
Topic: Safepal S1 wallet have serious flaws! - page 2. (Read 519 times)

legendary
Activity: 2212
Merit: 7064
February 20, 2021, 06:04:35 AM
#5
SafePal S1 claim their product is EAL5+ level

I know they claim this, BUT problem is that Safepal is the only hardware wallet (except unknown Wookong brand) that I couldn't identify what secure element they are using, and I even wrote them an email and contacted them on social media.
I received some generic reply without clear explanation, and imagine when Kraken experts also could not identify their secure element...

See the current list of Hardware wallets with identified secure element chips and notice how only Chinese Safepal and Wookong have unknown chips:

  • CoboVault: EAL5+ (FIPS 140-2) secure element with open source firmware
  • ColdCard Mk3: Microchip ATECC608A covered by epoxy, open source
  • Bitbox02: Microchip ATECC608A, open source
  • Passport: Microchip ATECC608A, open source
  • Ledger: EAL5+/EAL6+ ST31H320, ST33J2M0, closed source!
  • D'CENT: EAL5+ NXP P60
  • Safepal S1: EAL5+ ? unknown chip, closed source
  • CoolWalletS: EAL5+ SE microchip NXP P5CD081, closed source
  • Jubiterwallet: EAL6+ SE Infineon, closed source
  • Kasse HK-1000: EAL5+ ST31H320 A03, closed source
  • Keevo: EAL5+ Infineon Optiga Trust-P, closed source
  • Secux: EAL5+ Infineon CC, closed source
  • Ngrave: EAL7+ STM32MP157C with built-in secure element, ?
  • Tangem: EAL6+ Samsung SecureCore microchip, open source sdk
  • ImKey: EAL 6+ Military-grade CC security chip, closed source
  • Wookong: EAL 4+ ? unknown chip, closed source
  • Hashwallet: EAL 6+ Infineon SLE78 secure element

the CEO of safepal said she (female) is strongly secure about her beliefs
Interesting, I didn't know about this.

If Kraken were able to extract the keys in future, what would it mean for those who are using the safepal wallets ?

Will the funds stored in safepal wallet be subject to risk if this happens ?

It would happen the similar thing like for Trezor, Keepkey, older ledger and all other hardware wallets that have some security flaws and extracting keys means they can control and send your crypto.
Not your keys - not your crypto.

full member
Activity: 1134
Merit: 105
February 20, 2021, 05:45:19 AM
#4
The fact that Kraken didn't manage to extract keys doesn't mean that it will not happen soon and who knows what kind of crap is running inside their toy and their Secure Element is unknown and can not be trusted with holding anything.
I would stay away from Safepal and advise anyone not to waste their money and risk your privacy ordering it.


If Kraken were able to extract the keys in future, what would it mean for those who are using the safepal wallets ?

Will the funds stored in safepal wallet be subject to risk if this happens ?
jr. member
Activity: 36
Merit: 10
February 19, 2021, 12:52:11 PM
#3
the CEO of safepal said she (female) is strongly secure about her beliefs

SafePal - #BUIDLers Season 1: Project 3 of 8
https://youtu.be/8olCNqR_2wY
jr. member
Activity: 36
Merit: 10
February 19, 2021, 09:04:54 AM
#2
Thanks OP for the post. It is already one of my favourite posts about hardware wallets.

SafePal S1 claim their product is EAL5+ level

https://docs.safepal.io/safepal-hardware-wallet/security-features/hardware-security/independent-crypto-element

regards to EAL and hardware side .. it makes me wonder about RISC-V open standard instruction set architecture (ISA);

Gosh..

Quote
but their lame reply to license violations is that they will open source Safepal in 2021, let's wait and see.

legendary
Activity: 2212
Merit: 7064
February 17, 2021, 05:28:21 AM
#1
Kraken Security Labs examined latest hyped hardware wallet Safepal S1 and found some serious vulnerabilities and weaknesses in this detailed report.

The thing that had most impact on me after reading their report is the fact that Safepal used GPL open source licenses and claimed them as their own making Safepal closed source, and they made licensing violations without giving credits to original creators!
Kraken team asked for source code from Safepal but they refused to provide it confirming GPL licensing violations and risking potential lawsuit.
There is also possibility that they used firmware check used in Trezor wallet with trezor-license, but this could not be proven at the time of report.

Safepal Tamper Detection is ineffective and Kraken team managed to open wallet easily and without any issue, but Safepal later confirmed this in their reply claiming it doesn’t impact the wallet security.
Interesting thing when they opened the wallet is that they could not identify Secure Element chip that Safepal claims it's EAL5+ but it's obvious from unknown manufacturer.

Downgrade Attack is a big flaw for Safepal as Kraken security team managed to change its firmware that could be used in some potential attack.
Safepal later confirmed this, made a patch and claimed it's non-exploitable.

Safepal team made a quick public reply to Kraken in this blog post claiming that funds are SAFU... and that Kraken team failed to extract the seed from device, but their lame reply to license violations is that they will open source Safepal in 2021, let's wait and see.



You can read detailed Kraken report here and Safepal reply in this post.

My conclusion is that Safepal wallet can not be trusted, as they stole someone else's work and claim it as their own and we call that plagiarism (unless they claim the original source)
The fact that Kraken didn't manage to extract keys doesn't mean that it will not happen soon and who knows what kind of crap is running inside their toy and their Secure Element is unknown and can not be trusted with holding anything.
I would stay away from Safepal and advise anyone not to waste their money and risk your privacy ordering it.