Hardware wallets are generally a more secure option for storing and transferring crypto assets. And while there are already some popular players in the market, like the Trezor and Ledger, a relatively newer candidate actually has the potential to go head to head against these companies over the long run.
The CoolWallet S is the next generation hardware wallet from CoolBitX, released with a host of improvements over the original CoolWallet, which has since been discontinued. Like all other hardware wallets, the primary goal of CoolWallet S is to provide a secure place to store the wallet’s private keys and never expose them under any circumstances.
It is, however, some of the unique features provided by the wallet, that makes it worth taking a look into.
The CoolWallet S has a unique form-factor; its design resembles that of a credit card, feels quite durable to hold, and is flexible enough to bend significantly without any damage. The company also claims the wallet to be waterproof, but recommends users not to have it under water for more than an hour.
It has the ability to operate wirelessly by pairing with an iPhone or Android device over Bluetooth. This provides a more convenient way of accessing your wallet from your mobile device, rather than a computer.
On the surface, the wallet has a small E-Paper display, which is primarily used for displaying device information, such as battery level, pairing status, etc., as well as transaction related information. A single clickable button is used to navigate through, and confirm various operations on the wallet.
There are also two visible connector pins on the wallet’s surface, which connects to the power supply to charge the wallet’s battery via the charging dock (included in the box). The battery takes about one hour to fully charge itself, and can last up to 2 – 3 weeks on a single charge.
Under the hood, the CoolWallet S packs a general purpose MCU, a Common Criteria EAL5+ certified Secure Element (SE) chip, a Bluetooth module (Bluetooth Low Energy 4.0), as well as an NFC chip.
The SE (NXP P5CD081) is primarily used for storing the wallet’s private keys, never exposing them to the outside world. In order to perform a transaction, the SE — after confirmation from the user — signs it with the private key, and sends the signed message to the paired device over Bluetooth. The device (via mobile app), in turn, broadcasts the signed message to the corresponding network via its Internet connection.
CoolWallet S v/s the Trezor/Ledger: Where it excels
The CoolWallet S brings new ways to interact with a hardware wallet, which potentially improves its ease of use, while also offering better security.
First, the build quality of CoolWallet S is more durable than its competitors. It excludes moving parts (except for a small clickable button), and is designed in a way so as to prevent it from being taken apart and put back together.
Note: That being said, the CoolWallet S battery has a lifespan of 2 – 5 years. If your battery is faulty, you can get a full unit replacement from the company within the one year warranty period. If your battery dies after the warranty period, you can still continue using the wallet by plugging it into the charging dock.
Both the Trezor and Ledger, on the other hand, are housed inside plastic chassis, which could be opened up to expose (and possibly alter) their internal hardware components. Their physical components (like buttons, USB ports, etc.) are also relatively more prone to damage with extensive usage.
Second, the CoolWallet S is primarily meant to be used wirelessly with your paired iPhone or Android device over Bluetooth. This enables the user to perform on-the-go transactions conveniently.
The Trezor and Ledger rely on the USB interface for connecting to other devices, and are hence most suitable to be used along with a computer, which kind of limits the on-the-go experience. Both the wallets also do support smartphone connectivity via USB OTG, but then again, it largely relies on third party apps like Mycelium that offer fairly limited functionality, coin support, etc., and works with OTG-enabled Android smartphones only.
And even though the CoolWallet S is smartphone-only as of now, the company believes that it would be much easier for them to support desktops in the future, than that for Trezor and Ledger to bring native, full-featured smartphone experience.
How to setup the CoolWallet S
Like all other hardware wallets, the first step after receiving the CoolWallet S would be to generate the seed word. Here, the process is a bit different from other hardware wallets due to the smartphone-only pairing mechanism that’s fundamental to the CoolWallet S. A more detailed guide can be found in the official website.
Note: Rather than providing a set of english words for the setup seed, the company decided to opt for a numeric, BIP39 compatible scheme, which would be universally accepted. If you need to recover a seed generated by the CoolWallet S on a different BIP39 wallet, you can refer to the number-word mapping table in order to get the equivalent BIP39 word seed.
Security features of CoolWallet S
By its design and working mechanism, the CoolWallet S is built from ground-up to be convenient for use, and yet be secure enough to hold your crypto-assets safely against potential attacks. The wallet only works with paired iOS and Android devices through a cryptographic pairing sequence via Bluetooth. According to CoolBitX, the company uses a top-level encryption to protect the initial communication layers, along with additional ECDSA, ECIES, AES256 protocols to encrypt the data layers.
The company also believes that the smartphone is generally a more secure platform for performing transactions, compared to a computer. On a desktop environment, the access permissions between different apps have limited restrictions. And thus, any app could possibly access, manipulate or steal data from other apps in an unauthorized manner.
On Android and iOS, the apps have limited inter-app permissions, and this is especially true in case of iOS, where they all run in their own isolated sandbox. Moreover, both the App Store and Google Play Store have a strong app review system in place, which restricts the approval of potentially harmful apps. So unless you side-load your apps from third party sources (especially in case of Android), it is less likely that your apps might be compromised.
And since firmware updates on CoolWallet S are delivered over the air via Bluetooth from an App Store / Google Play Store verified smartphone app, there is less chance that the firmware might be compromised as well.
Let us now explore various possible attack vectors and find out how the CoolWallet S holds up against them.
CoolWallet S against remote attacks
The CoolWallet S stores the wallet private keys in a bank-grade Secure Element chip, from which they are never meant to be exposed to the outside world. All transactions performed using the wallet can be verified from its E-Paper display (which can show the receiver’s address) and needs to be confirmed by pressing the physical button on the wallet. The only data that is exposed to any external device is the signed message confirming the transaction. This mechanism protects against any sort of remote attacks.
CoolWallet S against physical attacks
As far as physical attacks are concerned, these could be further categorized into supply chain attacks, theft and evil maid attacks.
Supply Chain Attacks
As discussed earlier, the CoolWallet S has been designed in a way that it prevents physical attacks involving opening up, reprogramming the chip, and reassembling the hardware. Any such attempt is more likely to damage the wallet permanently, in a way that it can’t be sent down the supply chain without the damages getting detected.
Further, the CoolWallet S packaging also accompanies a special sticker to indicate any evidence of tampering along the supply chain.
The CoolWallet S only works with paired iOS or Android devices. In order to store funds in your wallet, you need to pair it up with at least one device. After that, if you want to pair a second device, it has to be authorized from the first paired device, as well as by pressing the physical button on the wallet. At any point of time, it can be paired with up to three iOS or Android devices simultaneously.
If the CoolWallet S gets stolen, it can never be used by any other person without your permission (i.e., approval, from the paired devices).
If the paired iOS or Android device goes missing, it’s easy to reset the wallet, pair it up with a new device and restore the wallet contents using the recovery seed. Resetting the wallet automatically unpairs it with all the previously paired devices.
If both the CoolWallet S as well as the paired device is stolen, the wallet funds are still protected as long as your paired smartphone is secured with a strong passcode, along with biometric authentication (for iOS).
Note: The CoolWallet S partner app on iOS works in such a way that it requires you to authenticate yourself for each transaction via Touch ID or Face ID. But still, if an intruder is able to get your passcode, it is relatively easier for them to add their own biometric data to the iOS device and then access the wallet app without any restriction.
Moreover, any unauthorized person wouldn’t be able to extract the private keys from the wallet with any form of physical attack. The Secure Element chip inside the CoolWallet S, which stores your private keys, eliminates this possibility.
Evil Maid Attacks
The CoolWallet S is fundamentally designed to prevent any possible evil maid attacks. Since it is difficult to open up the wallet, an “evil maid” would not be able to compromise its hardware or load malicious firmware on to the device. Such an attempt might even cause permanent physical damage, rendering the wallet useless.
Current limitations of CoolWallet S
All that being said, the CoolWallet S also has certain limitations in its current form, some of which might be a turn-off for the users.
No desktop/third-party support: Currently the team is focusing its wallet to be used primarily with smartphones. While this could be a convenient way to perform crypto-transactions on-the-go, many third party platforms, such as exchanges or hot wallet apps, are based on the web/desktop platforms.
The company says that it would enable third party integrations with the CoolWallet S via public APIs in the near future. And one of the first CoolWallet integrations to happen would be ShapeShift.
Limited cryptocurrency support: The currency support on CoolWallet S is limited (as of now), to say the least, compared to that on the Trezor or Ledger. Currently, it supports Bitcoin, Ethereum, Litecoin, Ripple, Bitcoin Cash and a few ERC20 tokens. Recently, the company added EOS to their list of supported cryptocurrencies, and the team is aggressively working with others to bring in support for more currencies. Support for NEO is said to be coming soon, followed by Cardano, Stellar, IOTA, Tether and numerous other ERC20 tokens. Zcash integration is planned to happen by early Q3 of 2018.
Also, once third party integrations are enabled, it would be possible for apps like MyEtherWaller to add support for the CoolWallet S, which in turn, would allow users to access almost all ERC20 tokens, and even add custom ones manually, if they want to.
Wallet seed displayed on smartphone instead of on the wallet: The CoolWallet S currently displays the seed (when creating a new wallet) on the paired smartphone instead of the wallet’s E-Paper display. The seed is displayed in a numeric format, rather than the conventional word format. Nevertheless, it is always a good practice to display the seed on the wallet, in order to ensure that it is never transmitted outside the wallet. Showing the wallet-generated seed on the smartphone app can give rise to potential security loopholes in the system.
If this is a security concern for you, we would recommend you to keep using the Trezor or Ledger for cold storage, while transferring only limited funds to the CoolWallet S for transactional purposes (at least for the time being). The company has stated that they would release an update in future that would display the wallet seed on the E-Paper display instead of in the smartphone app.
The apps and firmware are closed-source: In its current state, all the apps as well as the firmware running on the CoolWallet S are closed source.
The company has plans to open source its wallet apps, along with certain parts of the firmware. However the Secure Element and certain parts of the firmware cannot be open-sourced due to intellectual property agreements (similar to Ledger).
Lack of 2FA and Password Manager support: Both the Trezor and Ledger can be used as 2-Factor-Authentication devices for logging into various supported services, such as Google. Also, the Trezor has recently launched an encrypted password manager app (Chrome extension) that uses the Trezor device to log into the password vault. The CoolWallet S does not support these functionalities right now, but could enable this feature in future.
The good news is that all these limitations could be addressed via an over-the-air firmware update, and the company has confirmed that all such firmware updates would be free. So users would get access to the latest wallet features at no extra cost.
Should you switch to the CoolWallet S?
The Trezor and Ledger have both been around for quite a long time, and have been able to establish a significant user base over the years. Both the companies offer decent online and offline support, and provide regular firmware updates to ensure that their devices are in line with the latest features, and address known security vulnerabilities.
Coming late into the market, the CoolWallet S has an uphill task ahead of them to reach the level of trust and support that the competition has established. How CoolBitX is planning to set up their own user base in this competitive scene, remains to be seen. But one thing is for certain, the CoolWallet S is introducing a new take that improves on the usability of hardware wallets, without compromising on the security aspects.
For now, the unique form-factor, durability, security and mobile-friendly features of CoolWallet S might just be enough to at least make you consider using it as a secondary hardware wallet, if not the primary one.
What do you think of the CoolWallet S? Let us know in the comments below.