Wallet Logo

Mycelium Entropy

🔍 Last analysed 29th April 2022 . Leaks Keys Not functioning anymore
28th April 2015

Jump to verdict 

Help spread awareness for build reproducibility

Please help us spread the word discussing build reproducibility with Mycelium Entropy  via their Twitter!

Do your own research!

Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.

If you find something we should include, you can create an issue or edit this analysis yourself and create a merge request for your changes.

The Analysis 

Background

Mycelium held an indiegogo fundraiser for the Entropy on October 30, 2014. They were able to raise $31,271 out of their target goal of $20,000.

Product Description



Mycelium Entropy is a small USB device with a single purpose: Making it easy to create Bitcoin paper wallets in a secure controlled environment.

Paper wallets are created in 3 simple steps:

  1. Insert Mycelium Entropy into a printer that allows you to print pictures from a USB flash drive.
  2. Select the print option on the printer.

This way the paper wallet has never touched a computer or a network, and as soon as you eject the device the private key is wiped from memory.

Mycelium Entropy is the easiest and most secure way of creating a paper wallet for offline cold storage.

How it Works

When Mycelium Entropy is inserted into a USB socket, it powers up and generates a large random number based on hardware entropy. That number is turned into a Bitcoin private key and a Bitcoin address. The private key and the address are turned into QR codes and and stored in a JPG file, and the USB device presents itself as a USB flash drive. This allows a printer that can print photos off a USB flash drive to print the paper wallet directly off the device.

Analysis

From the Bitcoinist interview,

  1. Is the entropy impervious to viruses or other malicious software?
    By default, yes, because the underlying OS and system files are never exposed to the device accessing it. When Mycelium Entropy is plugged into a printer or a PC, the only thing they see is a JPG file. However, when the device is switched to flash mode, for the purpose of changing device settings or flashing new firmware, all the system files are visible to the PC, and thus may be targeted. Since the device never stores any actual bitcoin keys, a attacker would have to modify the code on the device to have it create private keys he knows about.Running a sha check on the files to compare them to the ones on our site will help prevent this.

The Mycelium Entropy is a USB device that looks to the host as if it were a pen drive with a single document on it but that document is truly random and thus different every time you plug it in.

The firmware is available here.

(dg)

Verdict Explained

This product requires sharing private key material!

As part of our Methodology, we ask:

Does the device hide your keys from other devices? If not, we tag it Leaks Keys!

Some people claim their paper wallet is a hardware wallet. Others use RFID chips with the private keys on them. A very crucial drawback of those systems is that in order to send a transaction, the private key has to be brought onto a different system that doesn’t necessarily share all the desired aspects of a hardware wallet.

Paper wallets need to be printed, exposing the keys to the PC and the printer even before sending funds to it.

Simple RFID based devices can’t sign transactions - they share the keys with whoever asked to use them for whatever they please.

There are even products that are perfectly capable of working in an air-gapped fashion but they still expose the keys to connected devices.

This verdict is reserved for key leakage under normal operation and does not apply to devices where a hack is known to be possible with special hardware.

But we also ask:

Is the product still supported by the still existing provider? If not, we tag it Defunct!

Discontinued products or worse, products of providers that are not active anymore, are problematic, especially if they were not formerly reproducible and well audited to be self-custodial following open standards. If the provider hasn’t answered inquiries for a year but their server is still running or similar circumstances might get this verdict, too.