Add Coldcard Q #4180

Open: siim-m wants to merge 1 commit into master

@siim-m siim-m commented Apr 10, 2024

Adds Coldcard Q to the list of hardware wallets.

@crwatkins
Contributor

Thanks for the submission! What's the current status of the Coldcard Q?

  • Is there user documentation available? I couldn't find any Coldcard Q usage documentation on the Coldcard web site.
  • Are there any specifications published such as QR code compatibility and companion wallet app compatibility?
  • Has the Coldcard Q been officially released? When is/was the release date?
  • Where are the firmware release tags for Coldcard Q deterministic builds? I found the branch, but could not find any tags.

@scgbckbone

Thanks for starting the review.

> Thanks for the submission! What's the current status of the Coldcard Q?

Already shipping and thousands of units already shipped out. Due to higher demand than anticipated we haven't switched from reservation mode in the store just to manage the inflow. Hopefully in a few weeks should be switched.

> • Is there user documentation available? I couldn't find any Coldcard Q usage documentation on the Coldcard web site.

It's very similar to Mk line, being slowly improved and more features added. They share the same firmware and architecture with the extra hardware capabilities. (more already there since this thread started)

> • Are there any specifications published such as QR code compatibility and companion wallet app compatibility?

  • Address verification is "text" so everything already works, and it also supports BIP-21 URL format
  • QR PSBT binary or base64, Signed TXN hex already works
  • BBQr PSBT: bbqr.org has a support table (Sparrow, Nunchuk and Zeus on public master, with more wallets coming)
  • SeedQR also capable
  • Bar code capable

> • Has the Coldcard Q been officially released? When is/was the release date?

We've had units commercially out for over 3 months now, with test units out for many months.

> • Where are the firmware release tags for Coldcard Q deterministic builds? I found the branch, but could not find any tags.

Thanks for noticing. Although it is reproducible, we didn’t have the tags there when you first reviewed; they were subsequently added: https://github.com/Coldcard/firmware/tags

As a note we have already merged the Q & Mk branches into master as they are the same code base with different hardware targets.

@crwatkins
Contributor

In regards to the documentation, let me be clear that there aren't any specific listing criteria relating to documentation, so these are just some observations.

> It's very similar to Mk line, being slowly improved and more features added. They share the same firmware and architecture with the extra hardware capabilities. (more already there since this thread started)

Given the fact that thousands of units have been shipped out, I'm surprised to find no mention of the device in any of the Getting Started guides listed on the website printed on the box. As a "new user", the guides I was referred to told me to plug in the USB and it would power up. It didn't. I was concerned the device was faulty, so I put in batteries. It would have been nice to have had suggestions or requirements relating to the batteries (alkaline, lithium, NiMH). I looked for a power button and pressed it and the screen didn't come on. Now I was really concerned the device was faulty. It turns out I didn't press the power button long enough. After some more fumbling it came on. All of this could have been avoided by trivial updates to the existing documentation.

Likewise, given the fact that one of the major new features is the QR scanner, it was disappointing to note that Coldcard Q is actually not QR compatible with most of the wallets listed on the Compatible Wallets page. Scanning transactions displays the text "Above is text that was scanned. We can't do any more with it." I believe that even the most minimal amount of guidance for new users could eliminate a lot of confusion and frustration.

@nvk
Contributor

nvk commented May 3, 2024

Thanks for the feedback Craig.

  1. You raised some good specific items that should be added (battery and power button). Aside from the very few specific things, it's the same flow and features as Mk4. Those getting started guides were written years after Mk was launched. We don't build docs and devices in unison because of the amount of community generated content and team bandwidth. Ben Sessions and others already have videos on setup. But more is coming!

  2. Re: QR, just as PSBT had no adoption when Mk was launched, it takes years to push standards. It's a low time preference game. The market has grown a lot and I doubt that all things will be compatible with all things. Look at BitKey, which will be massive but only works with their own app. On the bright side there is a lot of work being done to integrate QR and NFC in some of the clients on that list. Heck, Core didn't do PSBT support till recently. And we still don't have a QR BIP...

Nice example of a third-party video by Unchained: https://x.com/unchainedcom/status/1786397489676845243

@crwatkins
Contributor

What is the official release date that should be used in the review?

@nvk
Contributor

nvk commented May 3, 2024

We never really announced it, just started shipping. I think we can use Feb 8th 2024 as it was likely the most we talked about shipping public.

@crwatkins
Contributor

I have reviewed the Coinkite Coldcard Q wallet based on the current wallet requirements criteria and my evaluation is below. The summary is that the wallet passes on security and overall design; however, because the HSTS preload directive is missing on the website, I cannot at this time recommend it for listing. I will be glad to recommend Coldcard Q for listing once this website issue is resolved.

I try not to editorialize on issues not specifically related to the listing criteria, and there are no criteria related to QR code support, but it is hard not to comment on a device that was seemingly named for its QR code support. I have to say that I am personally fairly disappointed at the lack of support in Coldcard Q for existing QR standards such that the currently stated compatibility includes only two wallets which support the Coldcard Q's new format. In addition, Coldcard Q failed a multisig QR code configuration import during the review (since reported and fixed) with the one supported wallet I was testing with.

Note that as a "hardware wallet," only the hardware and firmware components of the device were evaluated. Wallet software that runs externally to the Coldcard Q device was not evaluated in this review. Sparrow Wallet was used during this review, but not evaluated.

I concur with the scoring in 1111efd. Historically, wallets that have been released less than six months ago receive the transparency score checkfailtransparencynew; however, given that the crypto codebase of the Coldcard Q is the same as the codebase of the Coldcard Mk4, which is older than six months, I would recommend waiving this requirement.


Coldcard Q

Firmware v1.2.0Q

Review Version 2024062401

The wallet list is based on the personal evaluation of the maintainer(s) and
regular contributors of this site, according to the criteria detailed below.

These requirements are meant to be updated and strengthened over time.
Innovative wallets are exciting and encouraged, so if your wallet has a good
reason for not following some of the rules below, please submit it anyway and
we'll consider updating the rules.

NOTE The hardware device used for testing was provided by Coinkite at no cost.

NOTE Only the hardware/firmware is being evaluated here. Wallet software running external to the device is not being reviewed.

Basic requirements:

  • Sufficient users and/or developers feedback can be found without concerning
    issues, or independent security audit(s) is available

    PASS Sufficient feedback was found on Reddit, Twitter/X, Bitcointalk, and YouTube.

  • No indication that users have been harmed considerably by any issue in
    relation to the wallet

    PASS No indications for the Coldcard Q

    NOTE However there have been indications reported with the Mk4 model. On the current website, Coinkite claims the model Q is "Same as the COLDCARD Mk4" so these reports should be noted, even though the Coldcard Q is a new model.

    https://www.reddit.com/r/coldcard/comments/17epqk8/040_bitcoin_taken_instantly_from_my_coldcard/
    https://www.youtube.com/watch?v=oj_W3xOlt6U (see also the comments)

    It appears that users have lost funds when using the dice roll feature. A previous version of the firmware warned, but allowed, users to use the wallet with completely insufficient entropy (number of dice rolls). The firmware has been subsequently updated to avoid this situation.

  • No indication that security issues have been concealed, ignored, or not
    addressed correctly in order to prevent new or similar issues from happening
    in the future

    PASS No indication

  • No indication that the wallet uses unstable or unsecure libraries

    PASS No indication

  • No indication that changes to the code are not properly tested

    PASS No indication. Tests at https://github.com/Coldcard/firmware/tree/master/testing

  • Wallet was publicly announced and released since at least 3 months

    PASS Released on 8 Feb 2024

  • No concerning bug is found when testing the wallet

    PASS No concerning bugs were found.

    NOTE Some bugs involving tracebacks and a crash were reported during review and were fixed

  • Provides a bug reporting method on the website and/or in the app

    PASS https://coldcard.com/docs/trouble/ suggests emailing support@coinkite.com

    NOTE This information should be much easier to find on the website than is currently possible

  • Website supports HTTPS and 301 redirects HTTP requests

    PASS http://coldcard.com redirects to https://coldcard.com/

  • SSL certificate passes Qualys SSL Labs SSLtest

    PASS https://coldcard.com Rating B (could be better)

  • Website serving or linking to executable code or requiring authentication uses HSTS

    • Existing listings: With a max-age of at least 180 days
    • New listings: With a max-age of at least 1 year, and preload and includeSubDomains directives to qualify for browser preload list inclusion
      e.g. Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

    FAIL https://coldcard.com does not use HSTS

  • The identity of CEOs and/or developers is public

    PASS Coldcard is made by Coinkite, a long standing member of the community with their principals well known and a legal contact at https://coinkite.com/terms

    NOTE A more direct reference to details about the company or individuals would be preferred

  • Avoid address reuse by displaying a new receiving address for each transaction
    in the wallet UI

    N/A Addresses and paths are chosen by wallet software

  • Avoid address reuse by using a new change address for each transaction

    N/A Addresses and paths are chosen by wallet software

  • Uses deterministic ECDSA nonces (RFC 6979)

    PASS A transaction signed by Coldcard Q created the same signature as Sparrow Wallet

  • User has access to private keys for all major components of the wallet

    PASS User has access to BIP39 seed

  • If private keys or encryption keys are stored online:

    N/A Keys are stored on the device

    • Refuses weak passwords (short passwords and/or common passwords) used to
      secure access to any funds, or provides an aggressive account lock-out
      feature in response to failed login attempts along with a strict account
      recovery process.
  • If user has exclusive access over its private keys:

    • Allows backup of the wallet

      PASS Allows manual copying of the BIP39 phrase at startup, as well as a passphrase encrypted backup to microSD card

    • Restoring wallet from backup is working

      PASS BIP39 phrase restored correctly

    • Source code is public and kept up to date under version control system

      PASS https://github.com/Coldcard/firmware

  • If user has no access to some of the private keys in a multi-signature wallet:

    N/A

    • Provides 2FA authentication feature
    • Reminds the user to enable 2FA by email or in the main UI of the wallet
    • User session is not persistent, or requires authentication for spending
    • Gives control to the user over moving their funds out of the multi-signature
      wallet
  • For hardware wallets:

    • Uses the push model (computer malware cannot sign a transaction without user
      input)

      PASS Uses keyboard for confirmation

    • Protects the seed against unsigned firmware upgrades

      PASS It is possible for the firmware to set a "high water mark" such that downgrading is not possible. This is enforced in bootloader firmware (not the secure element) and was not tested.

    • Supports importing custom seeds

      PASS A custom seed was imported

    • Provides source code created for all open components and provides detailed specification for blackbox testing of
      any closed-source secure elements

      PASS https://github.com/Coldcard/firmware

Optional criteria (some could become requirements):

  • Does not show "received from" Bitcoin addresses in the UI

  • Website serving executable code or requiring authentication is included in the
    HSTS preload list

    FAIL HSTS is not supported at https://coldcard.com

  • If user has exclusive access over its private keys:

    • Supports HD wallets (BIP32)

      PASS Supports BIP32

    • Provides users with step to print or write their wallet seed on setup

      PASS Provides the seed on setup

    • Uses a strong KDF and key stretching for wallet storage and backups

      PASS Uses a crypto based memory chip and uses strong KDF for backups

    • On desktop platform:

      • Encrypt the wallet by default

      N/A

  • For hardware wallets:

    • Prevents downgrading the firmware

      PASS It is possible for the firmware to set a "high water mark" such that downgrading is not possible. This is enforced in bootloader firmware (not the secure element) and was not tested.
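
The HSTS criterion in the checklist above has two tiers: a max-age of at least 180 days for existing listings, and at least 1 year plus the includeSubDomains and preload directives for new listings. As an added example (not part of the review or of the site's own tooling), this Python code evaluates a Strict-Transport-Security header value against both tiers; the function names and the sample header values are constructed for illustration.

```python
DAY = 86400
EXISTING_MIN_AGE = 180 * DAY   # existing listings: at least 180 days
NEW_MIN_AGE = 31536000         # new listings: at least 1 year (value from the checklist)


def parse_hsts(value):
    """Return (max_age, flags) for one header value; raise ValueError if malformed."""
    max_age, flags, seen = None, set(), set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if not name:
            continue                         # tolerate empty directives (";;")
        if name in seen:
            raise ValueError("duplicate directive: " + name)
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')     # value may be a quoted-string
            if not arg.isdigit():
                raise ValueError("max-age is not a non-negative integer")
            max_age = int(arg)
        else:
            flags.add(name)
    if max_age is None:
        raise ValueError("max-age is required")
    return max_age, flags


def check_listing(value):
    """Evaluate a header value (None when absent); problems are relative to the new-listing tier."""
    if value is None:
        return {"existing": False, "new": False, "problems": ["no HSTS header"]}
    try:
        max_age, flags = parse_hsts(value)
    except ValueError as exc:
        return {"existing": False, "new": False, "problems": [str(exc)]}
    problems = []
    if max_age < NEW_MIN_AGE:
        problems.append("max-age below 1 year")
    for needed in ("includesubdomains", "preload"):
        if needed not in flags:
            problems.append("missing " + needed)
    return {"existing": max_age >= EXISTING_MIN_AGE, "new": not problems,
            "problems": problems}


# Constructed sample values, not captured from any site.
SAMPLES = [None, "max-age=15552000", "max-age=31536000; includeSubDomains; preload",
           'MAX-AGE="63072000"; includesubdomains', "max-age=abc; preload"]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), check_listing(sample))
```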
