Tangem Wallet - Apparent issues with seed phrase wallets

[MoparMiningLLC]

I need to - or others can as well - do more research but I wanted to share this as I just saw it.

https://www.reddit.com/r/Tangem/comments/1hq6hyj/if_you_have_a_tangem_wallet_with_a_seed_phrase/

https://www.reddit.com/r/Tangem/comments/1hpj4p2/tangem_come_clean_on_what_happened_with_seed/

https://www.reddit.com/r/Tangem/comments/1hqaj8h/private_key_leak_ios_only_or_android_too/

https://www.reddit.com/r/Tangem/comments/1hpyjjp/just_saw_another_commit_regarding_the_private_key/

[_act_]

The last time I do research about Tangenm wallet, it is a hardware wallet. What if the users that were affect have huge amount on the wallet, thinking that it is a hardware wallet, which is secure than those software wallet that are always connected online. Their coins can be gone in just some seconds or few minutes. This has been one of the reasons I prefer wallet on airgapped devices. I remember in the past that common hardware wallets like Trezor and the now non-recommended Ledger Nano suffer some security breached in the past.

[Hox]

Interesting. It sounds like they were logging the seed phrase on setup. I don't know why they would do this in the first place. Then when submitting a support request these logs were sent, leaking the seed.

I recently got the tangem ring and when setting it up it does warn that using a seed phrase is significantly less secure, but this is another thing entirely. Its a shame, they made some interesting products. I am only interested in collecting and never intended to use them as a wallet, but it sucks to see a company who made such nice hardware make silly software decisions like this.

[MoparMiningLLC]

Interesting. It sounds like they were logging the seed phrase on setup. I don't know why they would do this in the first place. Then when submitting a support request these logs were sent, leaking the seed.

I recently got the tangem ring and when setting it up it does warn that using a seed phrase is significantly less secure, but this is another thing entirely. Its a shame, they made some interesting products. I am only interested in collecting and never intended to use them as a wallet, but it sucks to see a company who made such nice hardware make silly software decisions like this.

I agree - I have used a few of them to test em out, play with etc but I never leave funds on a hot wallet. The only 2 hot wallets I use are Strike (easy conversion of fiat job pay and zero fee sending) and Balletcrypto pro wallet (no risk if wallet is taken as requires a passphrase only the user knows).  Cold storage is non-hardware wallet - total airgap - offline etc

[owlcatz]

Interesting - I have a couple of these - one fairly older one and a newer one, but never really messed with either... I thought they had NFC or maybe that was a different one.

[MoparMiningLLC]

this appears to be only affecting the wallets that used "seed generation" something about if a person used the app to file a ticket or w/e it would send the seed to Tangem who then would send it back via email as an attachment or some crazy thing like that. There are a dozen threads on reddit over the past 2 days about it. Hard to know for sure what is correct or what is not. This appears to be only affecting the new ones. But  I could be wrong.

[owlcatz]

this appears to be only affecting the wallets that used "seed generation" something about if a person used the app to file a ticket or w/e it would send the seed to Tangem who then would send it back via email as an attachment or some crazy thing like that. There are a dozen threads on reddit over the past 2 days about it. Hard to know for sure what is correct or what is not. This appears to be only affecting the new ones. But  I could be wrong.

Oh shit, thanks man. Maybe I'm just better off not reading it at all, since I haven't funded any, I just thought one or two were cool at some point, and the other older one was from @Chib long ago. The older one is a bit different, I'll have to find it and probaly send to mj for auction anyhow..

[dkbit98]

this appears to be only affecting the wallets that used "seed generation" something about if a person used the app to file a ticket or w/e it would send the seed to Tangem who then would send it back via email as an attachment or some crazy thing like that. There are a dozen threads on reddit over the past 2 days about it. Hard to know for sure what is correct or what is not. This appears to be only affecting the new ones. But  I could be wrong.

It's concerning to see how they are mostly ignoring this huge issue and they continue to make celebration posts on their social media and telegram group.
Even their website is not showing anything about this, unless you go to their blog post from December 31.
They are blaming everything on NFC logging mechanism for their app, and they are telling customers to go switch to seedless setup.
I can only imagine what would happen in that case if Tangem goes bankrupt and shuts down 
Much better alternative for Tangem is Satochip.

Stay away from all devices and hardware wallets that are not open source.

[DaveF]

Being discussed here too: https://bitcointalk.org/index.php?topic=5524810

Dave's opinion (and remember what they say about opinions, they are like buttholes everyone has one and most stink): It's not that big a deal. A major screw up for sure, but not something wt over.

For the compromise to happen you would have to create a wallet with a seed (which they advice against) and then do something that involves having your logs sent to them. Before they were overwritten or purged. At a 1000% guess they had the seed shown in the log for testing and someone forgot to turn that off. The logs were in a location on your phone that the Tangem app should have been the only app that had access to. Because:

If you have other things on your phone that are snooping on other logs and reading / scanning / sending that info to malicious people you have many many many larger issues. Since the info was in a location that only the Tangem app should have access to.

However, and this is just me. Most people who use Tangem products have the card in their wallet or the ring on their finger. You know, right next to the phone that has the app. It's a nice layer of security but not as good as having a hardware wallet locked in a safe that nobody knows about.

-Dave

[MoparMiningLLC]

yea - I was reading that this morning - about the slim possibility due to the circumstances needed in order for your key to be exposed. And I agree that while it is a huge fuck up - it could have been much worse.


This is what makes any wallet hard to trust though.

[krogothmanhattan]

  Bought Tangem when they first came out years ago....still sealed inside the envelope they came in. Only as a collectable and thats it.

  I mainly use Paper wallets I generate and Trezor. Been very happy with both.