[1/π§΅] You've heard of @XummWallet but aren't sure if you can #trust its #security?
You'll learn about @cossacklabs' most recent security assessment and why the #XUMM #wallet strives to maintain the highest security standards.
Follow along in this "all-in-one security π§΅" π
You'll learn about @cossacklabs' most recent security assessment and why the #XUMM #wallet strives to maintain the highest security standards.
Follow along in this "all-in-one security π§΅" π
[2/24] β Outline β
πΈ Basic Introduction
πΈ Hot #Wallet Fundamentals
πΈ #XUMM Wallet Security
πΈ #Security Audit (18.05.2023)
πΈ XUMM @Tangem Cards
πΈ #Tangem Card Facts
πΈ Basic Introduction
πΈ Hot #Wallet Fundamentals
πΈ #XUMM Wallet Security
πΈ #Security Audit (18.05.2023)
πΈ XUMM @Tangem Cards
πΈ #Tangem Card Facts
[3/24] β Basic Introduction β
After hearing the news of #Ledger willingly integrating a π-extraction mechanism into their FW if opted-in, I decided it was time to review #XUMM + @Tangem
This 𧡠is not sponsored in any way, & all of my praise comes from the bottom of my β€οΈ
After hearing the news of #Ledger willingly integrating a π-extraction mechanism into their FW if opted-in, I decided it was time to review #XUMM + @Tangem
This 𧡠is not sponsored in any way, & all of my praise comes from the bottom of my β€οΈ
[4/24] β 1β£ Hot Wallet Fundamentals β
βΆοΈ #XUMM is a hot, self-custodial ("unhosted") mobile-only #cryptocurrency wallet designed exclusively for the XRPL ecosystem, allowing users to securely store their private keys, make payments, and engage with the #XRPL via #xApps.
βΆοΈ #XUMM is a hot, self-custodial ("unhosted") mobile-only #cryptocurrency wallet designed exclusively for the XRPL ecosystem, allowing users to securely store their private keys, make payments, and engage with the #XRPL via #xApps.
[5/24] β 2β£ Hot Wallet Fundamentals β
Regardless of how secure the app is, "hot" desktop & mobile apps have access to the internet & are only as secure as their weakest link.
Keep the following in mind:
πΈ Update your smartphone
πΈ Don't use public WiFis
πΈ Use strong passwords
Regardless of how secure the app is, "hot" desktop & mobile apps have access to the internet & are only as secure as their weakest link.
Keep the following in mind:
πΈ Update your smartphone
πΈ Don't use public WiFis
πΈ Use strong passwords
[6/24] β #XUMM Wallet Security β
β How long would it take an attacker to successfully exploit the app?
πΈ ~99 quadrillion years β secret number
πΈ ~228 years β 6 digit passcode
πΈ There is basically no pw-length restriction for the signing password β 200+ years (16 chars)
β How long would it take an attacker to successfully exploit the app?
πΈ ~99 quadrillion years β secret number
πΈ ~228 years β 6 digit passcode
πΈ There is basically no pw-length restriction for the signing password β 200+ years (16 chars)
[7/24] β 1β£ #Security Audit β
@XRPLLabs had a security assessment performed by #Cossacklabs that required over 240 person-hours of work and was publicly disclosed on 18.05.2023
The main takeaway was:
βοΈ "No critical vulnerabilities or immediate exploits were identified"
@XRPLLabs had a security assessment performed by #Cossacklabs that required over 240 person-hours of work and was publicly disclosed on 18.05.2023
The main takeaway was:
βοΈ "No critical vulnerabilities or immediate exploits were identified"
[8/24] β 2β£ #Security Audit β BEFORE β
During the 1st evaluation, #Cossacklabs noticed that "only" 28 of the relevant 65 standards had been met.
Sounds worse than it is since #XUMM users were never at risk as long as their π± were updated and their passwords were kept safe. π«‘
During the 1st evaluation, #Cossacklabs noticed that "only" 28 of the relevant 65 standards had been met.
Sounds worse than it is since #XUMM users were never at risk as long as their π± were updated and their passwords were kept safe. π«‘
[9/24] β 3β£ #Security Audit β AFTER β
Following the implementation of the solutions, #Cossacklabs verified that 58 of the necessary 65 criteria were met, significantly reducing the number of unresolved issues.
Consider how much effort went into resolving all of that. π₯
Following the implementation of the solutions, #Cossacklabs verified that 58 of the necessary 65 criteria were met, significantly reducing the number of unresolved issues.
Consider how much effort went into resolving all of that. π₯
[10/24] β 4β£ #Security Audit β
Many cryptographic flaws and weaknesses, according to #Cossacklabs, were caused by insufficient security controls that were already in place but did not meet the highest criteria.
Many cryptographic flaws and weaknesses, according to #Cossacklabs, were caused by insufficient security controls that were already in place but did not meet the highest criteria.
[11/24] β 5β£ #Security Audit β
As a result, @XRPLLabs opted to re-implement the whole cryptographic layer, thereby building on existing solid foundations to combat certain sophisticated edge cases.
As a result, @XRPLLabs opted to re-implement the whole cryptographic layer, thereby building on existing solid foundations to combat certain sophisticated edge cases.
[12/24] β 6β£ #Security Audit β
Key takeaways:
πΈ Even #XUMM is not foolproof
πΈ No secrets were ever compromised
πΈ Security has been upgraded based on WASP MASVS v1.5
πΈ @XRPLLabs team is capable of fixing code related security issues
πΈ Hot wallets will inevitably be attacked
Key takeaways:
πΈ Even #XUMM is not foolproof
πΈ No secrets were ever compromised
πΈ Security has been upgraded based on WASP MASVS v1.5
πΈ @XRPLLabs team is capable of fixing code related security issues
πΈ Hot wallets will inevitably be attacked
[13/24] β 1β£ XUMM Tangem β Firmware β
There are @Tangem cards and #XUMM branded Tangem cards that both use one firmware that has been reviewed by #Kudelskisecurity with one exception:
The XUMM-branded #Tangem cards are not designed to sync the keys π
There are @Tangem cards and #XUMM branded Tangem cards that both use one firmware that has been reviewed by #Kudelskisecurity with one exception:
The XUMM-branded #Tangem cards are not designed to sync the keys π
https://twitter.com/WietseWind/status/1659541030163578883
[14/24] β 2β£ XUMM Tangem β Firmware β
Not only can the firmware not be upgraded by design, but the #firmware can never give out your #privatekey because it is physically only feasible to communicate through #NFC while keeping the secret truly offline at all times.
Not only can the firmware not be upgraded by design, but the #firmware can never give out your #privatekey because it is physically only feasible to communicate through #NFC while keeping the secret truly offline at all times.
[15/24] β 1β£ XUMM Tangem β Best Practice β
Here are some guidelines to make your cold storage genuinely secure:
πΈ Create a #PIN / Password on your card using #XUMM
πΈ Purchase 2 cards and configure your "Plan B" using the "Tangem Backup" #xApp within XUMM
Here are some guidelines to make your cold storage genuinely secure:
πΈ Create a #PIN / Password on your card using #XUMM
πΈ Purchase 2 cards and configure your "Plan B" using the "Tangem Backup" #xApp within XUMM
[16/24] β 2β£ XUMM Tangem β Best Practice β
Additional suggestions:
πΈ Use 4 cards (2 #XRPL accounts) to separate your hot & cold wallets
πΈ Do not 'root' or jailbreak your phone and use your cards on it
πΈ Less is more, so use your cold storage to save your funds in the long run
Additional suggestions:
πΈ Use 4 cards (2 #XRPL accounts) to separate your hot & cold wallets
πΈ Do not 'root' or jailbreak your phone and use your cards on it
πΈ Less is more, so use your cold storage to save your funds in the long run
[17/24] β 1β£ XUMM Tangem β Hardware Chip β
The "SE" within the card, which is practically indestructible, is the #S3D350A microchip from #Samsung
Entropy is created from the chip's inherent physical noise source via thermal noise amplification π
The "SE" within the card, which is practically indestructible, is the #S3D350A microchip from #Samsung
Entropy is created from the chip's inherent physical noise source via thermal noise amplification π
https://twitter.com/Tangem/status/1346555757009899520?s=20
[18/24] β 2β£ XUMM Tangem β Hardware Chip β
Now that we know the source of genuine randomness utilized to generate the secrets, what about the #CPU? π€
#Tangem employs the "#Arm #SecurCore SC000 Core," one of the most extensively licensed 32-bit smartcard processors in the world
Now that we know the source of genuine randomness utilized to generate the secrets, what about the #CPU? π€
#Tangem employs the "#Arm #SecurCore SC000 Core," one of the most extensively licensed 32-bit smartcard processors in the world
[19/24] β 3β£ XUMM Tangem β Hardware Chip β
The #Tangem microchip passed the "Common Criteria #EAL6+ Assurance Level," which is required if your chips are to be used in passports.
Fun fact: #Ledger also reached that level.
The #Tangem microchip passed the "Common Criteria #EAL6+ Assurance Level," which is required if your chips are to be used in passports.
Fun fact: #Ledger also reached that level.
[20/24] β 1β£ Tangem Card β Facts β
Here are some mind-blowing #Tangem facts:
πΈ Tangem offers a 25+ year replacement warranty
πΈ Withstands environmental extremes
πΈ Withstands occasional mechanical deformation
πΈ Withstands electromagnetic pulse (#EMP)
. . .
Here are some mind-blowing #Tangem facts:
πΈ Tangem offers a 25+ year replacement warranty
πΈ Withstands environmental extremes
πΈ Withstands occasional mechanical deformation
πΈ Withstands electromagnetic pulse (#EMP)
. . .
[21/24] β 2β£ Tangem Card β Facts β
. . .
πΈ Withstands electrostatic discharge (#ESD)
πΈ Withstands X-rays
π Within limits defined in #ISO7810.
Further:
πΈ #Tangem App, an open-source in-house development, is capable of verifying the installed firmware on the card
. . .
. . .
πΈ Withstands electrostatic discharge (#ESD)
πΈ Withstands X-rays
π Within limits defined in #ISO7810.
Further:
πΈ #Tangem App, an open-source in-house development, is capable of verifying the installed firmware on the card
. . .
[22/24] β 3β£ Tangem Card β Facts β
. . .
πΈ Works from -25Β°C up to 85Β°C
πΈ Works even underwater π
πΈ #IP68 certified
πΈ An Access Code may be set and even adjusted to prevent it from being removed from the card after it is set.
π If you lose this code, you lose everything.
. . .
πΈ Works from -25Β°C up to 85Β°C
πΈ Works even underwater π
πΈ #IP68 certified
πΈ An Access Code may be set and even adjusted to prevent it from being removed from the card after it is set.
π If you lose this code, you lose everything.
[23/24] β TL;DR β
πΈ XUMM security upgraded (MASVS v1.5)
πΈ XUMM Tangem account backup via xApp
πΈ Tangem cards β simple secure offline cold wallet
πΈ Literally indestructible
πΈ XUMM branded cards w/o key-sync
πΈ Cutting-edge certified hardware security
πΈ @XRPLLabs rocks!
πΈ XUMM security upgraded (MASVS v1.5)
πΈ XUMM Tangem account backup via xApp
πΈ Tangem cards β simple secure offline cold wallet
πΈ Literally indestructible
πΈ XUMM branded cards w/o key-sync
πΈ Cutting-edge certified hardware security
πΈ @XRPLLabs rocks!
[24/24] Hopefully, this gave you a solid introduction of #XUMM and #Tangem cards in terms of security.
Rest assured, there is more to come. π₯
Please follow me here:
@krippenreiter π
Feel free to contribute by sharing here: π
Rest assured, there is more to come. π₯
Please follow me here:
@krippenreiter π
Feel free to contribute by sharing here: π
https://twitter.com/krippenreiter/status/1660152428925276161?s=20
@threadreaderapp unroll
β’ β’ β’
Missing some Tweet in this thread? You can try to
force a refresh
γ
