The crypto hardware wallet was supposed to free you from trusting third parties. So why does every device on the market still need a phone app, a companion software stack, and a leap of faith about where it was made?
The hardware wallet industry has spent a decade selling the same basic pitch: your keys are stored offline, protected by a dedicated security chip, safe from hackers. And that pitch isn't wrong — any reputable hardware wallet is dramatically safer than leaving your crypto on an exchange.
But the pitch leaves a lot out. The uncomfortable truth is that most hardware wallets are only half a product. They're signing devices — some with better screens than they used to have, sure — but they still depend entirely on a companion app running on your phone or laptop to do anything useful. They can't compose a transaction on their own. They can't connect to the blockchain on their own. They can't show you your balances without a phone in the loop. And that dependency reintroduces exactly the kind of attack surface that hardware wallets were designed to eliminate.
We built LurraPay to close that gap. Not by improving the existing model, but by replacing it.
The Companion App Problem
Here's what most hardware wallet companies don't emphasise in their marketing: the device itself can't show you your balances, compose a transaction, browse tokens, or connect to the blockchain. It signs things. That's it. Everything else — the interface you actually look at, the software that constructs the transaction, the network connection that broadcasts it — runs on a separate computer you also have to trust.
That companion app is a full-featured software application running on a general-purpose operating system — the same operating system that runs your browser, your email client, and whatever else you've installed. It connects to the internet. It can be updated. It can be spoofed. It can be replaced by a phishing version that looks identical but substitutes a different recipient address at the moment of signing.
Some newer devices have improved their screens — larger e-ink or colour touchscreens that can display more information. That's a genuine step forward. But a bigger screen on a signing device doesn't change the architecture. The transaction is still composed on your phone. The blockchain connection still runs through a companion app. The device still can't do anything without that second piece of software in the loop. A better screen makes it easier to verify what the companion app is asking you to sign — but it doesn't eliminate the companion app as a point of failure.
LurraPay doesn't have a companion app because it doesn't need one. The 3.7-inch e-ink touchscreen displays full wallet addresses, complete transaction details, and scannable QR codes. The device connects to WiFi, communicates directly with blockchain nodes, and handles everything — from composing a transaction to signing and broadcasting it — on a single piece of hardware. There's no second device in the loop. Nothing to spoof. Nothing to phish.
The Connectivity Problem
The hardware wallet industry started with USB cables — a direct data channel between the signing device and your computer. That connection was always an attack vector: malicious cables, BadUSB firmware exploits, compromised charging stations, juice-jacking. Some companies recognised this and added Bluetooth, allowing wireless pairing with a phone instead.
But here's what Bluetooth doesn't fix: the device is still talking to a companion app. It's still a two-device system. Whether the data travels over a USB cable or a Bluetooth radio, the transaction is still composed on your phone, sent to the wallet for signing, and then relayed back through the companion app to reach the network. Bluetooth changes the transport layer. It doesn't change the architecture.
Bluetooth also introduces its own concerns. Pairing vulnerabilities, downgrade attacks, and proximity-based interception are all documented in the Bluetooth security literature. And beyond the security questions, there's a practical reliability problem that anyone who's tried to use a Bluetooth hardware wallet in the real world knows intimately: Bluetooth is fragile. In a crowded space — a cafe, a conference, an airport — the 2.4 GHz band is saturated with interference from other devices, and Bluetooth pairing simply fails. The wallet won't connect. You're standing there with a device full of crypto and a phone that can't see it. A financial device that becomes unusable in the presence of other people's headphones is not a serious connectivity solution. Trading USB risks for Bluetooth risks — and Bluetooth's real-world reliability problems — is a lateral move, not a step forward.
LurraPay doesn't use USB data or Bluetooth for communication. The USB-C port is wired for charging only — the data lines are physically disconnected at the PCB level. There is no USB data pathway into the device. A malicious cable charges the battery and does nothing else. Instead of relying on any connection to a companion device, LurraPay connects directly to your WiFi network, communicates with blockchain nodes and banking APIs itself, and handles everything locally. No intermediary device. No companion app relaying data. No Bluetooth pairing to manage. Just a direct, self-contained connection from the device in your hand to the network.
The Black-Box Supply Chain Problem
Ask the average hardware wallet company where their device is assembled. You might be surprised. Some of the market's best-known devices — products that trade heavily on their European brand identity — are actually assembled in Vietnam. There's nothing inherently wrong with Vietnamese manufacturing, but when a company's marketing leans on European trust and regulatory rigour while the PCBs are being populated and flashed on a factory floor in Southeast Asia, users deserve to know that. The gap between brand perception and manufacturing reality is itself a supply chain risk — because it means the company has already decided that transparency is optional.
Now go a level deeper. Ask who made the voltage regulator on the PCB. Or the capacitors. Or whether the flash memory chip has any manufacturing exposure to jurisdictions where state-sponsored supply chain interference is a documented concern. You'll get silence, or a vague reference to "industry-standard components."
The crypto industry has spent years educating users about the importance of verifying — don't trust, verify. But that principle evaporates at the hardware level. Users are expected to trust that the dozens of components inside their wallet are sourced from reputable manufacturers, assembled without tampering, and free from backdoors. And they're expected to take that on faith, because virtually no wallet company publishes a meaningful supply chain audit.
LurraPay publishes the manufacturer, headquarters country, and country of origin for every component category in the device. Our processor is from NXP in the Netherlands. Our WiFi module is from Würth Elektronik in Germany. Our voltage regulation is from STMicroelectronics in Switzerland and France. Our e-ink display is from Pervasive Displays in Taiwan. Our QR scanner is from Marson Technology in Taiwan. Capacitors from Murata in Japan. Connectors from Hirose in Japan. Antenna from Johanson Technology in the USA.
During our design process, we audited every component for manufacturer ownership structure and physical manufacturing location. Components from manufacturers with state ownership concerns or opaque manufacturing provenance were identified and replaced before the design was finalised. Every component in the production device is sourced from a manufacturer headquartered in a democracy with strong rule of law and independent regulatory oversight.
The full bill of materials is available on request.
The Key Storage Problem
Most hardware wallets store your private keys in a dedicated secure element — a tamper-resistant chip designed specifically for cryptographic key storage. This is a genuine security feature and a meaningful improvement over software wallets.
But most secure elements store keys as encrypted data in non-volatile memory. If someone extracts the chip, they have the encrypted keys. The remaining question is whether they can break the encryption, which becomes a question of time, resources, and the specific chip's resistance to side-channel attacks, fault injection, and decapping.
LurraPay uses a different approach. The NXP LPC55S69 processor includes a Physical Unclonable Function (PUF) — a hardware mechanism that derives cryptographic keys from microscopic physical variations unique to each individual chip. These variations are inherent to the silicon manufacturing process and are so subtle that even the chip manufacturer cannot replicate them. Your master key doesn't exist in storage at all. It's regenerated from the physical identity of your specific processor each time it's needed, and it exists only transiently in volatile registers during signing operations.
If someone desolders the processor from a LurraPay board, they have a chip. They don't have your keys. The keys are a function of that chip's physical structure combined with enrolment data — and extracting the PUF response requires the exact environmental conditions and timing of normal operation. It's a fundamentally different security model than "encrypted file stored on tamper-resistant chip."
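How enrolment data and a noisy PUF reading combine into a stable key can be shown with a textbook code-offset fuzzy extractor. The sketch below is an added example, not LurraPay's firmware or NXP's PUF algorithm. The simulated chip, the 7-cell repetition code and all function names are assumptions made for illustration; production designs use stronger error-correcting codes.

```python
import hashlib
import secrets

# Illustrative parameters (assumptions, not taken from any real device).
REP = 7          # each secret bit is spread over 7 PUF cells (repetition code)
KEY_BITS = 128   # secret bits protected by the code

def _kdf(bits):
    return hashlib.sha256(bytes(bits)).digest()

def enroll(puf_bits):
    """One-time enrolment: mask a random codeword with the PUF response."""
    secret = [secrets.randbits(1) for _ in range(KEY_BITS)]
    codeword = [b for b in secret for _ in range(REP)]
    helper = [c ^ p for c, p in zip(codeword, puf_bits)]  # stored in flash
    return helper, _kdf(secret)  # key is used, then discarded; only helper persists

def reconstruct(puf_reading, helper):
    """Each use: unmask with a fresh reading, majority-decode, re-derive key."""
    masked = [h ^ p for h, p in zip(helper, puf_reading)]
    secret = [int(sum(masked[i:i + REP]) > REP // 2)
              for i in range(0, len(masked), REP)]
    return _kdf(secret)

def simulate_chip(seed):
    """Constructed stand-in for silicon: fixed per-chip bit pattern from a seed."""
    stream = hashlib.shake_256(seed).digest(KEY_BITS * REP // 8)
    return [(byte >> i) & 1 for byte in stream for i in range(8)]

def read_with_noise(puf_bits, flips_per_block):
    """Flip the first `flips_per_block` cells of every block (measurement noise)."""
    noisy = list(puf_bits)
    for start in range(0, len(noisy), REP):
        for offset in range(flips_per_block):
            noisy[start + offset] ^= 1
    return noisy

if __name__ == "__main__":
    chip = simulate_chip(b"constructed-chip-A")
    helper, key = enroll(chip)
    print("3 flips/block recovers key:", reconstruct(read_with_noise(chip, 3), helper) == key)
    print("4 flips/block recovers key:", reconstruct(read_with_noise(chip, 4), helper) == key)
    other = simulate_chip(b"constructed-chip-B")
    print("helper on another chip:    ", reconstruct(other, helper) == key)
```

Three flipped cells per block still decode to the enrolled key, four do not, and the same helper data read against a different simulated chip yields an unrelated key.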
The Display Problem
The hardware wallet industry has made real progress on screens. Early devices had tiny monochrome OLEDs that could barely render a wallet address. Newer flagship products have moved to larger touchscreens — some even using e-ink — and a few manufacturers now drive their display directly from the secure element, which is a legitimate security improvement.
But even on a device with a beautiful, secure, tamper-resistant screen, the display's role in the traditional hardware wallet architecture is fundamentally limited. It's a verification checkpoint. The screen shows you what the companion app has asked the device to sign. You read it, you approve it, and the signed result goes back to the companion app for broadcast. The display is the last line of defence — but it's not the interface. The interface is the app on your phone.
This creates a subtle problem. Users are being asked to cross-reference two screens — the companion app on their phone and the confirmation display on their wallet — and manually verify that they match. In practice, most people glance at the first few and last few characters of an address and hit confirm. The verification experience is a chore bolted onto a workflow that was designed around the companion app, not around the device in your hand.
LurraPay's 3.7-inch e-ink touchscreen serves a different purpose entirely. It's not a verification checkpoint for another device's workflow. It is the interface. You compose transactions on it. You browse your wallets on it. You initiate swaps, manage staking, and scan QR codes — all on the device itself. There's nothing to cross-reference because there's no second screen.
E-ink also provides a physical verification mechanism that works particularly well in a self-contained device: every transaction triggers a full display refresh — a deliberate two-second pause where the screen blanks and re-renders with your transaction details. This refresh is a physical property of e-ink technology. It can't be suppressed, overlaid, or skipped by software. What you see after the refresh is what the device is about to sign. On a device where the display is the sole interface — not a secondary confirmation screen — that matters more than it does anywhere else.
The "Wallet Plus Phone Plus App" Problem
Step back and look at how most people actually use a hardware wallet today. You want to send some crypto. Here's the workflow:
- Open the companion app on your phone or computer.
- Plug in or wirelessly connect your hardware wallet.
- Unlock the wallet (PIN, passphrase, or biometric).
- Compose the transaction in the companion app.
- The companion app sends the unsigned transaction to the hardware wallet.
- Cross-check the wallet's screen against the companion app to verify the address.
- Press a button on the wallet to sign.
- The signed transaction goes back to the companion app.
- The companion app broadcasts it to the network.
That's nine steps across two devices and one software application. Every handoff is a potential point of failure or interception.
Here's the same process on LurraPay:
- Pick up the device and unlock it.
- Tap "Send." Point the QR scanner at the recipient's code (or enter the address on the touchscreen).
- Review the full transaction details on the e-ink display.
- Confirm with a physical button press.
- Done. The device signs and broadcasts directly.
Five steps. One device. No handoffs. The transaction is composed, signed, and broadcast from a single trusted endpoint — the device in your hand.
Built-In Banking: The Missing Layer
Even the most feature-rich hardware wallets are still just wallets. If you want to buy crypto with fiat currency, you need an exchange. If you want to spend crypto in the real world, you need an off-ramp. If you want to swap between chains, you need a DEX aggregator. Each of these requires another app, another account, another surface area.
LurraPay integrates banking directly into the device. A linked bank account through licensed banking partners gives you an IBAN and the ability to send and receive USD, EUR, and GBP. Buy crypto directly from your bank account. Sell back to fiat instantly. Spend with a linked Visa debit card that converts at the point of sale. Stake supported cryptocurrencies and receive rewards directly to your wallet. Swap across chains with aggregated best rates.
It's not just a wallet. It's a self-contained financial device.
The Bottom Line
The current generation of hardware wallets represented a genuine step forward for crypto security. Some of them now have good screens, wireless connectivity, and polished companion apps. But they were all designed around the same fundamental assumption: that the device is a signer, and something else — your phone, your laptop, a companion app — is the brain. That architecture means every transaction passes through at least two devices, at least one piece of software running on a general-purpose operating system, and at least one wireless or wired handoff that didn't need to exist. The companion app dependency, the opaque supply chains, and the single-function design all create gaps that a purpose-built device can close.
LurraPay is that device. Self-contained. Self-connecting. Fully transparent about what's inside it and where it comes from. Assembled in Germany from components sourced exclusively from democratic, auditable supply chains. With an architecture where the device in your hand is the only device in the loop, and a key management system that means your keys never exist in extractable form.
Your money deserves a device that can stand on its own.
LurraPay Wallet is available for pre-order at $599 from lurrapay.com/shop. Read our full supply chain analysis at lurrapay.com/blog.