[lxgr]

Even more concerning than predictable wallet seeds are covert channels in the form of nondeterministic signature outputs.

Most wallets let you provide your own seed words, which users can derive using diceware themselves, but DSA (and its elliptic-curve variants) need a secure random input, and I'm not sure if all wallets commonly use a deterministic (i.e. provably free of covert channels) construction (like in RFC 6979) for that.

[amenghra]

From the outset, you can't prove that RFC 6979 was used. I.e. RFC 6979 doesn't provide provable security. If you want a proof that there are no covert channels, you need to implement some kind of interactive protocol between the signer and the verifier -- I'm not aware of any standard/popular way of implementing that.

What you can do is use a dice to generate a key and the sign a bunch of messages with your hardware wallet and a piece of software that you trust. You can then compare the two outputs. This gives you a probabilistic trust level (the more messages you check, the higher the likelihood of there not being a backdoor). (note: I implemented this logic [1] to check that three different RFC 6979 implementations were returning the exact same bytes).

[1] https://github.com/alokmenghrajani/decv/

[amenghra]

The best defense against potentially malicious hardware wallets is to set up a multisig scheme. If designed properly (with careful planning related to backup/recovery), you end up with better security properties (i.e. defense in depth).