Bitcoin Forum
1  Bitcoin / Hardware wallets / Ever Wondered What Your Hardware Wallet Inputs and Outputs? on: December 09, 2019, 01:32:49 AM
Although open source code enables a kind of “audit” on your product’s security, benefits are highly dependent on the scale of community involvement and you are ultimately making it easier for cybercriminals to discover loopholes. Still worse for hardware wallets, vulnerabilities can be exploited to produce counterfeit products with malicious code that the majority of users won’t use open source code to verify the authenticity of.

In light of the security concerns inherent in releasing source code, Cobo Vault has introduced a different type of “auditability” through the transparency of QR codes. In excluding Bluetooth, Wi-Fi, USB, NFC, and other opaque means of data transmission from our product design, we have made it easy for users to verify that their hardware wallet is not revealing their private keys or other sensitive information in any way.

How Transactions Are Created with the Cobo Vault
The Cobo Vault is an offline storage device (cold end) that cannot construct transactions without the help of an online mobile device (hot end) running the Cobo Vault app. Because private keys are stored on the offline device and remain there the entire way through, the user’s assets won’t be affected if this mobile device is damaged or lost.

Transactions are constructed and signed through QR code communication between a mobile device and the Cobo Vault in the following way:

1. The Cobo Vault mobile app generates a QR code containing the data of a newly created unsigned transaction.
2. The camera on the Cobo Vault (cold end) scans the QR code to obtain the transaction data.
3. The transaction is confirmed on the Cobo Vault touchscreen, signing the transaction and outputting the signed transaction data in the form of a QR code.
4. The camera on the hot end mobile device scans the QR code on the cold end to obtain the signed transaction data.
5. The hot end broadcasts the transaction to the blockchain network.

More information on auditing the code is here: https://medium.com/cobo-vault/ever-wondered-what-your-hardware-wallet-inputs-and-outputs-ac78ec3ce331?source=activity---post_recommended
2  Other / Beginners & Help / Hot, Cold, Mobile, Web, Paper Wallets — Understand the Difference on: December 06, 2019, 09:35:45 AM
Are you looking for a wallet to store your cryptocurrency?

If you want to buy some crypto or you have already purchased some on an exchange, then the next step is researching and deciding the type of wallet you’d like to use to store your coins.

Since hot wallets are connected to the Internet, funds are more accessible for day to day trading or payments, but on the other hand, they’re also more prone to hacking. Examples of hot wallets include exchange wallets, mobile wallets, and web wallets. If you bought your crypto from a centralized exchange like Coinbase, you’re actually using their hot wallet service.

Cold wallets are not connected to the Internet; therefore, any crypto stored in them is hard to use, but on the upside, hackers cannot get to your funds easily. If your intention is to store your cryptocurrency for a long period of time, then look no further than cold wallets. Examples of cold wallets are hardware wallets and paper wallets.

If you wish to know more about the different types of hot wallets and cold wallets, here's a nice explanation: https://medium.com/cobo-vault/hot-cold-mobile-web-paper-wallets-understand-the-difference-90c124fe1a55
3  Bitcoin / Hardware wallets / Should Hardware Wallets Be Open Source? on: December 06, 2019, 06:44:58 AM
An aspect of security hardware wallet owners need to be keenly aware of is zero-day attacks. In zero-day attacks, the period of time between when a previously unknown vulnerability is exposed or announced and when it is fixed presents a perfect window of opportunity for a hacker to carry out an attack.

Because vulnerabilities in hardware wallets are often resolved through firmware upgrades, it usually takes a while after official security patches have been released for users to actually install them and fix the issue. With some users who, after having set up their hardware wallet, don’t open it for months or even years, exposure to zero-day attacks is dramatically increased.

Perhaps counterintuitively for those experienced with open source software development, a black box, or device with a closed source code, is more secure than a white box with an open source code.

There's more here: https://medium.com/cobo-vault/should-hardware-wallets-be-open-source-52209e046cf2?source=collection_home---4------0-----------------------

It's a very interesting opinion!
4  Bitcoin / Hardware wallets / Cobo Wallet: Core Component of Security Chip Open Sourced on: January 15, 2019, 10:17:40 AM
The core component of the Cobo Vault's security chip has been open sourced on GitHub. https://github.com/cobowallet/Cobo-Vault-Security-Chip-Firmware
After looking at the source code, I saw how much the development team values security. In the source code, when using critical data comparison, a custom memcmp_ATA() is used instead of the C language implementation memcmp().
Code:
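#include <stdbool.h>
#include <stdint.h>

/** memcmp Anti-Timing-Attack: returns true if the buffers differ */
bool memcmp_ATA(const uint8_t *buf1, const uint8_t *buf2, uint16_t len)
{
    uint16_t i = 0;
    bool bIsDiff = false;

    /* Always walk all len bytes; never exit early on the first mismatch */
    for (i = 0; i < len; i++)
    {
        bIsDiff |= (buf1[i] ^ buf2[i]);
    }

    return bIsDiff;
}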
This prevents timing-attacks when comparing critical information, which effectively protects user data.
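To make the difference concrete, here is an added example (not part of the original post and not code from the Cobo repository) that counts how many bytes an early-exit comparison examines versus an accumulate-and-OR comparison shaped like memcmp_ATA(). The secret, the helper names and the use of a step counter as a stand-in for measured time are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample secret, not taken from any real device. */
static const uint8_t SECRET[8] = {0x13, 0x37, 0xC0, 0xDE, 0x42, 0x99, 0xAB, 0xCD};

/* Early-exit compare: stops at the first mismatch, so the number of bytes
 * examined (*steps) depends on how much of the guess is correct. */
static bool leaky_differs(const uint8_t *a, const uint8_t *b, size_t len, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < len; i++) {
        *steps = i + 1;
        if (a[i] != b[i])
            return true;
    }
    return false;
}

/* Same idea as memcmp_ATA(): OR every XOR result into an accumulator and
 * decide only after the loop. volatile is a common hedge (an assumption
 * here) against the compiler re-introducing an early exit. */
static bool ct_differs(const uint8_t *a, const uint8_t *b, size_t len, size_t *steps)
{
    volatile uint8_t acc = 0;
    *steps = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= (uint8_t)(a[i] ^ b[i]);
        *steps = i + 1;
    }
    return acc != 0;
}

/* Bytes examined when the first correct_prefix bytes of the guess match. */
static size_t steps_for_guess(bool constant_time, size_t correct_prefix)
{
    uint8_t guess[sizeof SECRET];
    size_t steps = 0;
    for (size_t i = 0; i < sizeof SECRET; i++)
        guess[i] = (i < correct_prefix) ? SECRET[i] : (uint8_t)~SECRET[i];
    if (constant_time)
        ct_differs(SECRET, guess, sizeof SECRET, &steps);
    else
        leaky_differs(SECRET, guess, sizeof SECRET, &steps);
    return steps;
}

int main(void)
{
    for (size_t p = 0; p <= sizeof SECRET; p += 2)
        printf("correct prefix %zu: early-exit examines %zu bytes, constant-time %zu\n",
               p, steps_for_guess(false, p), steps_for_guess(true, p));
    return 0;
}
```

The early-exit count grows with the number of correct leading bytes, which is the signal a timing measurement picks up; the accumulate-and-OR version examines all 8 bytes regardless of the guess.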