Secure Element in Hardware Wallets

[dkbit98]

I see many people talking about Secure Element in hardware wallet like some mythical creature that will protect us from all evil, but in reality Secure Element is just a chip or microcontroller used in a similar way like in SIM cards, SDcards, IDs, Payment Cards or Phones, and they can potentially be exploited by malicious firmware updates.
In Hardware wallets they are used as second chip for storing private keys and seed words.

What are the benefits of Secure Element in Hardware Wallets?

- Seed words never leave device but they stay in Secure Element
- Secure updates
- Generating 'random' numbers
- No tempering

Secure Elements can be open source (can be verified and confirmed) or closed source (any firmware can be used including malicious), certified or not certified.

Current state of Secure Elements is Hardware wallets:

	☵	Name	☵	Open Source	☵	Secure Element	☵	SE Model + Microcontroller	☵	Evaluation Assurance Level	☵

	▮	Trezor Safe 3	▮	YES	▮	YES	▮	Infineon OPTIGA Trust M + Cortex M4 ARM	▮	EAL6+	▮
	▮	Trezor One & T	▮	YES	▮	NO	▮	N/A + STM32F2/STM32F4	▮	N/A	▮
	▮	Keepkey	▮	YES	▮	NO	▮	N/A + STM32	▮	N/A	▮
	▮	Jade	▮	YES	▮	Virtual*	▮	N/A	▮	N/A	▮
	▮	ColdCard Mk3	▮	NO (MIT+CC)	▮	YES	▮	ATECC608B or ATECC608A + STM32L496RGT6	▮	outdated chip 608A	▮
	▮	ColdCard Mk4	▮	NO (MIT+CC)	▮	YES	▮	ATECC608B+Maxim DS28C36B + STM32L4S5VIT6	▮	N/A	▮
	▮	Bitbox02	▮	YES	▮	YES	▮	ATECC608B + ATSAMD51J20A	▮	N/A	▮
	▮	Passport	▮	YES	▮	YES	▮	ATECC608B + STM32H753	▮	N/A	▮
	▮	Ledger Nano S	▮	NO	▮	YES	▮	ST31H320 + STM32F042K6	▮	EAL5+	▮
	▮	Ledger Nano X	▮	NO	▮	YES	▮	ST33J2M0 + STM32WB55	▮	EAL5+	▮
	▮	Ledger Nano S Plus	▮	NO	▮	YES	▮	ST33K1M5C + STM32...	▮	EAL6+	▮
	▮	Ledger Stax	▮	NO	▮	YES	▮	ST33K1M5 + ?	▮	EAL6+	▮
	▮	D'CENT	▮	NO	▮	YES	▮	NXP P60	▮	EAL5+	▮
	▮	Safepal S1;X1	▮	NO	▮	YES	▮	Unknown chip	▮	EAL5+	▮
	▮	CoolWallet S	▮	NO (soon Y)	▮	YES	▮	NXP P5CD081	▮	EAL5+	▮
	▮	CoolWallet Pro	▮	NO (soon Y)	▮	YES	▮	NXP J3R110	▮	EAL6+	▮
	▮	Jubiterwallet	▮	NO	▮	YES	▮	Infineon ?	▮	EAL6+	▮
	▮	Kasse HK-1000	▮	NO	▮	YES	▮	ST31H320 A03	▮	EAL5+	▮
	▮	Keevo	▮	NO	▮	YES	▮	Infineon Optiga Trust-P	▮	EAL5+	▮
	▮	Secux	▮	NO	▮	YES	▮	Infineon CC ?	▮	EAL5+	▮
	▮	Ngrave	▮	N/A	▮	YES	▮	unknown built-in SE + STM32MP157C	▮	EAL7+	▮
	▮	Tangem	▮	NO	▮	YES	▮	Samsung SecureCore microchip ?	▮	EAL6+	▮
	▮	ImKey	▮	NO	▮	YES	▮	Infineon SLE 78CLUFX5000PH	▮	EAL6+	▮
	▮	Hashwallet	▮	N/A	▮	YES	▮	Infineon SLE78	▮	EAL6+	▮
	▮	Opolo	▮	NO	▮	YES	▮	NXP ? + ARM Cortex M4	▮	EAL6+	▮
	▮	OneKey Classic 1S	▮	YES	▮	YES	▮	THD89	▮	EAL6+	▮
	▮	OneKey Pro	▮	YES	▮	YES	▮	TMC THD89 x4	▮	EAL6+	▮
	▮	OneKey Touch	▮	YES	▮	YES	▮	ATECC608A	▮	outdated chip	▮
	▮	OneKey Classic	▮	YES	▮	YES	▮	HSC32I1	▮	EAL6+*/EAL 4+	▮
	▮	OneKey Mini	▮	YES	▮	YES	▮	ATECC608A	▮	outdated chip	▮
	▮	HyperMate	▮	YES	▮	YES	▮	Infineon ?	▮	EAL6+	▮
	▮	KeyStone	▮	YES	▮	YES	▮	ARM Cortex-M0	▮	EAL5+	▮
	▮	KeyStone3 (Pro)	▮	YES	▮	YES	▮	ATECC608B + Maxim DS28S60 (+ Maxim MAX32520)	▮	EAL?	▮
	▮	KeyPal	▮	N/A	▮	YES	▮	NXP MCU + ?	▮	N/A	▮
	▮	Satochip/Satodime	▮	YES	▮	YES	▮	NXP J3H145 and NXP J3R110	▮	EAL6+	▮
	▮	Husky HDW20	▮	NO	▮	YES	▮	ATECC608A	▮	outdated chip	▮
	▮	Prokey	▮	YES	▮	NO	▮	N/A + STM32F205VG	▮	N/A	▮
	▮	Cypherock X1	▮	YES	▮	YES	▮	ATECC608A+NXP JCOP3 and ARM Cortex-M	▮	EAL5+ outdated chip 608A	▮
	▮	Hito	▮	YES	▮	YES	▮	nRF5340	▮	N/A	▮

Note that older hardware wallets models Passport, ColdCard, Onekey may have outdated chip version ATECC608A!

Credits and thanks @SFR10 for making this wonderful table

Let's see some examples how Hardware Wallets got exploited before in presentation Exploiting Hardware Wallet’s Secure Element by Riscure and Sergei Volokitin.

If you can choose, then always go for Open Source.


*EAL = Evaluation Assurance Level

EAL1 - functionally tested
EAL2 - structurally tested
EAL3 - methodically tested and checked
EAL4 - methodically designed, tested, and reviewed
EAL5 - semi-formally designed and tested
EAL6 - semi-formally verified design and tested
EAL7 - formally verified design and tested

**Trezor is working on their own fully open source Secure Element chip and they started separate project for this purpose called Tropic Square.
- Cobo hardware wallet stopped production and renamed to Keystone with some changes in software and hardware.

CC = Commons Clause License
https://commonsclause.com/


- Seed Generation in Hardware Wallets
- Open Source Hardware Wallets

[casperBGD]

interesting topic, must say that I was not aware that Trezor does not have any secure element inside

it is always good to divide complicated things into small parts, for better understanding by community, and educate community as much as possible, that is the only way to decrease number of scams that are inevitable part of every industry, especially growing one, like crypto industry

but, nothing will help you if you do not secure your own data properly, it can not be overstated the importance of securing your own private keys / mnemonic seeds, and not sharing those with anyone, and interacting with proven wallets/exchanges only

[dkbit98]

Sure, Trezor only have one chip and everything is open sourced, but that does not mean that having dual chip and secure element is always better, especially if that chip is using closed source firmware (see posted example for exploits), and yes nothing will help you if you send scammers your seed words.

[Pmalek]

The summary page states that the vulnerabilities discovered in the Ledger Nano S were all fixed. But since it's closed source, it can't be reviewed. Unless there is a newer research that confirms the vulnerabilities are still there, can we assume this is no longer a threat?
As an extra tip, waiting a few weeks before performing a firmware update wouldn't be bad if someone has reasons to believe the servers might be hacked and are storing a fake firmware.

It seems that Ledger has no intention of making the secure element fully open-source.

We're great supporters of open-source and strive to open-source as much of our software as possible. In that light, we will soon open-source the part of the firmware that is responsible of displaying the dashboard where you can see the apps. The parts of the firmware that interact with secure parts of the Secure Element will not be open-sourced, since they are based on proprietary technology, protected by patents and an NDA we signed with the chip manufacturer.

https://www.reddit.com/r/ledgerwallet/comments/e1wh5q/is_ledger_going_to_make_the_firmware_open_source/

[dkbit98]

It seems that Ledger has no intention of making the secure element fully open-source.

NDA with chip manufacturer is very important, but who cares about 'stupid' customer data...it is open for everyone  

They don't want to ever change this, and that is why my open source wallets of choice would be ColdCard mk3, BitBox02 and CoboVault and not in that specific order.

[witcher_sense]

• ColdCard Mk3: Microchip ATECC608A covered by epoxy, open source

I have some questions, not a tech-savvy person, just curious.

What part of Microchip ATECC608A is open source? As far as I know, Microchip has stopped publishing datasheets for their microchips after ATECC508A version, further versions are all NDA. Can I trust these secure elements if data is no longer available for everyone to see and check? How can I be sure that governments haven't forced Microchip to implement some backdoors to steal my crypto?

Found an old topic from Trezor explaining the reasons why they don't use secure elements https://blog.trezor.io/is-banking-grade-security-good-enough-for-your-bitcoins-284065561e9b

[dkbit98]

What part of Microchip ATECC608A is open source?

Some Hardware Wallet manufacturers are using Microchip ATECC608A and they claim Firmware they use is open source. Passport wallet  released everything on their github.
Same chip is used for other devices, not just hardware wallets, and most of it is released on github, but full datasheet is under NDA:
https://github.com/MicrochipTech/cryptoauthlib

No chip or secure element is perfect and there will always be some bugs, but I am not so sure about government backdoors.

[bob123]

What are the benefits of Secure Element in Hardware Wallets?

- Seed words never leave device but they stay in Secure Element
- Secure updates
- Generating 'random' numbers
- No tempering

The mnemonic code (which you are referring to as "seed words") are not stored on the secure element.
The actual seed is stored there. The mnemonic code is only used to generate the seed.

Secure updates and a RNG does not require a secure element. Any crypto co-processor is sufficient for this.

Yes, a secure element helps against tampering.

interesting topic, must say that I was not aware that Trezor does not have any secure element inside

That's the reason the trezor is highly vulnerable to physical attacks.
The trezor needs further protection mechanisms (e.g. strong password) to be sure that an evil maid attack won't make you lose your coins.

[casperBGD]

interesting topic, must say that I was not aware that Trezor does not have any secure element inside

That's the reason the trezor is highly vulnerable to physical attacks.
The trezor needs further protection mechanisms (e.g. strong password) to be sure that an evil maid attack won't make you lose your coins.

but what they are selling, just a piece of hardware with a software open-source light wallet installed on it?
what is the main difference between that solution, and same open-source software on some old laptop, that is not used for anything else, just to have access to your wallet?

why the Trezor is better (just asking, I do not think that it is not) from old laptop? and old laptop sitting somewhere is the basement could be not recognized as hardware wallet, or it would be harder than seeing Trezor as a wallet

what is a main Trezor advantage, in your opinion?

[ranochigo]

but what they are selling, just a piece of hardware with a software open-source light wallet installed on it?
what is the main difference between that solution, and same open-source software on some old laptop, that is not used for anything else, just to have access to your wallet?

why the Trezor is better (just asking, I do not think that it is not) from old laptop? and old laptop sitting somewhere is the basement could be not recognized as hardware wallet, or it would be harder than seeing Trezor as a wallet

what is a main Trezor advantage, in your opinion?

Trezor was one of the first HW wallet maker and it was their choice to not put a secure element within their devices. Their rationale being that the main attack vector is from the net, among various other stuff [1]. I saw this counterargument (by Ledger) years ago and thought that it made more sense[2].

Trezor is designed to not be vulnerable to typical malware and viruses as its primary purpose is to receive and sign transactions, so the attack vector is pretty small. I think their firmware is also signed so that isn't a threat.

I think your final question is about HW wallets in general. As said, the secure element will mitigate the attacks as mentioned. It really depends largely on your usage. Are you confident with handling air gapped storage? Do you want a bit more convenience while ensuring the same level of security (relative)? Do you want to save money on HW wallets?

Personally, I bought a HW wallet not because it's more secure (the threats are largely irrelevant to me) but that it provides much more convenience and portability than an airgapped wallet. Trust me, a hardware wallets makes everything smoother than starting your RPI up and realising your Electrum got corrupted again and having to find and type in the seeds again.


[1] https://blog.trezor.io/is-banking-grade-security-good-enough-for-your-bitcoins-284065561e9b
[2] https://www.reddit.com/r/Bitcoin/comments/52x08n/is_bankinggrade_security_good_enough_for_your/d7odee4/

[dkbit98]

List is updated with CoolWallet S using CC EAL 5+ SE microchip Secure Element but I couldn't yet identify what exactly chip they are using. NXP P5CD081.

You can read what Kraken team found about CoolwalletS HERE in their report.

Secure element can be hacked or exploited like in any other device, that is why Android for example is having bounty program for anyone who exploits secure element in their devices.

...

Let's not forget that Trezor Satoshilabs developers are the first one who created and used BIP39, that is now industry standard and every other hardware wallet is using it.

[dkbit98]

Four more hardware wallets added to the list and they all have various 'secure elements' integrated but like I said before, having secure element does not always make you hardware wallet better or more secure, and I would not recommend buying them:

-Jubiterwallet: EAL6+ SE Infineon, closed source
-Kasse HK-1000: EAL5+ ST31H320 A03, closed source
-Keevo: EAL5+ Infineon Optiga Trust-P, closed source
-Secux: EAL5+ Infineon CC, closed source

[bob123]

but what they are selling, just a piece of hardware with a software open-source light wallet installed on it?
what is the main difference between that solution, and same open-source software on some old laptop, that is not used for anything else, just to have access to your wallet?

why the Trezor is better (just asking, I do not think that it is not) from old laptop? and old laptop sitting somewhere is the basement could be not recognized as hardware wallet, or it would be harder than seeing Trezor as a wallet

what is a main Trezor advantage, in your opinion?

The difference is that your old laptop would be effectively an air-gapped wallet. This means it has to stay offline (not connected to any network) to be secure.
Together with encryption, that's a really solid setup. But the downside is that its not very convenient to use.


A Trezor (or other hardware wallets) have the advantage of them being used togeter with an online PC without the risk of losing coins.
Security-wise its not as good as an air-gapped wallet, but convenience-wise it is so much more pleasant to use.

You can connect your hardware wallet to an infected device without worrying to have your coins stolen since physical confirmation (in form of a button press) is needed to sign transactions.
That's what all good hardware wallets have in common. A downside of trezor is the physical security which can be avoided by using proper password encryption (which is also necessary with an air-gapped wallet btw).

[Coin-Keeper]

witcher_sense : Found an old topic from Trezor explaining the reasons why they don't use secure elements https://blog.trezor.io/is-banking-grade-security-good-enough-for-your-bitcoins-284065561e9b

Great read and accurate as hell.

Spot on!  I did OpSec for a living and I will take full open source hands down.  There is an amazingly high probability that there are engineered backdoors in any close source  "secure element" chip being mandated by Gov agencies.  Tin foil hat, maybe, but the risks have shown to be entirely too prevalent for a wise person to assume them.  BTC is moving to around 30K per coin so the incentive is there!

Here is my spin.  Yep, my Trezor T's don't have a secure element chip.  So I KNOW how they tick and so do all the other coders that care to "hit" them with everything they have in their tool belt.  Along comes Trezor and GitHub and now SD encrypt completely removes the known weakness of the current Trezor T controller.  Its GONE fully, so man up and learn how to use your device.  Its safe and fully open source.  For those that insist on continuing with closed source elements in their devices you have been warned, LOL.  Let me remind members here that there has NEVER been an instance of that one controller weakness "in the wild" for Trezor T's.  The "other guy" with a closed source controller/element has had numerous instances of theft happening with phished app's etc....

[malevolent]

Thanks for the list, OP, for some reason I thought all Secure Elements were closed source.

what is a main Trezor advantage, in your opinion?

I can stick it in my pocket and connect it to my phone to pay someone when I'm away from home or abroad. A lot more convenient than taking a bigger device such as a laptop with me.

[ABCbits]

It seems that Ledger has no intention of making the secure element fully open-source.

Now that i know there are open-source secure element, why don't Ledger migrate from closed-source to open-source secure element? Do they find secure element they currently use is more secure than all open-source secure element?

[dkbit98]

Now that i know there are open-source secure element, why don't Ledger migrate from closed-source to open-source secure element? Do they find secure element they currently use is more secure than all open-source secure element?

Ledger is using ST31H320 and ST33J2M0 secure elements that are EAL6+ level of security but in combination with their normal STM32F042K chip overall security is downgraded back to EAL5+
Some Hardware like Ngrave are promising EAL7+ secure element, but as far as I know only ATECC608A is mostly open source and it can be found even in M5Stack Core2 ESP32 AWS Development Kit.

[igor72]

What are the benefits of Secure Element in Hardware Wallets?

- Seed words never leave device but they stay in Secure Element
- Secure updates
- Generating 'random' numbers
- No tempering

The mnemonic code (which you are referring to as "seed words") are not stored on the secure element.
The actual seed is stored there. The mnemonic code is only used to generate the seed.

If that were true, it would be possible to add a passphrase only during the input/generation of those 12(24) words. But at least in Ledger I can add a passphrase whenever I want.

[casperBGD]

what is a main Trezor advantage, in your opinion?

I can stick it in my pocket and connect it to my phone to pay someone when I'm away from home or abroad. A lot more convenient than taking a bigger device such as a laptop with me.

agree completely, but isn't that what hot wallets are for? to have wallet for your payments, that does not have all your funds in it
with fiat, you also do not hold all your funds, when you have to pay for bread and milk in the store

The difference is that your old laptop would be effectively an air-gapped wallet. This means it has to stay offline (not connected to any network) to be secure.
Together with encryption, that's a really solid setup. But the downside is that its not very convenient to use.


A Trezor (or other hardware wallets) have the advantage of them being used togeter with an online PC without the risk of losing coins.
Security-wise its not as good as an air-gapped wallet, but convenience-wise it is so much more pleasant to use.

You can connect your hardware wallet to an infected device without worrying to have your coins stolen since physical confirmation (in form of a button press) is needed to sign transactions.
That's what all good hardware wallets have in common. A downside of trezor is the physical security which can be avoided by using proper password encryption (which is also necessary with an air-gapped wallet btw).

thanks, that is what I thought as well, they are selling convenience, and that is ok, although if one has more funds, it is better to have several wallets, and use one or two for payments (or other type of hot wallet) and all the other store on the same way, as old laptop (for HODL purpose)

[malevolent]

agree completely, but isn't that what hot wallets are for? to have wallet for your payments, that does not have all your funds in it
with fiat, you also do not hold all your funds, when you have to pay for bread and milk in the store

A different passphrase may be used to access long-term storage funds, or a different physical hardware wallet altogether. When making bigger payments away from home a hardware wallet will still be useful and more convenient.