EAL6+ on a Hardware Wallet Box: What It Actually Means - and What It Doesn't

If you've ever shopped for a hardware wallet, you've seen it: "Secure Element, EAL6+ Certified." On the box, on the website, in a comparison table where the competitor with EAL5+ looks like the budget option.
Most buyers read this as "military-grade protection" and move on. That's a mistake. And a costly one - literally.
This article breaks down what EAL actually means, how the rating is assigned, and why the standard itself states that a higher level is not a guarantee of higher security.
What Are Common Criteria and EAL?
Common Criteria is the international standard for evaluating the security of IT products. Its official designation is ISO/IEC 15408. The mutual-recognition arrangement built on it (the CCRA) has been adopted by 31 countries, including the United States, Germany, Japan, and South Korea. It is a standard, not a certification body: evaluations are conducted by accredited independent laboratories, and the certificate is issued by a national scheme (Germany's BSI or France's ANSSI, for example) on the basis of the laboratory's report.
EAL (Evaluation Assurance Level) is a scale within Common Criteria ranging from 1 to 7. The number indicates how deeply a product was examined during the evaluation. Not how secure it is - how deeply it was examined.
The distinction is fundamental. And this is not an interpretation - it is the verbatim language of the standard itself.
What ISO/IEC 15408 Actually Says About EAL - Exact Quote
Here is what is written directly in the standard ISO/IEC 15408-1:2022 (Part 1: Introduction and general model):
"The higher the level of evaluation, the more security assurance tests the product would have undergone; however, this does not guarantee that the product is more secure."
- ISO/IEC 15408-1:2022, official standard text.
Source: iso.org/obp/ui/#iso:std:iso-iec:15408:-1:ed-4:v1:en
The manufacturer prints "EAL6+" on the box. The authors of the standard under which that certificate is issued state that it does not guarantee higher security.
What Is Actually Evaluated During Certification
EAL measures the development process, not the final security level of the device. The standard names the seven levels by what the evaluation covers:
- EAL1 - functionally tested
- EAL2 - structurally tested
- EAL3 - methodically tested and checked
- EAL4 - methodically designed, tested and reviewed
- EAL5 - semiformally designed and tested
- EAL6 - semiformally verified design and tested
- EAL7 - formally verified design and tested
Each step up adds scope (more of the product is covered), depth (more detail, down to the implementation representation at the higher levels) and rigour (informal, then semiformal, then formal description). A "+" suffix means the evaluation was augmented with individual assurance components above the base level; for secure elements that is most often a higher AVA_VAN vulnerability-analysis component.
The key point: at every level, the evaluator checks whether the developer's evidence matches the stated requirements. The AVA_VAN component does include evaluator penetration testing, but only against attack methods known at the time, at a defined attack potential, and within the defined scope (the target of evaluation). The evaluator is not hunting for unknown classes of vulnerability - they verify that the company did what it claimed to do, and that the known attacks do not work.
An Analogy: What EAL Actually Resembles
Think of an accreditation system for construction companies.
- EAL1 - the company showed it has a building plan.
- EAL4 - an independent inspector reviewed the blueprints, logs, and procedures. Everything complies with building codes.
- EAL7 - it has been mathematically proven that every structural element meets the calculated load specifications.
But none of these levels answers the question: will the building survive a magnitude 8 earthquake if such earthquakes were not included in the original specification?
EAL certifies the process. Nature doesn't read documentation.
A Real Case: 14 Years, 80 Certifications - Nobody Noticed
In September 2024, researchers at NinjaLab published a vulnerability called EUCLEAK.
The Infineon SLE78 family - one of the most widely used secure elements in hardware wallets, biometric passports, and bank cards - shipped with a cryptographic library whose ECDSA implementation was flawed. Specifically: the modular inversion of the per-signature ephemeral nonce used an extended Euclidean algorithm that is not constant-time, so the chip's electromagnetic emissions during that step depended on the secret nonce. With physical access to the device and a probe placed near the chip, a few minutes of EM acquisition is enough to recover the nonce, and a recovered nonce gives the long-term private key by solving one modular equation from the signature.
The vulnerability had existed since the library's release in 2010. During those 14 years the chip and library passed approximately 80 Common Criteria evaluations that included the AVA_VAN.4 and AVA_VAN.5 vulnerability-analysis components - the components that sit inside EAL5 and EAL6/EAL7 respectively, and the usual "+" augmentation behind an "EAL5+" or "EAL6+" secure element label. AVA_VAN.5 specifically certifies resistance to attackers with high attack potential, side-channel analysis included.
Nobody noticed.
Source: ninjalab.io/eucleak
This is not an anomaly. It is a structural limitation: an evaluation tests the product against the attack methods documented at the time of evaluation. An attack technique published after the certificate is issued is not covered by that certificate, and the certificate keeps saying what it always said.
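The two halves of the EUCLEAK story, as an added toy example (this is not NinjaLab's or Infineon's code, and all keys, nonces and messages in it are constructed): a textbook extended-Euclidean modular inversion whose loop count depends on the secret input, standing in for the EM trace an attacker would really measure, and the one-line key recovery that follows once a single ECDSA nonce is known. The curve is secp256k1 because that is what most wallets sign with; the arithmetic is pure Python and deliberately simple.

```python
"""Toy reproduction of the EUCLEAK failure mode on secp256k1 (added example,
not NinjaLab's or Infineon's code; all keys, nonces and messages constructed).
(1) A textbook extended-Euclidean inversion has secret-dependent control flow:
its iteration count varies with the input, the kind of behaviour that becomes
an EM/timing side channel on real silicon. (2) Once the ECDSA nonce k of one
signature is known, the private key d follows from a single modular equation."""
import hashlib
import secrets

# secp256k1 domain parameters (public constants)
CURVE_P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
CURVE_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ext_euclid_inverse(a, m):
    """Return (a^-1 mod m, loop iterations). The count depends on the secret a;
    here it stands in for the EM trace an attacker would actually measure."""
    old_r, r = a % m, m
    old_s, s = 1, 0
    steps = 0
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        steps += 1
    if old_r != 1:
        raise ValueError("input is not invertible modulo m")
    return old_s % m, steps

def point_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2 and (y1 + y2) % CURVE_P == 0:
        return None  # a == -b
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, CURVE_P) % CURVE_P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, CURVE_P) % CURVE_P
    x3 = (lam * lam - x1 - x2) % CURVE_P
    return x3, (lam * (x1 - x3) - y1) % CURVE_P

def scalar_mult(k, point):
    """Double-and-add (itself not constant-time; fine for a demo)."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result

def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % CURVE_N

def ecdsa_sign(d, msg, k):
    """Textbook ECDSA with an explicit nonce k, using the leaky inversion."""
    r = scalar_mult(k, G)[0] % CURVE_N
    k_inv, _steps = ext_euclid_inverse(k, CURVE_N)  # the EUCLEAK operation
    s = k_inv * (hash_to_int(msg) + r * d) % CURVE_N
    if r == 0 or s == 0:
        raise ValueError("degenerate nonce, pick another k")
    return r, s

def ecdsa_verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < CURVE_N and 0 < s < CURVE_N):
        return False
    w = pow(s, -1, CURVE_N)
    x = point_add(scalar_mult(hash_to_int(msg) * w % CURVE_N, G),
                  scalar_mult(r * w % CURVE_N, pub))
    return x is not None and x[0] % CURVE_N == r

def recover_private_key(msg, sig, k):
    """One signature plus its nonce: d = (s*k - h) * r^-1 mod n."""
    r, s = sig
    return (s * k - hash_to_int(msg)) * pow(r, -1, CURVE_N) % CURVE_N

def nonce_leak_demo(samples=32):
    """Distinct iteration counts over random nonces; more than one value means
    the inversion's running time depends on the nonce."""
    return {ext_euclid_inverse(secrets.randbelow(CURVE_N - 1) + 1, CURVE_N)[1]
            for _ in range(samples)}

def key_recovery_demo():
    """Sign with a random key and nonce, then recover the key from the nonce."""
    d = secrets.randbelow(CURVE_N - 1) + 1
    k = secrets.randbelow(CURVE_N - 1) + 1
    msg = b"constructed sample transaction"
    sig = ecdsa_sign(d, msg, k)
    assert ecdsa_verify(scalar_mult(d, G), msg, sig)
    return recover_private_key(msg, sig, k) == d

if __name__ == "__main__":
    print("distinct inversion iteration counts:", sorted(nonce_leak_demo()))
    print("private key recovered from leaked nonce:", key_recovery_demo())
```

Running it prints several different iteration counts for different nonces and `True` for the recovery. The point for a buyer is the second function: an evaluator who never measured that particular loop would have found nothing wrong, and the certificate would still say "resistant to high attack potential". A constant-time inversion (for example, Fermat inversion via `pow(k, n - 2, n)`, or a constant-time binary GCD) removes the input dependence that makes the first function leak.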
Three Things EAL Does Not Cover
1. The Wallet's Firmware
EAL certifies the chip (the Secure Element), together with whatever embedded OS or cryptographic library the vendor put inside the target of evaluation, but not the wallet application firmware running on top of it. A wallet with an EAL6+ chip can still contain firmware vulnerabilities - those fall entirely outside the scope of the chip's certificate. (EUCLEAK cut the other way: there the flaw sat inside the certified library itself, which shows that even the in-scope part is only as good as the attacks the evaluators knew to try.)
2. User Behavior
According to Chainalysis, in the first half of 2025, 59% of all crypto losses stemmed from access control failures - phishing, social engineering, and signing malicious transactions. An EAL6+ chip does not help if the user pressed "confirm" themselves.
3. Post-Update Validity
A certificate is issued for a specific version of a product - the hardware revision and the software versions listed on the certificate. A changed version is, formally, a different product: minor changes can be carried over through the scheme's assurance-continuity (maintenance) process, larger ones need a re-evaluation, and nothing forces a vendor to do either. This means the firmware currently running on your device may never have been evaluated at all.
What Actually Matters When Choosing a Hardware Wallet
EAL is not a useless metric. But it is one signal among several - not the primary criterion.
✅ Checklist: How to Read Certification Correctly
- EAL speaks to process, not outcome. Treat it as one indicator, not a guarantee.
- Find out the specific chip model. Not just "EAL6+", but the exact part: STMicroelectronics ST33K1M5, Infineon OPTIGA Trust M, Microchip ATECC608C. Then look up that part's certificate on the Common Criteria portal (commoncriteriaportal.org) to see which hardware and software versions it covers and which AVA_VAN level was reached, and check CVE databases and the vendor's security advisories for that chip over the past two years.
- The certificate applies to a specific version. Firmware updates may not undergo re-evaluation.
- EAL does not cover firmware. A public security audit of the firmware by an independent firm (Keylabs, Trail of Bits, Cure53) is a separate and important signal.
✅ Checklist: What to Verify Beyond EAL
- Blind signing protection: does the device parse the transaction itself and show the full details on its own screen - recipient address, amount, contract being called - rather than a hash? A display whose content comes from the companion app can be fed whatever a compromised host wants you to see.
- Company track record: how long have they been in the market, and is there a history of disclosed and patched vulnerabilities?
- Independent security audit: has the firmware been audited by a recognized third-party security firm?
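What the blind-signing item in the checklist means in practice, as an added example that is not any wallet vendor's code: the page names no chain, so an Ethereum-style ERC-20 `transfer(address,uint256)` call is assumed as the concrete format, every byte in it is constructed, and the 4-byte selector is hard-coded because the Python standard library has no Keccak-256. The same 68 bytes are shown once as the opaque digest a blind-signing prompt offers and once decoded into the fields a user can actually check.

```python
"""What a blind-signing prompt hides, using an ERC-20 token transfer as the
illustration (added example, not any vendor's wallet code; Ethereum ABI
encoding is assumed as the concrete format, and all bytes are constructed).
The selector a9059cbb is the real first 4 bytes of
keccak256("transfer(address,uint256)"), hard-coded because the standard
library has no Keccak-256."""
import hashlib
from dataclasses import dataclass

TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")
ADDRESS_LEN = 20

@dataclass(frozen=True)
class TransferCall:
    contract: str   # token contract being called
    recipient: str  # where the tokens go
    amount: int     # in the token's smallest unit

def decode_erc20_transfer(to_contract: bytes, calldata: bytes) -> TransferCall:
    """Parse transfer(address,uint256) calldata: 4-byte selector, then two
    32-byte ABI words (the address left-padded with 12 zero bytes)."""
    if len(to_contract) != ADDRESS_LEN:
        raise ValueError("contract address must be 20 bytes")
    if len(calldata) != 4 + 32 + 32:
        raise ValueError(f"unexpected calldata length {len(calldata)}")
    if calldata[:4] != TRANSFER_SELECTOR:
        raise ValueError("not a transfer(address,uint256) call")
    addr_word, amount_word = calldata[4:36], calldata[36:68]
    if any(addr_word[:32 - ADDRESS_LEN]):
        raise ValueError("malformed address word (non-zero padding)")
    return TransferCall(
        contract="0x" + to_contract.hex(),
        recipient="0x" + addr_word[32 - ADDRESS_LEN:].hex(),
        amount=int.from_bytes(amount_word, "big"),
    )

def encode_erc20_transfer(recipient: bytes, amount: int) -> bytes:
    """Build the calldata (used here only to construct the sample input)."""
    return TRANSFER_SELECTOR + recipient.rjust(32, b"\x00") + amount.to_bytes(32, "big")

def blind_signing_prompt(to_contract: bytes, calldata: bytes) -> str:
    """All a blind-signing flow can show: a digest nobody can check by eye.
    SHA-256 stands in for the chain's real transaction hash."""
    return "Sign hash " + hashlib.sha256(to_contract + calldata).hexdigest()

def clear_signing_prompt(to_contract: bytes, calldata: bytes, decimals: int = 6) -> str:
    """What a device that parses the call itself can show before 'confirm'."""
    call = decode_erc20_transfer(to_contract, calldata)
    whole, frac = divmod(call.amount, 10 ** decimals)
    return (f"Contract  {call.contract}\n"
            f"Transfer  {whole}.{frac:0{decimals}d} tokens\n"
            f"To        {call.recipient}")

# Constructed sample: a 1.5-token transfer (6 decimals) to a made-up address.
SAMPLE_CONTRACT = bytes.fromhex("11" * 20)
SAMPLE_RECIPIENT = bytes.fromhex("22" * 20)
SAMPLE_CALLDATA = encode_erc20_transfer(SAMPLE_RECIPIENT, 1_500_000)

if __name__ == "__main__":
    print(blind_signing_prompt(SAMPLE_CONTRACT, SAMPLE_CALLDATA))
    print()
    print(clear_signing_prompt(SAMPLE_CONTRACT, SAMPLE_CALLDATA))
```

The decoder rejects anything it does not fully understand (wrong length, wrong selector, non-zero padding in the address word) instead of guessing; a device that falls back to "sign this hash" for unrecognised calls has quietly reverted to blind signing, so it is worth asking a vendor what their device does with a call it cannot parse.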
Conclusion
EAL is not a security rating. It is a scale measuring the depth of process evaluation under ISO/IEC 15408.
The standard itself states explicitly: a higher EAL does not guarantee that a product is more secure.
This does not mean certification is worthless. It means it does exactly what it was designed to do: confirm that a manufacturer followed documented processes at the time of evaluation.
Real security is built from multiple layers: chip quality, company transparency, user behavior - and a clear understanding of what you are actually protecting against.
The number on the box is the beginning of the conversation, not the end of it.
Sources:
- ISO/IEC 15408-1:2022 - iso.org
- NinjaLab, EUCLEAK (2024) - ninjalab.io/eucleak
- Chainalysis, Mid-Year Crypto Crime Report 2025
- sec-certs, ScienceDirect (2024)