I learned about a cold wallet called SafePal.Please help! How about this wallet?

[dkbit98]

I don't have any problem in testing new hardware wallets.
We don't live in stone age that we have to use one wallet all life, and for sure something new and better will show up.

I think Safepal is still cheapest hardware wallets, and it is better than regular mobile wallets for sure.
Ledger is better for sure, but Safepal have some advantages, and nothing wrong with having several hardware wallets.

[o_e_l_e_o]

nothing wrong with having several hardware wallets.

Sure, but be aware that if you are mirroring the same wallet(s) across multiple hardware wallets, then your coins are only as secure as the least secure of all the wallets.

Lets say you buy a handful of different hardware wallets, and restore from the same seed on each one. One of them turns out to be either a deliberate fraud or simply poorly designed. The next time you use it, it leaks your private keys to an attacker somewhere. All your other hardware wallets are moot at that point. It would be like importing your seed from your Ledger device to a web wallet. You've essentially negated the entire point of the hardware wallet.

Both gentlemand and DaveF are correct. I'm also never going to buy a brand new hardware wallet like this, or at least, if I did it would be for experimenting only for very small amounts of bitcoin, and never as a main hardware wallet. What's the point in taking the risk on an untried and untested device? But at the same time, it makes it very difficult for new providers to enter the space, which is a bad thing. Catch-22 situation.

[dkbit98]

nothing wrong with having several hardware wallets.

Sure, but be aware that if you are mirroring the same wallet(s) across multiple hardware wallets, then your coins are only as secure as the least secure of all the wallets.

Why would anyone do that?
People should know to NOT reuse addresses or use it only in rear situations, and importing private keys/seeds should NEVER be done, except if you need to recover wallet.
New wallet - New seed words.
How can anything 'leak' from Safepal when it has no internet connection (that could not be said for Ledger or Trezor) and it is 100% offline?

I would also not use it as main hardware wallet now, but I would not say it is not tested, as Binance exchange is using it and sponsoring it.

[o_e_l_e_o]

Why would anyone do that?

Because people are dumb and/or careless.

People should know to NOT reuse addresses or use it only in rear situations, and importing private keys/seeds should NEVER be done, except if you need to recover wallet.

Correct, but people also frequently lose their coins from inputting their seed phrases in to random websites or storing them online.

How can anything 'leak' from Safepal when it has no internet connection

It has a USB data connection to flash the firmware, so the claim that it is completely disconnected from everything is false. We also have no idea what security it has against physical attacks since that hasn't been tested yet, unlike Ledger and Trezor devices.

but I would not say it is not tested, as Binance exchange is using it and sponsoring it.

Well, that depends on how much you trust Binance. I trust any centralized exchange only marginally more than I trust Craig Wright, so I'm afraid that endorsement doesn't mean much to me.

[dkbit98]

So you 'trust' Ledger and Trezor because somebody unknown tested it, and it is connected to internet each time you plug USB in your PC ?
That means you trust people who tested it.
Some say that LedgerLive is maybe reporting your total balance and who knows what more each time you open it.

I could say that I don't trust any wallet manufacturer or any exchange, not just Binance or Safepal.
Hackers did hack both Ledger, Trezor and Binance (in specific situations)

[Lucius]

Hackers did hack both Ledger, Trezor and Binance (in specific situations)

Show us examples of someone hacking a hardware wallet (Ledger&Trezor) that resulted in the loss of funds from that wallet? You will certainly not find something like that because it has always been about theoretical vulnerabilities that required physical access to the device, sophisticated equipment and a certain degree of knowledge in order to carry out the attack. When it comes to remote attacks that would involve hacking devices and successfully extracting seed/private keys, this is still in the realm of science fiction.

I personally do not have 100% confidence in Ledger or Trezor, but I have a lot more than in some completely unknown hardware wallet that is closed source. The only people successfully hacked while they used hardware wallets are the ones who have somehow exposed their seed, but that's another story.

[o_e_l_e_o]

So you 'trust' Ledger and Trezor because somebody unknown tested it

Never said that. What I did say was that Ledger and Trezor devices have been extensively attacked and penetration tested by a variety of different third parties, researchers, companies, etc., and by definition, any new wallet has not had that.

and it is connected to internet each time you plug USB in your PC ?

The hardware wallet itself is not connected to the internet, and the keys do not leave the device during normal operation anyway. If you are still concerned about it, then you could just use it with an offline computer.

Some say that LedgerLive is maybe reporting your total balance and who knows what more each time you open it.

Good thing I don't use it then.

Hackers did hack both Ledger, Trezor and Binance (in specific situations)

Absolutely. There is no security set up which is 100% safe, but there's a big difference between needing to physical steal a Ledger wallet and have access to a scanning electron microscope to interrogate the secure element, and hacking in to a Binance account with a simple phishing email.

[dkbit98]

Show us examples of someone hacking a hardware wallet (Ledger&Trezor) that resulted in the loss of funds from that wallet? You will certainly not find something like that because it has always been about theoretical vulnerabilities that required physical access to the device, sophisticated equipment and a certain degree of knowledge in order to carry out the attack. When it comes to remote attacks that would involve hacking devices and successfully extracting seed/private keys, this is still in the realm of science fiction.

I personally do not have 100% confidence in Ledger or Trezor, but I have a lot more than in some completely unknown hardware wallet that is closed source. The only people successfully hacked while they used hardware wallets are the ones who have somehow exposed their seed, but that's another story.

Can you show me examples of hacking Safepal and losing funds also?
There is nothing theoretical about fact that Trezor wallet was hacked
https://steemit.com/bitcoin/@tomshwom/lessons-from-the-trezor-hack

Similar hack happened with Keepkey wallet recently.

If you hold devices, you can do wonders.

Good thing I don't use it then.

You don't use it but 99% of people do use it.

Absolutely. There is no security set up which is 100% safe, but there's a big difference between needing to physical steal a Ledger wallet and have access to a scanning electron microscope to interrogate the secure element, and hacking in to a Binance account with a simple phishing email.

Well Binance hold funds in cold wallets, so it is not 'simple phishing email' hack.
If it is so simple please hack it and hire hacker .... just for fun, you can return funds later, and get bounty from them  

[Lucius]

Can you show me examples of hacking Safepal and losing funds also?
There is nothing theoretical about fact that Trezor wallet was hacked
https://steemit.com/bitcoin/@tomshwom/lessons-from-the-trezor-hack

Similar hack happened with Keepkey wallet recently.

If you hold devices, you can do wonders.

Why are you pointing out that something was hacked and not stating how it was done? Once again, this is something that requires physical access to the device, and the whole article actually comes down to one sentence: "The TREZOR hack should be a stark reminder that physical security is still extremely important."

You completely ignore the Trezor reputation and the fact that it is open-source, with something completely unknown and closed source. I consider this a significant difference, everything else is a matter of choice.

I also disagree that 99% of people who own Ledger S / X use Ledger Live, I use Electrum. As far as privacy is concerned, even Electrum does not offer protection against someone finding out your coin addresses, IP address and the amount of coin you have in your wallet. Of course, this can be achieved by using Tor or VPN, but from the wallet creation itself onwards.

Binance holds coins in cold wallets, but also in hot wallets - just like any other crypto exchange. Do you think it would be possible to do business if all the funds were in a real cold wallet? I can't say what percentage of coins Binance holds in a hot wallet, but with Coinbase it is 2%.

[dkbit98]

Why are you pointing out that something was hacked and not stating how it was done? Once again, this is something that requires physical access to the device, and the whole article actually comes down to one sentence: "The TREZOR hack should be a stark reminder that physical security is still extremely important."

You completely ignore the Trezor reputation and the fact that it is open-source, with something completely unknown and closed source. I consider this a significant difference, everything else is a matter of choice.

I also disagree that 99% of people who own Ledger S / X use Ledger Live, I use Electrum. As far as privacy is concerned, even Electrum does not offer protection against someone finding out your coin addresses, IP address and the amount of coin you have in your wallet. Of course, this can be achieved by using Tor or VPN, but from the wallet creation itself onwards.

Binance holds coins in cold wallets, but also in hot wallets - just like any other crypto exchange. Do you think it would be possible to do business if all the funds were in a real cold wallet? I can't say what percentage of coins Binance holds in a hot wallet, but with Coinbase it is 2%.

So what if trezor software is open-source?
Open source is not holy grail, it just means that anyone can read and fork the code.
I am waiting for you to also show me hack for Safepal wallet.

Maybe you are not in 99% of people, but if you don't trust me you can contact Ledger support, and ask them for statistic to see how many people use LedgerLive. You will be amazed.
You can disagee as much as you want.

Disclaimer:
I don NOT have Safepal.

[o_e_l_e_o]

Open source is not holy grail

Sure, an open source wallet isn't automatically better than a closed source one, but at least with an open source one you are able to evaluate it and decide, rather than just trusting.

I am waiting for you to also show me hack for Safepal wallet.

Of course no one is going to be able to provide that yet. It's only just been released, and according to their website, there is currently a shipping delay until at least February 3rd. No one is going to be able to security test a device without having the device.

Trezor have been around for over 5 years. I'm absolutely certain that at some point in the next 5 years, someone will discover a vulnerability in SafePal, because as I said above, no device or set up is 100% safe.

[dkbit98]

Sure, an open source wallet isn't automatically better than a closed source one, but at least with an open source one you are able to evaluate it and decide, rather than just trusting.

I agree, but as far as I know Ledger is NOT open source software, and even for open-source you need to trust other people if you can't read the code.

Of course no one is going to be able to provide that yet. It's only just been released, and according to their website, there is currently a shipping delay until at least February 3rd. No one is going to be able to security test a device without having the device.

Trezor have been around for over 5 years. I'm absolutely certain that at some point in the next 5 years, someone will discover a vulnerability in SafePal, because as I said above, no device or set up is 100% safe.

Let me give you one info.
Every shipping from China/Hk is delayed due to Chinese New Year and outbreak of new virus.

I agree with you - no device is 100% safe.
Every wallet can be hacked if hacker have it in his hands.

[usingbitcoin]

I use this wallet and I have not had any problems. This hardware wallet might be my favorite out of all of my hardware wallets. I do not own a Ledger or Trezor though, as I prefer all of my hardware wallets to never be connected to a device while the device is connected to the internet.

[o_e_l_e_o]

I do not own a Ledger or Trezor though, as I prefer all of my hardware wallets to never be connected to a device while the device is connected to the internet.

There is no requirement for a Ledger or Trezor to be connected to an internet enabled device. You can use your hardware wallet to set up a wallet using a client such as Electrum on a permanently airgapped device, and then also use Electrum to create a "watch only" wallet on an internet enabled device. Create a transaction on the internet enabled device, transfer it the airgapped device, plug in your hardware wallet to sign it, and then transfer it back to your internet enabled device to broadcast it.

Having said all that, it kind of defeats the point. Half of the point of a hardware wallet is that you can use it on any internet enabled device, even one bursting with malware, and your private keys are not at risk and no transaction can be made without your approval. And if you are going through the effort of setting up an airgapped wallet anyway, then why not just encrypt the wallet? What does adding a hardware wallet in to that set up achieve?

[usingbitcoin]

I do not own a Ledger or Trezor though, as I prefer all of my hardware wallets to never be connected to a device while the device is connected to the internet.

There is no requirement for a Ledger or Trezor to be connected to an internet enabled device. You can use your hardware wallet to set up a wallet using a client such as Electrum on a permanently airgapped device, and then also use Electrum to create a "watch only" wallet on an internet enabled device. Create a transaction on the internet enabled device, transfer it the airgapped device, plug in your hardware wallet to sign it, and then transfer it back to your internet enabled device to broadcast it.

Yeah, I know. I just wanted to make it easier for the non-tech people around me. It is a pretty slick little device and I did update the firmware only once when I got it. I used an online device to download the firmware and then I copied the file to a airgapped device and then connected the wallet to the airgapped device to copy the file to the wallet. Then I installed the update via the wallet interface after disconnecting from the airgapped device. This might be a little overkill, but it was fun.

Shoot, I didn't even let the device create the wallet for me since I restored an existing wallet, all while offline. I do have one disclaimer though, I have only sent bitcoin to it and I have not used the wallet to send any bitcoin. I guess if all of my bitcoin disappears after I send some, then I'll know this wallet isn't any good. The only way that I could think that could happen though, is when I'm am scanning the QR code on the wallet with the Safepal app on my phone and it somehow transmits my seedphrase/private keys through the QR code to the app and sends it to hacker.

But shouldn't I be able to scan the QR code with a different device to see what it is transmitting and be able to see if it is transmitting my seedphrase?

[ranochigo]

Shoot, I didn't even let the device create the wallet for me since I restored an existing wallet, all while offline. I do have one disclaimer though, I have only sent bitcoin to it and I have not used the wallet to send any bitcoin. I guess if all of my bitcoin disappears after I send some, then I'll know this wallet isn't any good. The only way that I could think that could happen though, is when I'm am scanning the QR code on the wallet with the Safepal app on my phone and it somehow transmits my seedphrase/private keys through the QR code to the app and sends it to hacker.

But shouldn't I be able to scan the QR code with a different device to see what it is transmitting and be able to see if it is transmitting my seedphrase?

You could. You can decode QR codes easily to see what information is being communicated. However, being able to understand what the string of letter means is a whole other issue altogether. The seeds could be discretely obfuscated and you wouldn't be able to tell without close inspection.

Being extra careful with your wallet is sometimes not enough; addresses/seeds being generated could still be intentionally weakened for others to steal. Doubt it would happen very often but it has happened before.

[usingbitcoin]

You could. You can decode QR codes easily to see what information is being communicated. However, being able to understand what the string of letter means is a whole other issue altogether. The seeds could be discretely obfuscated and you wouldn't be able to tell without close inspection.

I'll try sending some bitcoin from this wallet and check the QR code it generates on the wallet before scanning it with the phone app. I may or may not be able to tell what's in there as they claim the QR code is encrypted. The app on the phone acts as a watch-only wallet where I can check on my balance, so I'll be able to tell pretty quickly if the wallet seedphrase is stolen and my bitcoin goes missing. I'll report back here with the sending results and any theft or non-theft results.

[usingbitcoin]

I sent some bitcoin out of my Safepal wallet last weekend and everything went fine. I did notice the QR codes it creates is encrypted, so only the Safepal app knows what I'm transmitting. Also, since I didn't use the wallet for 5 months, I had to recharge it before using it. I also upgraded the firmware from an offline device before sending some bitcoin out of it.

According to the Safepal app, the remaining bitcoin in the wallet is still there. So everything is still good. I'll come back here in the future and post anything suspicious from using the wallet.