEOS help files redirect to another domain, yuque.com. It is a Chinese language site.
Private keys are not shared - ✔️
From Yuque.com, we have some clues on how the Memory Box handles private keys:
Translated via Google Translate:
Friendly reminder: The Memory Box hardware wallet developed by Start stores the private key separately in a security chip, which is completely isolated from the network. Because it does not touch the Internet, it eliminates all methods of network hacking, and it is one of the most secure wallets at present.
Device displays receive address for confirmation - ❌
The device does not have a display.
This device has no display through which the user can interact with it. It can only be paired with an app, whose APK is downloadable through the StartEOS website.
The design of the device does not allow the user to verify what is being signed!
As part of our Methodology, we ask: Can the user verify and approve transactions on the device? If not, we tag it Bad Interface!
These are devices that might generate secure private key material, outside the reach of the provider but that do not have the means to let the user verify transactions on the device itself. This verdict includes screen-less smart cards or USB-dongles.
The wallet lacks either an output device such as a screen, an input device such as touch or physical buttons, or both. In consequence, crucial elements of approving transactions are delegated to other hardware such as a general purpose PC or phone, which defeats the purpose of a hardware wallet.
Another consequence of a missing screen is that the user is faced with the dilemma of either not making a backup or having to pass the backup through an insecure device for display or storage.
The software of the device might be perfect but this device cannot be recommended due to this fundamental flaw.