Docs Menu
  • COLDCARD Docs
  • User Guide
  • Other Features and Tools
  • Advanced Topics
  • Specifications
  • Guides by the Community
  • How To Videos
  • Glossary
  • Hardware Wallet Comparison
  • New in Mk4
    • /

    Physical Security Notes

    Defence in Depth

    Defence in Depth means multi-layer security, many layers and many types of protection. We mention defence in depth and physical security frequently because it is as important to us as it is to you.

    You're probably aware of COLDCARD®'s layers like encryption, air gapping, and verifiable software (if not, please browse our documentation). In this section, we focus on COLDCARD's physical security features:

    Security is in the Bag

    The first line of defence is the tamper-evident bag with its colourful and detailed printing, bar code, and water damage indicator. Our Quickstart Guide covers the bag-opening process for new customers.

    Bag Number

    One of the most important features is the bag number. The factory records this number in a secure location within the COLDCARD's flash memory. So, there is an actual link between a COLDCARD and its bag.

    The bag number appears three times: ① in the blue border at the top of the bag, ② with a bar code under the orange Coinkite® text, and ③ inside the bag on a torn-off tab. All three instances of the bag number match.

    Mk3 COLDCARD Bag Number Locations

    Tear-Off Tab

    The tear-off tab inside is another way to confirm factory freshness. The numbered tab gets removed from the top of the bag and sealed inside before shipping. Put the two together and inspect them. You should see the tear-off tab matches the top of the bag.

    Mk3 COLDCARD Tear-Off Tab Matched with Bag

    VOID Seal

    Pulling apart the bag reveals the VOID seal. If you open the bag and don't see the words VOID and OPEN (for example, you cut the bag instead of pulling it apart), you can still make sure the VOID seal is present and genuine by locating the layers and pulling them apart.

    Mk3 Bag V2 VOID Seal

    Mk3 Bag V2 VOID Seal Layers

    NOTE: Tweezers for demonstration purposes only. Tweezers won't pull the layers apart very well.

    Water Damage Indicator

    If the bag has been compromised and exposed to water, the thin white stripe below the VOID seal will wash away, releasing a pale blue dye.

    Compromised Mk3 Bag V2 Dipped in Water

    The left side shows where the water has reached; the right side shows the white stripe intact:

    Compromised Mk3 Bag V2 Water Damage Indicated

    A Clear Case for Security

    Malicious hardware has nowhere to hide. COLDCARDs have see-through cases making physical attempts to alter the hardware glaringly obvious. The case material is tough, impact-resistant plastic. Even if you accidentally drop your COLDCARD, you're still hodling tight and worry-free.

    COLDCARD Front View

    COLDCARD Back View

    GENUINE and CAUTION LEDs

    Attackers discouraged from implanting hardware may consider the firmware route to compromise a COLDCARD. Unfortunately for them, the factory signs every firmware release, and the device looks for this signature on startup.

    COLDCARD Caution LED Glowing Red

    Each time a COLDCARD connects to power, it verifies the firmware signature and checks all data stored in its flash memory. The red CAUTION LED is lit during this process while the screen displays the verification notification message. Once the signature and the flash memory are verified, the green GENUINE LED indicates it is safe to enter your PIN. If the firmware is not factory-signed, the red CAUTION LED stays lit as a warning not to enter your PIN.

    These LEDs also have a role in the firmware upgrade process, which you can read about here.

    Glorious Globs of Epoxy

    The epoxy inside a COLDCARD isn't there just for looks. It defends your secrets in several ways by covering critical components like:

    • The MCU
    • The Secure Element
    • The LED control circuit

    We've used a special case to give you a clearer look at our epoxy.

    On the back of the case, you'll find our most apparent application of epoxy, which covers the MCU and bonds it to the case. This bond ensures splitting the case apart causes visible and functional damage.

    Close-Up of Epoxy Covering COLDCARD MCU

    Flip the COLDCARD over and between the GENUINE and CAUTION LEDs is the second most visible dab of epoxy, the one covering the Secure Element.

    Close-Up of Epoxy Covering COLDCARD Secure Element

    As for the LEDs, epoxy also covers their control circuit. Getting through the epoxy to tamper with the circuit is easily detected.

    Each dab of epoxy is unique, like a fingerprint. A user familiar with the appearance of their COLDCARD's epoxy can treat the epoxy as yet another identifier if their device gets secretly swapped.

    In short, the epoxy globs:

    • Protect the case from being opened without notice
    • Can act as an identifying trait of a particular COLDCARD
    • Prevent the LED circuit from being altered unseen
    • Make it exceptionally difficult to interfere with the connections between components
    • Complicate any attempts to modify, remove, or swap out the protected parts

    One Tough Chip: The Secure Element

    You might not think of physical security as part of a chip's job, but the Secure Element's contribution to the cause is much deeper than the epoxy covering it.

    Secure Element defence highlights:

    • Provides dedicated, purpose-built secure storage for your seed words, physically separated from the MCU
    • Controls the LEDs so malicious software can't change their behaviour
    • Removes the possibility of resetting the device due to its heavy involvement in COLDCARD operations

    It's even willing to take a bullet to protect your secrets. We've marked where to aim - just in case.

    Previous Next

    Search Results for ""

    We've found relevant search results.