Wallet Logo

YubiKey 5Ci by Evercoin

🔍 Last analysed 29th April 2022 . Bad Interface
12th November 2019

Jump to verdict 

Help spread awareness for build reproducibility

Please help us spread the word discussing build reproducibility with YubiKey 5Ci by Evercoin  via their Twitter!

Do your own research!

Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.

If you find something we should include, you can create an issue or edit this analysis yourself and create a merge request for your changes.

The Analysis 

Background Information

Evercoin has released an article on Medium with information on the hardware wallet and mobile app.

Today, at NYC Consensus Invest, we announced Evercoin 2, the safest wallet, now with hardware security by YubiKey.

YubiKey 5Ci by Evercoin is meant to provide “hardware security” to the existing Evercoin app: Evercoin: Bitcoin, Ripple, ETH No Source! Stale! It was also created in partnership with YubiKey.

Evercoin today announced the introduction of hardware security by integrating with YubiKey.

Interface

YubiKey 5Ci is the newest addition to the Yubikey 5 series with support for USB-C and a lightning connector. It is able to connect to iOS and Android devices. It has no screen display or button for signing transactions.

On the other hand, the blog post linked above claims that it’s the app that has to make and confirm transactions.

Because Evercoin is mobile-first, it means we can benefit from the phone’s in-built security features. This means, unlike traditional hardware wallets, we can benefit from biometric features on the phone to accentuate the security of your wallet. So, fingerprint ID or face ID can be used where appropriate as an additional biometric authentication factor.

On Private Keys:

The traditional wallet back up scheme is to take a 12- or 24-word passphrase and store it in a safe place. Unfortunately, this procedure is provably prone to user error. According to Fortune magazine, Chainalysis stated that as many as 3.79M bitcoins are likely to be lost forever due to mishandling private keys.

The problem is developing a service that enables a user to back up and restore their private keys (and therefore their wallet and all their assets) but in which the service provider (in this case, Evercoin) never has the private keys.

In this case, this is achieved by splitting the key into two shards — neither of which on their own can restore the private key. One of the shards is stored in a special URL that is generated by the user’s device and sent directly to the user’s email (so Evercoin never sees this shard). The other shard is held by Evercoin. Because of this patent-pending approach, whenever the user loses their phone, their Yubikey, their pin, their password they can be helped and they can recover their assets.

We feel that the traditional hardware wallet is very secure… but we assert that it is unsafe, and that user error can cause total loss of funds. Still, because traditional hardware wallets are so secure, we want to further make the case that we are practicing safer crypto.

Analysis

The next thing that’ll happen is actually pretty exciting, which is you remove, so when you pull the Yubikey, the wallet now enters this cold storage mode.

So, the cold storage mode basically means now that the private key is now no longer anywhere on the phone to be found.

This is from an article with instructions on how to use Yubikey with Evercoin. The wallet is meant to enter an offline or a “cold storage mode” when the YubiKey device is disconnected. The article claims this makes it so that the private key won’t be found anywhere on the phone.

YubiKey 5Ci by Evercoin must be connected to an external device, thus it risks exposing the keys. Although the providers state that the wallet enters a cold storage mode, there is still the risk of the app being compromised in the first place. There’s also the fact that this product has no interface meaning it can’t make transactions by itself and relies on the app to do so.

(dg)

Verdict Explained

The design of the device does not allow to verify what is being signed!

As part of our Methodology, we ask:

Bad Interface!

Can the user verify and approve transactions on the device?

If the answer is "no", we mark it as "Bad Interface".

These are devices that might generate secure private key material, outside the reach of the provider but that do not have the means to let the user verify transactions on the device itself. This verdict includes screen-less smart cards or USB-dongles.

The wallet lacks either an output device such as a screen, an input device such as touch or physical buttons or both. In consequence, crucial elements of approving transactions is being delegated to other hardware such as a general purpose PC or phone which defeats the purpose of a hardware wallet.

Another consquence of a missing screen is that the user is faced with the dilemma of either not making a backup or having to pass the backup through an insecure device for display or storage.

The software of the device might be perfect but this device cannot be recommended due to this fundamental flaw.

The product cannot be independently verified. If the provider puts your funds at risk on purpose or by accident, you will probably not know about the issue before people start losing money. If the provider is more criminally inclined he might have collected all the backups of all the wallets, ready to be emptied at the press of a button. The product might have a formidable track record but out of distress or change in management turns out to be evil from some point on, with nobody outside ever knowing before it is too late.