Posts

Expectations Meet Reality: "Unbiased" Review of COBO Vault Airgap Wallet

avatar of @edicted
25
edicted
@edicted
·
0 views
·
10 min read

I received my COBO Vault in the mail about a week ago.

I was pretty excited, considering it was a technology I didn't even know existed yet, and I thought of it myself all on my own.

I remember thinking:

"There's no way no one hasn't thought of this yet... it's too good of an idea."

And I was right :D

Hive Airgap Wallet Idea

In any case, I get this thing in the mail, and already I'm pretty impressed. When you peel off the tape on the sides it leaves behind a glittering 'void' label so you "know" it hasn't been tampered with.

So the battery pack on this thing is pretty cool. It takes 4 triple A batteries (I have a bunch of rechargeables) and it attaches to the back using only magnetic force, making it very easy to remove and reattach.

So I turn the thing on and get a message saying I need to verify the security of the device. I head on over to https://cobo.com/hardware-wallet/web-authentication, where I was met with the following screen:

Apparently, this is how it works:

https://medium.com/cobo-vault/web-authentication-a-counter-to-supply-chain-attacks-68e7d12647e3

Each Cobo Vault has a pair of public and private keys pre-installed in the Secure Element during manufacturing that is used solely for the purpose of Web Authentication. This pair of keys has nothing to do with the public and private master key pair generated from physical entropy by the Secure Element for the HD wallet during initialization of the Cobo Vault.

To spoof this process, attackers would need a considerable amount of resources. Not only would the HSM server have to be hacked, but the device’s Secure Element would also have to have been compromised. We are using AWS’s HSM server, which in our evaluation has the highest degree of security. With the Secure Element’s strong track record of being notoriously difficult to directly hack into, it is extremely improbable that both would be compromised at the same time.

Nice work, COBO!

Also, apparently the 12, 18, or 24 word seed phrase is generated using "true random number generation".

TRNG

My understanding of random number generation (RNG) using "physical entropy" is...

https://en.wikipedia.org/wiki/Hardware_random_number_generator

In computing, a hardware random number generator (HRNG) or true random number generator (TRNG) is a device that generates random numbers from a physical process, rather than by means of an algorithm. Such devices are often based on microscopic phenomena that generate low-level, statistically random "noise" signals, such as thermal noise, the photoelectric effect, involving a beam splitter, and other quantum phenomena. These stochastic processes are, in theory, completely unpredictable, and the theory's assertions of unpredictability are subject to experimental test. This is in contrast to the paradigm of pseudo-random number generation commonly implemented in computer programs.

So this thing is basically generating TRUE random numbers (TRNG) that are unpredictable because they are created using microscopic flaws located directly in the hardware. Pretty crazy if you ask me. I didn't even know this existed.

Trouble in paradise?

So of course I proceed to scan the QR code with the Vault's camera. Unfortunately, the QR code will not scan. The QR code is too big and the camera can not focus. The camera is only in focus at a certain distance.

Confused, I asked my roommate to print out the QR code on a physical piece of paper so I could try again. That also did not work. Shortly after, I took a screen shot of the QR code and pasted it into MS Paint. I made the QR code smaller in Paint and that ended up 'working'. Later I found out that the reason the QR code was so big was that I had hit CONTROL + a few times to make everything bigger in Chrome. Hitting CTRL - a couple times also fixed the problem.

DAFUCK!?!?!

Okay, so this was my second try at trying to verify the integrity of my device, and I figured I messed something up when I restarted in the middle of the first try. On the third try it worked fine, so I figured this error was just some kind of weird glitch.

I continued to journey onward, setting up the password and picking the coins I wanted the wallet to display on the main screen (BTC, LTC, ETH). However, during this process the touch screen started bugging out and spamming random buttons.

Oh, great.

I turned the screen on and off and that "fixed" it, but the accuracy of the touch screen is really bad. In fact, it was pretty much impossible to type in my password without miss-clicking buttons (tried over a dozen times). It's about this time that I'm thinking:

Wow! This thing is a hunk of shit!

But wait! There's more!

ARE YOU FUCKING SHITTING ME?!?!?!

They straight up sold me a device with outdated firmware. THE WHOLE GOD DAMN POINT OF THIS AIRGAP WALLET WAS TO AVOID CONNECTING TO THE INTERNET. WHAT'S THE FIRST THING THEY TELL ME TO DO? CONNECT TO THE INTERNET TO DOWNLOAD FIRMWARE! FUCK!

That's right, fuckers!

I shamelessly shilled my own blog to a damn tech support guy in Hong Kong!
NO SHAME IN MY GAME!

Kek!

Speaking of Hong Kong... I didn't even realize where this device was coming from. It got me thinking: do I really trust some random Podunk operation out of China to secure my crypto? Am I an idiot for buying this stupid thing?

https://cobo.com/about

Not exactly a lot of info here.

And I was also charged a randomly weird amount like 79 cents or something.

International Service Fee Assessed $0.79 on $99.00 Trace: xxxxxxxxxxx at COBO, HONG KONG, HK 1 at $0.79

Weird

They actually did add this slider bar to the website that changes the size of the QR code in response to my email. So that's something.

Alright

So the reason why my device said it had been hacked was not because I did something weird. It was because of the touch screen spazzing out. In fact, the COBO vault doesn't know it's been hacked. It's mainly up to the website to tell you a hack has occurred. Therefore, when the Vault told me to tell it if everything was okay or not, the poor touch screen randomly happened to hit the "failed" button and that's why the hacked error message came up. So I guess that's a relief... but still... what the hell.

Wanna guess how the firmware is updated?

I guess I already gave that away in the support emails. https://support.cobo.com/hc/en-us/articles/360046064053-Upgrading-Firmware

Preparation

  1. Micro SD card (Requirements: Default FAT 32 format and capacity not exceeding 32GB. Other Micro SD cards won’t be detected by the Cobo Vault. Micro SD card not included with Cobo Vault.)
  2. Computer: Used to download the firmware upgrade file.
  3. Micro SD card reader (Not necessary if your laptop can read Micro SD cards.)
  4. Cobo Vault with battery level kept above 70%.

Speaking of the battery

Before I upgraded the firmware, the device seemed to have no idea how much charge was left on the battery. The percent kept ping ponging all over the place. Every time the screen was activated and turned on you'd see a new number and that number would often drain fast and then get reset to a higher number after the screen turned off and on again. So that's fun.

I think this is why the 70% battery requirement is so high to upgrade firmware (device literally won't let you do it, I was at 67%). If the device lost power at the wrong time in the middle of a firmware update it would almost certainly get bricked (going from second-hand experience here). The actual firmware upgrade didn't take long and didn't use a lot of power.

But I'm getting ahead of myself.

Because I haven't even upgraded the firmware yet. Jesus Christ lol.

So it turns out I originally read the SD card requirements incorrectly. I thought it said I needed a card with more than 32 gigs and it's actually the opposite.

Luckily, I actually did have such an SD card!

Remember that Raspberry Pi Zero I was messing with?
I actually bricked it the other day trying to change the password. Apparently I typed in the wrong password twice in a row and I couldn't figure out what the error was.

As luck would have it, bricking my Pi Zero caused me to buy an SD card-reader so I could connect it to my PC and fix the issue. I almost tried to download the firmware .zip file directly to the SD card without deleting the operating system, but then I realized I was being an idiot. Am I really going to try and upgrade the firmware of my airgap crypto wallet using an SD card that literally has an operating system installed on it? That's just stupid. I deleted all the partitions and reformatted it to FAT32 so it was compatible. After that I downloaded the .zip file to it.

As we can see in the picture above, getting the SD card into the device isn't that straightforward. See how it's poking out like that? That's where the battery is supposed to go. Turns out you can push it all the way inside the device and it is spring-loaded so when you remove the battery pack it comes back out automatically.

I dropped the SD card on the ground twice due to the weird spring-loaded action and I dropped the entire device on the ground once fumbling around with this bullshit. At this point I'm pretty annoyed, if you can't tell. Luckily the device is very study and dropping it on the ground didn't put a scratch on it. SD cards are surprisingly resilient as well.

Like I said before

I try to upgrade the firmware but the battery power is at 67% (minimum 70%) so I had to grab some more batteries really quick. No problem. The firmware upgraded without any further hitches. At this point the accuracy of the keyboard is greatly improved, but it is still very difficult to type in my password without a misclick. I would say the upgraded firmware (1.0.5) prevented around 75% of the misclicks I would have sustained with 1.0.4. Instead of typing the wrong button 4 to 8 times this was reduced to 1 to 2 times. This is an obviously vast improvement, but also still annoying considering how accustomed we are to touch screens being amazing these days.

At this point I'm simply trolling their support line. I know damn well that the security they have for this thing is better than an MD5 hash.

But wait! I'm not done trolling!

The screw was probably just so rogue screw on my desk that got stuck to the battery pack. I vaguely remember there being a tiny black screw on my desk for some reason. Although it was pretty weird that it looked identical to the other screws and it just appeared out of nowhere while I was trying to get the damn SD card into the device.

Alright I'm finally done trolling them.

I'm now ready to pair this thing to my phone!

During this process my COBO Vault creates a series of QR codes in order to pair it to my phone. There were 3 QR codes in total, cycling quickly. I assume each QR code represented the 3 assets I wanted to use (BTC LTC ETH). These would have been my public keys.

After the process had completed I realized something.

The COBO app is 100% required for the COBO Vault to work. What would happen if the company were to go out of business? What would happen if I no longer had access to the app? This would make signing transactions much more difficult (or even impossible). Something to think about.

In any case, I get the app up and running and ready to finally test it out.
I decided to go with Litecoin, for obvious reasons.

As we can see, the average cost for a Bitcoin transaction is pretty high. Over the last few years the lowest it ever got was like 15 cents per transaction. Just last week it cost $6 for a transaction.

Guess how much it cost me to transfer Litecoin?

0.00000225 Litecoin to make a transaction. It literally cost me one hundredth of a penny to transfer Litecoin directly on the blockchain. This should give you some idea of how undervalued this sleeper asset is.

Sure, Binance charged me a lot more than that to move LTC off their platform (0.001), but even that is only 5 cents.

Perhaps you're wondering if I found any problems with the phone app.

Notice anything?

The numpad doesn't even have an option for a decimal point (".") LOL you can't type a period. Period. . . . . . . .

So what you end of having to do if you want a decimal point is to fill in one side with a whole number, and the other other side auto-fills with a decimal point and you can modify it from there.

Also the default currency was CNY (Chinese Yuan) reminding me once again where I purchased this thing from and how much I can trust it.

Trust in a trustless environment.

The most important lesson I learned from all this is that we can never 100% trust these companies to secure our funds for us. Everyone claims that these hardware wallets are so secure, but are they really?

What happens when crypto goes mainstream? What happens when the government cracks down on COBO and forces them to build some kind of backdoor into the system? At that point it doesn't matter how good their security is because they are the ones breaking it.

This entire process made me realize I can't depend on a single hardware wallet, just like I can't depend on a single exchange or blockchain. To achieve maximum decentralization and mitigate my exposure to risk, I need to branch out and have assets all over the place, secured in many different ways. Decentralize your holdings! Wow! Look at all these shitcoins I was interested in back in the day! May 2018 post!

So what happened next?

I transferred Litecoin to my COBO public key from Binance. Then I used to COBO to send a little Litecoin back to Binance.
Then I typed in the password wrong 5 times which wipes the device.
Then I used the seed to regenerate all my keys and tested it again.
Back and forth... Everything worked.

Conclusion

It's impossible to be fully objective and unbiased on a review. My experience will not necessarily be the experience of others. However, that being said, I think I've been pretty fair with this one.

If anything, this entire experience has taught me that our reliance on authority is overwhelming. We are constantly put into situations where we absolutely have to trust institutions that are not necessarily trustworthy. As we forge this path through the spectrum of decentralization, it should get better over time, but there will be many trials and tribulations along the way.

There are a lot of problems with the COBO Vault, but at the same time it is also a very neat little gadget with full on airgapped security. It is nearly impossible for a hacker to breach this security. Personally, I'm more worried about governments themselves or corporate insiders. A single forced firmware update is all it takes.

I believe this airgap technology will obviously become the standard. If I end up acquiring the resources, I will work to create this same tech as outlined in my own post using Raspberry Pi hardware to secure the Hive blockchain. Unlike other hardware wallets, this technology could be fully implemented by the users themselves so that the amount of trust required is greatly reduced.