
Memory BOX Pro 2.0

🔍 Last analysed 8th December 2021. Bad Interface
1st January 2019


Do your own research!

Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.

If you find something we should include, you can create an issue or edit this analysis yourself and create a merge request for your changes.

The Analysis 

The device was announced on Twitter on May 17, 2020. It was difficult to find technical information, documentation, reviews and video reviews of the product. It does, however, have some Chinese-language videos on its official YouTube channel.

From what we can see, the device does not have a display.

  • Multi-chain support - Maximum 500+ multi-chain wallet with safe storage
  • Double backup - Two-way backup stored in SD card, safe and stable
  • High-speed transmission - Bluetooth high-speed connection, one-click synchronization

It is also apparently paired with

Start Wallet(EOS, BTC, ETH, TR No Source!

However, going over the StartEOS Memory Box 2 page, it would seem that the Start App is now supposed to be downloaded from their own servers.

Private keys can be created offline - ❓

From this video, it would seem that the Memory Box serves more as a Bluetooth-enabled device to back up the StartEOS wallet.

The StartEOS help files redirect to another domain, yuque.com. It is a Chinese-language site.

Private keys are not shared - ✔️

From Yuque.com, we have some clues on how the Memory Box handles private keys:

友情提示:Start开发的Memory Box硬件钱包,它将私钥单独存储在一个安全芯片中,与网络彻底隔离。因其不触网,从而杜绝了一切网络黑客入侵方式,是目前最安全的钱包之一。

Translated via Google Translate:

Friendly reminder: The Memory Box hardware wallet developed by Start stores the private key separately in a security chip, which is completely isolated from the network. Because it does not touch the Internet, it eliminates all methods of network hacking, and it is one of the most secure wallets at present.

Device displays receive address for confirmation - ❌

The device does not have a display.

Verdict

This device has no display through which the user can interact with it. It can only be paired with an app whose APK is downloadable through the StartEOS website.

(ml, dg)

Verdict Explained

The design of the device does not allow the user to verify what is being signed!

As part of our Methodology, we ask:

Can the user verify and approve transactions on the device?

If the answer is "no", we mark it as "Bad Interface".

These are devices that might generate secure private key material, outside the reach of the provider, but that do not have the means to let the user verify transactions on the device itself. This verdict includes screen-less smart cards or USB dongles.

The wallet lacks either an output device such as a screen, an input device such as touch or physical buttons, or both. In consequence, crucial elements of approving transactions are being delegated to other hardware such as a general-purpose PC or phone, which defeats the purpose of a hardware wallet.

Another consequence of a missing screen is that the user is faced with the dilemma of either not making a backup or having to pass the backup through an insecure device for display or storage.

The software of the device might be perfect but this device cannot be recommended due to this fundamental flaw.

The product cannot be independently verified. If the provider puts your funds at risk on purpose or by accident, you will probably not know about the issue before people start losing money. If the provider is more criminally inclined, he might have collected all the backups of all the wallets, ready to be emptied at the press of a button. The product might have a formidable track record but, out of distress or a change in management, turn out to be evil from some point on, with nobody outside ever knowing before it is too late.