A brief review of Cobo Vault — the most secure hardware wallet

Although we are an exchange and store most of our users’ cryptos securely in our cold storage, we always recommend that our users obtain a hardware wallet, because it is the most secure option for storing their cryptos.

In this article, we briefly review Cobo Vault, a hardware wallet made by the Beijing-based company Cobo.com. It offers top-notch protection against digital hacking attempts, hardware tampering, and physical damage.

What is Cobo Vault?

Just like other hardware wallets, Cobo Vault provides strong security mainly because it isolates the wallet's private keys from other devices such as your mobile phone or computer. But Cobo Vault has several unique features that make it even more secure.

Cobo Vault's main body looks like a small mobile phone but has no access to the Internet. To eliminate every possible channel for unauthorised access, it is deliberately designed with no USB port, WiFi, NFC or Bluetooth.

The device has only two inputs, the camera and the touch screen, and only one output, the screen, which makes all communication between Cobo Vault and other devices tangible. Limiting the inputs and outputs and making them tangible, and thus easy to understand, seems a great way of improving security.

The main body is enclosed in water-resistant aerospace metal, and the outer case is made from aerospace-grade aluminium alloy. As a result, it is heavier than other hardware wallets. These make Cobo Vault as sturdy and durable as a tank, so physical damage is much less likely.

Cobo Vault

The Cobo Vault package also contains a Cobo Tablet, which can back up the wallet seed reliably in case you lose or damage the Cobo Vault. You can check our detailed review of the Cobo Tablet here.

Cobo Tablet

Besides the aforementioned security features, Cobo Vault also has:

  • Self-destruct mechanism to prevent side-channel attacks
  • Web authentication to prevent supply chain attacks
  • Elimination of all USB ports to prevent active attacks
  • Firmware upgrade via TF card for maximum security
  • Multi-signature for added security

Currently, Cobo Vault supports Bitcoin, Bitcoin Cash, Ethereum, Litecoin, Ethereum Classic, Dash, EOS, and Tron.

How to use Cobo Vault?

The Cobo Vault hardware contains the private keys, but it cannot create a transaction on its own because it has no access to the Internet or the blockchains.

Therefore, it has to be used together with the Cobo Vault mobile app, which is connected to the Internet. The mobile app contains no private keys, so removing the app or losing the mobile phone will not affect the crypto assets in the wallet.

Cobo Vault mobile app

To send cryptos, we use the mobile app to create an unsigned transaction, represented as a few QR codes, and pass it to the hardware by scanning. We then confirm and sign on the hardware using the touch screen. The signed transaction is also presented as a few QR codes on the hardware's screen; the mobile app scans them and broadcasts the transaction to the network.

Communicating information using QR codes may not be as convenient as other methods, such as the Bluetooth used by CoolWallet or the USB used by Ledger Nano S, but QR codes are tangible and make the device easier to understand and more secure.

Is the transaction sending process secure?

Security is always the top priority for any crypto wallet. So how secure is Cobo Vault? Most of the security features listed above can be verified intuitively. But what about the information sent from the Cobo Vault hardware to the mobile app? Is it possible that the private keys are sent out?

Thanks to the simple communication mechanism, i.e., QR codes, it is easy to verify that Cobo Vault transmits only necessary and non-sensitive information from the hardware to the mobile app. The following example checks the whole process thoroughly on Litecoin, and the result shows that Cobo Vault is trustworthy. Readers who are not interested in the technical details can skip directly to the Conclusion at the end.

Details on creating an unsigned transaction

To send 0.02169946 Litecoin to the address LUyTxafLEAPxfRzqiunGh5sAKEWvoSGnuk, we use the mobile app to create an unsigned transaction, which is presented as the four QR codes shown below; they are then scanned one by one with the Cobo Vault hardware's camera.

Unsigned Transaction

To verify the information, we decode the above QR codes and get the following four JSONs, where total is the total number of QR codes in the set and index indicates the position of each code in the set.

{
  "total": 4,
  "index": 0,
  "checkSum": "3784fd22b94fb9c327fdc4bb4b932fcc",
  "value": "H4sIAAAAAAAAA01Qu27cMBD8lQMbFzGgJcWnOheGYdhBjOSCFEEKPpaRYFmUJd7hLsb9e1ZXecFmZoczmP1gR1zWoUys47cs4RqXYa5XzGIJ5ejHQ929L7Ek3M1LqSWWkZHS",
  "compress": true
}

{
  "total": 4,
  "index": 1,
  "checkSum": "3784fd22b94fb9c327fdc4bb4b932fcc",
  "value": "V8+6D9anfXnFTQ1BJBGcUQjgpAjSZS5lsBCkhBREJpImYxutsknHEMBFIy1qLayVZFrPM5LTOvydCMUyTI+J8DhU3ABx2+rKcatRcWgD904YsNgmgT4GLRU3OmTS9unF1560",
  "compress": true
}

{
  "total": 4,
  "index": 2,
  "checkSum": "3784fd22b94fb9c327fdc4bb4b932fcc",
  "value": "Xxvpbhpx0wC9Brag4Y2CuFLSOKGNdcZQpWGdR3/eX3dMAHcNyAbcDkSneMft7gvYDuBT+1pI+fzzvD/5/Hx/93LK3/+9D4fpoVfr3dP9r2P58TAdXunHdkeyFVw7J/Uty7gh",
  "compress": true
}

{
  "total": 4,
  "index": 3,
  "checkSum": "3784fd22b94fb9c327fdc4bb4b932fcc",
  "value": "AEHB64xT8mHElXW/yfR0bWhDjjy1QqLlWkgXhHXcOGhtkJg51WyJEtLQQVE5xTlvMbeqlcG7mPBzqHXOtIS/HerjlPDEOrj8oRqHte77Bde+jBTJYZvL5fIfIJSvYhUCAAA=",
  "compress": true
}

Combining the above four value fields in order gives the following data, which is gzip-compressed and then base64-encoded; an MD5 checksum can be computed on it and compared against the checkSum field above.

H4sIAAAAAAAAA01Qu27cMBD8lQMbFzGgJcWnOheGYdhBjOSCFEEKPpaRYFmUJd7hLsb9e1ZXecFmZoczmP1gR1zWoUys47cs4RqXYa5XzGIJ5ejHQ929L7Ek3M1LqSWWkZHSV8+6D9anfXnFTQ1BJBGcUQjgpAjSZS5lsBCkhBREJpImYxutsknHEMBFIy1qLayVZFrPM5LTOvydCMUyTI+J8DhU3ABx2+rKcatRcWgD904YsNgmgT4GLRU3OmTS9unF1560Xxvpbhpx0wC9Brag4Y2CuFLSOKGNdcZQpWGdR3/eX3dMAHcNyAbcDkSneMft7gvYDuBT+1pI+fzzvD/5/Hx/93LK3/+9D4fpoVfr3dP9r2P58TAdXunHdkeyFVw7J/Uty7ghAEHB64xT8mHElXW/yfR0bWhDjjy1QqLlWkgXhHXcOGhtkJg51WyJEtLQQVE5xTlvMbeqlcG7mPBzqHXOtIS/HerjlPDEOrj8oRqHte77Bde+jBTJYZvL5fIfIJSvYhUCAAA=

Base64-decoding the above data and inflating it, we get the following JSON, which describes the unsigned transaction in a readable form.

{
  "version": 1,
  "description": "cobovalut qrcode protocol",
  "data": {
    "hdToken": "0b2d2b975e00942b49f144b80b440db2f942222fe3c858d6cbb09c748e662884",
    "type": "sign",
    "coinId": "litecoin",
    "signId": "186e5103b1a92708e3d2eacb645176bf",
    "hdPath": "M/49'/2'/0'/0/0",
    "time": 1554792678977,
    "displayTime": "2019/04/09 02:51:18 +08:00",
    "data": {
      "to": "LUyTxafLEAPxfRzqiunGh5sAKEWvoSGnuk",
      "value": 2169946,
      "fee": 20027,
      "spendables": [
        {
          "txId": "8bfc1d324e816249b289179038b4ef15173b28247e3ce5951113ef3534ba9cde",
          "value": 2189973,
          "vOutIndex": 0
        }
      ],
      "dustThreshold": 100000
    }
  }
}

Details on signing the transaction

After reading the above four QR codes with the Cobo Vault hardware's camera and confirming and signing the transaction on the device, we obtain two new QR codes representing the signed transaction.

Signed Transaction

The above two QR codes represent the following two JSONs respectively.

{
  "total": 2,
  "index": 0,
  "checkSum": "1e5c4c7042c8aa960177cf1bda9a7657",
  "value": "H4sIAAAAAAAAA01SS26UMQy+SvWvu/ArdtIbsEfsHcdBlapOmRlKUdW7YyooeBEllv09HL8ez3m+3J8ejzu8PVZe4nz/dH1/H3Gap5tnf/h+vfl2jtPKm6fz6XqK08NRpX714+71uP58yqq93H99zFX535dPqzLYNRsCT/RBBj15UXpMlYamc/+P8fLesRGlde/NvccMIe/cOjnDyOzEu0CiNTbaZjtgLAEB8u1sizMK8ew/Pr8UFBD8DQRcOWI6C7fcyIijZeOwJKFe+gwrP4X7ALQ+",
  "compress": true
}

{
  "total": 2,
  "index": 1,
  "checkSum": "1e5c4c7042c8aa960177cf1bda9a7657",
  "value": "JslQ6ijJhGtHnx9Qhlqn5HDT7sNKgAVQg5XWYMKioTIMXRU3+/4TgM0xCOGfqGHqA0V9c2Q1SvDYnoKIPVRtMCCaQLkF59G7F48Yg5RjgjaDyBcW32oqsL2J2LRW2qmvmuOwmYCziHfZG9k8wklVWDz6O0abLUEUtCeBVGJpWjTqAbx3zF0zC942NLa2yIVNaVlxUdHVXMsR2bAhjh1jG2Z9deJkU2rOjbKrabEhbCwszUQC5DbXKnrmwI9/Ot7ebmvjHtaXj32Ecvz2C1rQf+2hAgAA",
  "compress": true
}

Combining the above two value fields and decoding and inflating as before, we get the following JSON, which contains the signed raw transaction. Checking the JSON carefully, we find no other sensitive information such as private keys or wallet seeds, so the process is trustworthy.

{
  "version": 1,
  "description": "cobo valut qrcode protocol",
  "data": {
    "type": "signed",
    "signId": "186e5103b1a92708e3d2eacb645176bf",
    "data": {
      "txId": "f11458a85aa8cbc42a83582a309ee823f08ec55372f77fc09d40402afa37d3ec",
      "rawTx": "02000000000101de9cba3435ef131195e53c7e24283b1715efb438901789b24962814e321dfc8b0000000017160014e9a768a97d407c0250de750b0d2964971a661f3affffffff015a1c2100000000001976a9146af3ceb0d4c39fae41118c667930117405370a3988ac0247304402205bc22ad1296d5640fa5447b7524928d14597be01b5a1f15e9e5acca266434ac8022055b5e046068e204205d6e7c528c03ffcbfba3c3f796cf65ced1562d7fa52a54101210279794a181cf71ea92e1b37625a352e8676c8010f1a3c6ee120135bdd05533c1200000000"
    }
  },
  "coldVersion": 10024
}

Putting the rawTx field into a Litecoin raw transaction decoder, we get a standard Litecoin raw transaction represented in JSON. It is easy to confirm that 2169946 litoshis are to be sent to LUyTxafLEAPxfRzqiunGh5sAKEWvoSGnuk. Now we can broadcast the transaction to the Litecoin network to finalise it.
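The reassembly and inspection steps used above for both the unsigned and the signed transfer, as an added Python example that is not Cobo's code: it builds a constructed sample payload in the page's fragment format, reassembles it the way the text describes, and scans the decoded JSON for key names that would indicate secret material. It assumes that checkSum is the MD5 of the concatenated base64 string, which the page does not state explicitly.

```python
import base64
import gzip
import hashlib
import json

# Constructed sample payload in the shape of the page's unsigned transaction (not the real data).
SAMPLE_PAYLOAD = {"version": 1, "description": "cobo vault qrcode protocol", "data": {
    "type": "sign", "coinId": "litecoin", "hdPath": "M/49'/2'/0'/0/0",
    "data": {"to": "LUyTxafLEAPxfRzqiunGh5sAKEWvoSGnuk", "value": 2169946, "fee": 20027}}}
# Key names that must never appear in data leaving the cold device (our own list, not Cobo's).
SENSITIVE_KEYS = {"privatekey", "privkey", "seed", "mnemonic", "xprv", "entropy"}

def split_into_fragments(payload, chunk_size=100):
    """JSON -> gzip -> base64 -> fixed-size chunks, each wrapped like the page's QR JSONs.
    Assumption: checkSum is the MD5 hex digest of the whole base64 string."""
    b64 = base64.b64encode(gzip.compress(json.dumps(payload).encode(), mtime=0)).decode()
    check = hashlib.md5(b64.encode()).hexdigest()
    chunks = [b64[i:i + chunk_size] for i in range(0, len(b64), chunk_size)]
    return [{"total": len(chunks), "index": i, "checkSum": check, "value": c, "compress": True}
            for i, c in enumerate(chunks)]

def reassemble(fragments):
    """Order fragments by index, verify completeness and checksum, then inflate to JSON."""
    total, check = fragments[0]["total"], fragments[0]["checkSum"]
    ordered = sorted(fragments, key=lambda f: f["index"])
    if [f["index"] for f in ordered] != list(range(total)) or any(
            f["total"] != total or f["checkSum"] != check for f in ordered):
        raise ValueError("fragment set is incomplete, duplicated or mixed between transfers")
    b64 = "".join(f["value"] for f in ordered)
    if hashlib.md5(b64.encode()).hexdigest() != check:
        raise ValueError("checkSum mismatch: a QR code was misread or altered")
    raw = base64.b64decode(b64)
    if ordered[0].get("compress"):
        raw = gzip.decompress(raw)
    return json.loads(raw)

def find_sensitive_keys(obj, path=""):
    """Return the JSON paths of any key that looks like secret material."""
    hits = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            child = f"{path}.{key}" if path else key
            if key.lower() in SENSITIVE_KEYS:
                hits.append(child)
            hits += find_sensitive_keys(val, child)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            hits += find_sensitive_keys(val, f"{path}[{i}]")
    return hits
```

To check a real capture, replace SAMPLE_PAYLOAD's fragments with the JSONs decoded from the QR codes and call reassemble followed by find_sensitive_keys; an empty list means no obvious secret material left the device.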

Conclusion

Cobo Vault is durable and water-resistant and has a super cool design. It offers great protection against digital hacking attempts, hardware tampering, and physical damage. Transmitting data between the mobile app and the hardware using QR codes takes some time, but it is tangible and reliable and provides better security. After checking the data exchanged during the transaction signing process, we see that Cobo Vault is trustworthy. In a nutshell, it is the most secure hardware wallet on the market to the best of our knowledge.