If you've shopped for a hardware wallet, you've probably seen specs like "EAL5+ secure element" or "EAL6+ certified chip" in the marketing. The acronyms are easy to skim past. They sound like industrial certifications, the kind of thing nobody outside the manufacturing world cares about.
They matter more than you'd think. EAL ratings are the difference between a chip that takes a sophisticated lab to crack and a chip that gives up its secrets to a determined hobbyist with a few hundred dollars of equipment.
This is a plain-English guide to what EAL ratings mean, why they matter for crypto, and what to look for on a spec sheet.
EAL stands for Evaluation Assurance Level. It's part of the Common Criteria framework, an international standard for security certification of hardware and software. The framework runs from EAL1 to EAL7. Each level requires more rigorous testing than the one below it.
A chip rated EAL1 has been tested at a basic level: documentation review, simple functional tests, no real adversarial pressure. A chip rated EAL7 has been formally verified, meaning the design has been mathematically proven correct against its specification.
The "+" in ratings like EAL5+ or EAL6+ means the certification includes additional testing on top of the base level. Most secure elements you'll see in payment cards and hardware wallets sit at EAL5+ or EAL6+. The plus is where the side-channel and fault-injection testing happens.
EAL5+ and EAL6+ chips aren't unique to crypto. The same components live in:
These are environments where a successful chip-level attack would mean compromising a payment system, a national identity infrastructure, or a person's medical record. The certification regime developed around those use cases. Crypto hardware wallets are riding on the same chips and the same testing.
Three concrete capabilities, each of which addresses a real attack class.
Side-channel resistance. When a chip performs a cryptographic operation, it draws power and emits electromagnetic radiation. The pattern of those signals leaks information about the operation. A non-resistant chip might leak the bits of the private key one at a time as it signs a transaction.
EAL5+ certification requires testing against power analysis, electromagnetic analysis, and timing analysis. The chip's circuitry is designed so that signing a 0 looks the same (in power and EM) as signing a 1.
Fault injection resistance. A determined adversary won't just observe the chip. They'll attack it. Fault injection means deliberately causing the chip to make an error mid-computation, in the hope that the erroneous output reveals something about the secret it's protecting.
The most common fault injection methods are:
EAL6+ certification requires hardware countermeasures against all four. The chip detects anomalies and either shuts down or returns garbage instead of revealing data.
Tamper response. If somebody manages to physically open the chip (a process called decapsulation, which removes the chip's protective packaging to expose the silicon), the chip should detect the intrusion and erase its secrets before they can be read.
EAL6+ chips include active and passive tamper detection: meshes of wires that detect cuts, light sensors that detect packaging removal, and temperature sensors that detect cryogenic attacks (some chips can be slowed enough by liquid nitrogen to read out their state).
A wallet without a certified secure element is relying on software to defend the keys. Some good wallets work that way. The trade-off is that physical attacks become much cheaper.
Researchers have demonstrated key extraction from non-certified hardware wallets using $200 of equipment and a few hours. For example, the wallet.fail team showed real hardware wallet hacks at the 35C3 security conference.
If your threat model includes physical access to the device (a stolen wallet, a brief unattended period during a hotel stay, an evil-maid attack), the EAL rating is the first line of defense.
If your threat model is just remote attackers and malware, you can get away with less. But the device cost difference between certified and non-certified chips is small enough that there's no good reason to settle.
EAL ratings cover the chip. They don't cover:
A wallet can have an EAL6+ chip and still be compromised by a malicious firmware update, a tampered shipment, or a phishing transaction you sign yourself. The chip is one layer.
That's why the rest of the device matters. A clear, large screen for verifying transactions. Firmware that's signed and verified by the device before running. A direct-to-consumer supply chain that doesn't pass through unknown resellers.
When evaluating a hardware wallet, three EAL-related questions are worth asking.
What's the certification level? EAL5+ is acceptable. EAL6+ is the current top tier in commercial chips and worth paying for if you can.
Who's the chip vendor? Infineon, NXP, and STMicroelectronics make most of the certified chips in this space. Knowing which vendor and which specific chip lets you check independent assessments.
Is the rating audited? Common Criteria certifications are issued by independent labs, not by chip vendors. The certificate is publicly available. If a wallet claims an EAL rating, you should be able to find the actual certification document. If you can't, the claim is marketing copy, not a real certification.
Ryder One uses an EAL6+ Infineon secure element. The same class of chip used in chip-and-pin payment cards and biometric passports. The certification is auditable.
Hardware is one layer. The device pairs the EAL6+ chip with a 1.6-inch AMOLED touchscreen for transaction verification, signed firmware, and a direct-to-consumer supply chain.
Backup is the layer most users underestimate. A standard hardware wallet's backup hinges on a single seed phrase, often stamped on a single piece of metal. That metal plate is more durable than paper, but it's still a single point of failure for the entire wallet. TapSafe Recovery splits the backup across a battery-free Recovery Tag, your phone, and an optional circle of Recovery Contacts. The seed phrase is on-device as a last resort, so you're never locked in.
EAL ratings are the difference between a chip a hobbyist can crack and a chip that takes a sophisticated lab. EAL5+ and EAL6+ chips defend against side-channel attacks, fault injection, and physical tampering, the three categories of attack that target the chip itself.
If you're storing more than pocket change in self-custody, the EAL rating on your hardware wallet's secure element is the first spec to check.
The only crypto wallet you can install on a crowded subway.
Set it up in less than 60 seconds and just tap your phone to send, swap, and recover.
Share: