The design of the device does not allow the user to verify what is being signed!
As part of our Methodology, we ask:
Can the user verify and approve transactions on the device?
If the answer is "no", we mark it as "Bad Interface". These are devices that might generate secure private key material outside the reach of the provider, but that do not have the means to let the user verify transactions on the device itself. This verdict includes screen-less smart cards and USB dongles.
The wallet lacks an output device such as a screen, an input device such as touch or physical buttons, or both. As a consequence, crucial elements of approving transactions are delegated to other hardware such as a general-purpose PC or phone, which defeats the purpose of a hardware wallet.
Another consequence of a missing screen is that the user faces the dilemma of either not making a backup or having to pass the backup through an insecure device for display or storage.
The software of the device might be perfect but this device cannot be recommended due to this fundamental flaw.
The product cannot be independently verified. If the provider puts your funds at risk on purpose or by accident, you will probably not know about the issue before people start losing money. If the provider is more criminally inclined, he might have collected all the backups of all the wallets, ready to be emptied at the press of a button. The product might have a formidable track record but, out of distress or a change in management, turn out to be evil from some point on, with nobody outside ever knowing before it is too late.
Help spread awareness for build reproducibility
Please help us spread the word by discussing build reproducibility with UKISS Hugware® via their Twitter!
Do your own research!
Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.
If you find something we should include, you can create an issue or edit this analysis yourself and create a merge request for your changes.
The Analysis
Updated Analysis 2022-11-09
The UKISS Hugware® is unique in its security implementation. Most of the mainstream devices are stand-alone or paired with a mobile phone.
The two devices:
- Have no interface
- Have to be connected to a desktop computer with the UKiss Hub Software installed (currently at v.1.1.3) or the UKiss app when connected to a mobile phone.
- Require user registration to activate 5-year warranty
- Do not use recovery phrases
Hugware comes in a pair. During setup, the master seed is generated in the Authentication Key (A-Key) and synchronised with the Rescue Key (R-Key). Use the A-Key to manage your crypto assets and keep your R-Key for when you need to recover access in the future.
Our state-of-the-art key pairing feature lets users do away with recovery phrases, thereby minimising instances of human error, phishing, and theft. However, it is your responsibility to ensure the security of your Hugware. Store your devices in a safe location and guard your authentication with a strong PIN.
KEY FUNCTIONS | Authentication-Key | Rescue-Key |
---|---|---|
Add wallet | ✅ | ✘ |
Import wallet | ✅ | ✅ |
Create account | ✅ | ✘ |
Remove account/wallet | ✅ | ✘ |
Add asset | ✅ | ✘ |
Add token | ✅ | ✘ |
Move asset | ✅ | ✘ |
Send asset | ✅ | ✅ |
Add contact | ✅ | ✅ |
Reset PIN | ✅ | ✅ |
Recover key | ✅ | ✅ |
Duplicate keys | ✅ | ✅ |
Setup
Notes
If the user loses the A-key device (Authentication) which contains the master key, the user can request the manufacturer to send a replacement. Once the replacement arrives, the A-key and the R-key are then synchronized.
Neither the desktop software nor the firmware is source-available.
Verdict
Neither the A-key nor the R-key has a display or an interface the user can interact with. Both devices are intended to be plugged in via USB-A or USB-C.
Documentation
Product Description
The UKISS Hugware® is comprised of a pair of USB devices, the A-Key and the R-Key. The A-Key, or Authentication Key, generates and stores private keys and authenticates transactions. The R-Key, or Rescue Key, resets passwords and restores the A-Key. UKISS is also slated to release the UKISS Suite, which will add some features to the Hugware®:
- Crypto swaps
- Liquidity mining
- NFT trading
- Staking
- Yield farming
Integrated Digital Security Solutions
- Data encryption
- Password management
- Ransomware protection
- Secure social messaging
UKISS also claims that recovery words are deliberately eliminated from use in the device. We asked them on Twitter whether they could share the product specification sheet and whether the project is Open Source.
As of today, March 15, 2022, the UKISS Hugware is still in the middle of its soft launch. The site still asks for an email address for Pre-Order discounts and promos. Documentation, tutorials and other technical information, such as how private keys are generated, are still not readily available online.
(dg)