Wallet Logo

Secure Wallet

🔍 Last analysed 8th December 2021 . Leaks Keys
1st April 2018

Jump to verdict 

Help spread awareness for build reproducibility

Please help us spread the word discussing build reproducibility with Secure Wallet  via their Twitter!

Do your own research!

Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.

If you find something we should include, you can create an issue or edit this analysis yourself and create a merge request for your changes.

The Analysis 

NOTE: Secure Wallet is temporarily sold out.

We’re SOLD OUT - New Stock Arriving 2022

This wallet has a companion app: ECOMI Secure Wallet No Wallet

Interface

The device is the size of a credit card and has a small “e-paper” display.

Private keys can be created offline - ❓

(Tutorial for wallet setup)

The device must be paired with the companion app before you can create a wallet and access the recovery seed.

Here’s another third-party video review detailing how the harware wallet generates seeds. The seeds are actually numbers and not words.

Private keys are not shared - ❓

ECOMI claims that the Secure Wallet itself never connects directly to the internet.

Unlike app or web-based wallets, the Secure Wallet is a piece of physical hardware that is never connected directly to the Internet. Instead, the Secure Wallet wirelessy connects through a paired Android or Apple device.

The Bluetooth signal is encrypted with multiple layers of one-way hash functions using the AES256 encryption standard.

However, it appears as though the user must be paired with the companion app on an external device to recover assets.

The best method to keep your private keys safe lies in an offline storage device. The Secure Wallet combines the best of hot and cold storage to provide unparalleled security with the convenience of a bank card. The wallet is never connected to the Internet, however, you can interact with it wirelessly through the companion app. This lets you choose how and when to use the wallet, and provides a means to recover your assets if you lose the device.

Device displays receive address for confirmation - ❓

While the transaction amount needs to be confirmed on the device, it does not mention if the entire address is displayed. Only the amount has been described. On a Medium article guide from ECOMI:

The Secure Wallet will display the amount you are choosing to send on the e-paper screen. You are required to press the physical confirmation button twice before it can be sent (this is the same button you use to turn on the card).

The first time to confirm the amount you are sending is correct, and the second time to confirm the transaction and complete the process.
Using the physical button means there can be no ‘man-in-the-middle’ attacks and your funds cannot leave the Secure Wallet without your confirmation.

Verdict

Although the wallet itself may be completely offline, it still depends on the companion app to view and recover the seed phrase and make transactions.

Moreover, the device’s hardware is powered by the same company that manufactured the CoolWallet S Leaks Keys! . Similarly, the card is paired with a phone app, which displays the seed phrases in sequence.

In the case that the phone itself is compromised, the assets will be at risk.

(ml, dg)

Verdict Explained

This product requires sharing private key material!

As part of our Methodology, we ask:

Does the device hide your keys from other devices? If not, we tag it Leaks Keys!

Some people claim their paper wallet is a hardware wallet. Others use RFID chips with the private keys on them. A very crucial drawback of those systems is that in order to send a transaction, the private key has to be brought onto a different system that doesn’t necessarily share all the desired aspects of a hardware wallet.

Paper wallets need to be printed, exposing the keys to the PC and the printer even before sending funds to it.

Simple RFID based devices can’t sign transactions - they share the keys with whoever asked to use them for whatever they please.

There are even products that are perfectly capable of working in an air-gapped fashion but they still expose the keys to connected devices.

This verdict is reserved for key leakage under normal operation and does not apply to devices where a hack is known to be possible with special hardware.

The product cannot be independently verified. If the provider puts your funds at risk on purpose or by accident, you will probably not know about the issue before people start losing money. If the provider is more criminally inclined he might have collected all the backups of all the wallets, ready to be emptied at the press of a button. The product might have a formidable track record but out of distress or change in management turns out to be evil from some point on, with nobody outside ever knowing before it is too late.