This hack is pretty wild and @SeedSigner is affected as far as I can see. Or does it not enable a previously impossible Evil Maid Attack: Eve only needs access to the device for seconds to binary-patch the firmware on it. The compromised firmware would send out the seed, encrypted for Eve's receiver that she's hiding anywhere inside the house, while otherwise functioning normally. Now, when Alice loads her wallet on the compromised SS, it blasts out the keys and the receiver catches it. Prior to this hack, a companion app could detect exfiltration, but now any companion app is side-stepped completely. As a fan of @SeedSigner's approach, I wish there was a simple mitigation, but maybe there is. Maybe incorporating tinfoil in the casing fixes this. Or a full metal casing, so the maid can't just remove the tinfoil.

Replies (9)

Solid advice, but I think SS is over-promising there, as they usually claim that the device cannot do evil stuff due to lack of an RF module and being stateless. Adding an RF module solely through software is a new concern that should be taken into account.
Ok, that's great, but it's merely reducing the effectiveness, if it even does that. I'm not an expert in electronics, but I guess it's not wrong to say that any circuit is an antenna. There are just some that are more efficient than others.
I never said that was not the case. I even brought this point up on Twitter myself today. While I'm generally much more welcoming of @SeedSigner than of ColdCard due to how @DETERMINISTIC OPTIMISM 🌞 treats people (belittles SeedSigner users as "kids", attacks and threatens me, closed the license of the ColdCard, doesn't want a public issue tracker, ...), I mention issues where I see them and think it's fair to consider them. @SeedSigner suggests using the boards without radio, yet we learn that they have known since forever that you can have radio on a no-radio RPi. Just how relevant is it to use no-radio? Is there a way to shield the device? Is there actually almost no range due to all pins being used? I don't know and hope to understand this, as I really like how the seedsigner makes signing really very transparent to the user, and with the right companion app, I don't see how it could exfiltrate seeds ... unless there is merit to the FUD of some software abusing circuits to talk to some globally ubiquitous IoT network.
Couldn’t you put a tamper indicator on the case, so if someone opens up the seedsigner to install custom software to do this, you would know someone tampered with it by checking the indicator seal?
Well, I guess you could. My perspective is always the average user that is not following this discussion. My project is WalletScrutiny, and when reviewing SeedSigner, I took the "no radio" aspect at face value. Hacks like this make me paranoid about the firmware shipping with some LoRa IoT global network leaking the keys while in use. I do not think that SeedSigner would do something like that, and suspect there might rather be custom hardware wallets that "accidentally" feature much better antennas that later turn out to have been sending seeds for years, but "won't be evil" is just not good enough. I try to find "can't be evil" or whatever gets closest to that.
Another solution, though not as simple to implement as a tamper seal or tamper bag, would be to use an actual LoRa device or any contraption of your own to transmit on the frequency this uses with a weak signal of random data. Less precisely, you could try to just make enough noise across the frequency range, which would attempt to jam the frequency range this technique would use in the short-range proximity of your SeedSigner or other hardware wallet.
“Honest officer, this isn’t jamming, it’s just accidental interference. How was I supposed to know my maid had put a device in my house that was using this frequency range.” If the “interfering emissions” are weak enough to disrupt LoRa inside the house and within your property but not impede anyone else’s use, then I think it’s kind of a non-issue even if technically illegal. Alternatively, there are all kinds of retail equipment (LED lightbulbs, battery chargers, electric motors, etc.) that create interference and may even not meet the FCC requirements they are supposed to.