Cake Wallet's Free 'Cupcake' App Transforms Old Smartphones Into Hardware Wallet \ stacker news ~bitcoin

pull down to refresh

Cake Wallet's Free 'Cupcake' App Transforms Old Smartphones Into Hardware Wallet mpost.io/cake-wallets-free-cupcake-app-transforms-old-smartphones-into-secure-offline-hardware-wallets/

1328 sats \ 14 comments \ @Scoresby 9h bitcoin

I can just hear @nvk getting triggered...

But Cake Wallet's ad copy is pretty good:

Hardware wallets cost $100+ and scream "I have crypto." Old phones are free, ubiquitous, and invisible. Cupcake just leveled the playing field for global self-custody access. More on Cupcake coming very soon 👀

Not enough hardware wallet manufacturers admit that purpose-built bitcoin hardware is a massive target. The fact that they exist and are obviously going to be used to secure large amounts of bitcoin mean every body who wants to steal bitcoin is thinking about how they can infiltrate, impersonate, hack, or otherwise scam them. (To be fair this is true for all software wallets too, just maybe with a smaller attack surface). Having an option that is not obviously going to be used for bitcoin makes a lot of sense.

Maybe somebody will start a seed-signer type of project that tries to disable all the radios in a phone and turn it into a hardware signer.

view all related items

157 sats \ 9 replies \ @justin_shocknet 8h

LOL, isn't Cake supposed to be a privacy wallet?

An Apple thin-client as a HWW... what will these Monerotards come up with next...

22 sats \ 8 replies \ @Scoresby OP 8h

Do you think there is any way a phone could safely be used as a hardware signer?

For example:

if it's running graphene or something
if it has the radios disabled
if you keep it in a place where there is no radio signal (ie cabin in the woods)
if it doesn't do anything else

Or is a phone always insecure? In which case, can a laptop be that much better?

215 sats \ 7 replies \ @justin_shocknet 8h

I'm not aware of any secure phone hardware, the lack of opensource hardware is a problem more generally... keep in mind I also think all HWW's to date are larp and only useful in a multi-vendor/multi-sig setup because they all rely on closed source chips.

"Klepto" is one such example of why disabling radios means nothing because signatures themselves are a potential exfil vector. There are surely others we don't know about.

The asterisk to this is the scope of your threat model. Bitcoin may have liberated us from financial institutions and most nation-states, but not super-powers who's security zones shape supply chains.

Personally I'm not too worried about the NSA opening Pandora's box to steal my 300k sats.

51 sats \ 6 replies \ @Scoresby OP 8h

Well, that's exactly what I'm thinking. I don't need a hardware signer that keeps three letter agencies from taking my bitcoin -- they can take much more than that if they want -- I'm just interested in keeping some sats secure from your average thief...and a big part of that is not getting included in a data breach of people who have paid hundreds of dollars for a device that is specifically made for securing large amounts of bitcoin.

918 sats \ 5 replies \ @justin_shocknet 7h

Yep, and our shared outlook on that would put all HWW vendors out of business if everyone was as lucid. They sell largely on virtue signal and naivete.

If we exclude the NSA et-al from our threat model then running Bitcoin on a clean Linux or BSD install within a militarized network zone wins simply on the commodity footprint.

HWW's add risk to that by removing the benefit of obscurity, and additional software to use them creates vectors beyond what might already exist in operating systems and Bitcoin itself.

Using phones as commodity hardware per Cupcake:

eliminating shipping and supply-chain risks

Yes, I like this and its better than a purpose-built HWW (ignoring the inherent supply chain risk since its commoditized)

a mobile application

Not good, this adds footprint, particularly in an iOS setting where afaik you're not able to actually verify what you're running.

Also phones are not durable and easily misplaced, which highlights that it's solving the wrong problem that is the root of most lost coin: People putting seeds in stupid places either in terms of backup or recovery.

There's good solutions and simple solutions, phone signers feel like the worst of both.

17 sats \ 4 replies \ @Scoresby OP 7h

There's good solutions and simple solutions, phone signers feel like the worst of both.

Nice summary. It is too bad though because phones have a power source, a processor, memory and a camera or nfc, so they have all the tools you might need to be a hardware signer. It's just a bummer they are so owned by the google and apple.

view all 4 replies

102 sats \ 2 replies \ @Solomonsatoshi 8h

Learn how to install linux on a usb stick. https://itsfoss.com/intsall-ubuntu-on-usb/ Learn how to build your own cold storage and how to remotely sign transactions. https://electrum.readthedocs.io/en/latest/coldstorage.html

Long term and secure cold storage free of third party HW gadgets for under $10.

0 sats \ 1 reply \ @Scoresby OP 7h

usb sticks don't have a great lifespan, so you're still backing up your seeds/keys somewhere.

The usb can't sign on its own, so it needs to be stuck in a computer. That becomes the risk.

I don't disagree that there are lots of great ways to do cold storage, but it is probably the case that none of them are risk free or perfect.

0 sats \ 0 replies \ @Solomonsatoshi 7h

'The usb can't sign on its own, so it needs to be stuck in a computer. That becomes the risk.' The USB stick uses the host computers hardware and controls that hardware. A good quality USB stick used only for this purpose should last many decades. The signing is done remotely by transferring the unsigned and signed transactions between the online and offline devices.

Agree you definitely want to back up the seed phrase as well as you should with any cold wallet. The seed phrase storage is the most important set of all and often overlooked by people depending on HWs.

Here is one way to store seed phrase cheaply and conveniently- tip if using this method is to use a pdf ebook version and store it in several locations ie usb stick and maybe on cloud/s storage. https://www.reddit.com/r/BitcoinNewZealand/comments/zyvngp/low_tech_low_cost_secure_seed_phrase_solution/

0 sats \ 0 replies \ @OT 2h

The idea reminds me of this. From memory Peter suggests setting up a multisig with 2 android phones.

My issue would be the firmware. If you leave it in your drawer for 5 years is it going to turn on or push updates before using it? I like how it would be hidden in plain sight though.