Our approach to security has always been consistent: build with care, and invite open verification. Before Passport Prime ships, we commissioned a full third-party security audit and made the results publicly available for anyone to review.
We took the same approach with Passport Core, which was also independently audited. The earlier audit set the precedent for how we handle security at Foundation: by opening our devices to outside scrutiny before they reach users, and by publishing the results in full. Passport Prime continues this same commitment, proving that transparency isn’t a one-time exercise, but an ongoing standard for every product we build.
Today, we’re outlining what was tested, what was discovered, how we addressed it, and where you can explore all the details for yourself.
Who Conducted the Audit — and What They Tested
The audit was performed by Keylabs (Nedos Consulting EMEA FZ-LLC), a specialist security firm focused on wallet technologies, embedded device audits, and secure storage systems.
Their team includes researchers known in the hardware wallet security community, including involvement in the wallet.fail presentation, which exposed vulnerabilities in wallets like Ledger and Trezor. With a track record of finding real flaws in the hardware wallet industry, Keylabs approached Passport Prime with the same rigor, giving us confidence that the evaluation reflected genuine attack scenarios and industry-leading standards.
The audit examined every layer of Passport Prime. From hardware and firmware to system architecture, to assess its resilience against real-world attack scenarios:
- Threat modeling & architecture
- Keylabs defined likely adversaries and reviewed how Passport Prime’s layered design is intended to protect against them, validating that the architecture aligns with our security goals.
- Firmware review
- They examined PIN authentication, key handling, memory clearing, secure boot behavior, and many other aspects.
- Hardware testing
- They evaluated components such as the ATECC608C secure element, SECURAM volatile memory, tamper detection, and PCB layout, including the accessibility of debug/test interfaces.
- Physical attack considerations
- The team assessed side-channel considerations, fault-injection feasibility, and what a skilled attacker with direct device access might realistically attempt.
This overview is only a snapshot of what was audited. The full report below goes much deeper and covers every component and process in detail.
Results Summary
No critical or high-severity vulnerabilities were found. All observations were low severity, requiring physical access and advanced tooling to attempt exploitation.
Keylabs concluded:
“The overall architecture demonstrates exceptional security design principles and sophisticated implementation.”
and further:
“The proactive approach to security demonstrates Foundation’s dedication to transparency and continuous security improvement. This results in a highly secure hardware wallet architecture that exceeds industry standards for protecting users’ digital assets.”
The findings themselves were focused on best-practice hardening recommendations:
- Randomizing PIN verification timing to reduce side-channel risk.
- Clearing memory more aggressively after failed attempts and on boot.
- Ensuring Shamir shares are wiped immediately after use.
- Zeroing SECURAM when PIN retries are exhausted.
- Reducing exposure of non-essential debug pads on the PCB in future hardware revisions.
These are refinements rather than structural flaws, and all have already been addressed.
Our Response
We treated every observation from the audit as an opportunity to strengthen Passport Prime before it ships.
- PIN verification — we implemented changes to add timing randomization and mitigate side-channel analysis.
- Memory clearing — firmware was updated to ensure more aggressive zeroization on boot and after failed PIN attempts.
- Shamir shares — handling was improved to guarantee that temporary shares are securely wiped immediately after use.
- SECURAM behavior — logic was updated so volatile memory is cleared when PIN retries are exhausted.
- Debug/test pads — while already hidden and protected by tamper detection, future hardware revisions will reduce or eliminate exposure further.
Our goal isn’t to pass an audit once, but to keep raising the bar. A complete, detailed breakdown of how we addressed each point is provided in our official response below.
Full Report & Response
Both documents are available in full and open for public review
Closing Thoughts
Security is never “finished.” What matters is building systems that can evolve, improve, and stand up to constant inspection. Every observation has been addressed or planned for, and publishing the results ensures anyone can examine the process for themselves.
We are proud of these results. The audit confirmed that Passport Prime’s architecture is not only resilient, but in the words of the auditors demonstrates “exceptional security design principles” and “a highly secure architecture that exceeds industry standards.”
As Passport Prime begins shipping, this audit is an important step in our commitment to transparency and verifiable security. It confirms what we’ve built: not just another hardware wallet, but a security platform whose architecture has been recognized as exceptional, sophisticated, and ahead of industry standards.