dkbit98 (OP)
Legendary
Offline
Activity: 2408
Merit: 7548
February 17, 2021, 10:28:21 AM
Kraken Security Labs examined the latest hyped hardware wallet, Safepal S1, and found some serious vulnerabilities and weaknesses in this detailed report. The thing that had the most impact on me after reading their report is the fact that Safepal used GPL open source licenses and claimed them as their own, making Safepal closed source, and they committed licensing violations without giving credit to the original creators! The Kraken team asked Safepal for the source code but they refused to provide it, confirming GPL licensing violations and risking a potential lawsuit. There is also the possibility that they used the firmware check used in the Trezor wallet with the Trezor license, but this could not be proven at the time of the report. Safepal Tamper Detection is ineffective and the Kraken team managed to open the wallet easily and without any issue; Safepal later confirmed this in their reply, claiming it doesn't impact the wallet's security. An interesting thing when they opened the wallet is that they could not identify the Secure Element chip that Safepal claims is EAL5+, but it's obvious it's from an unknown manufacturer. The Downgrade Attack is a big flaw for Safepal, as the Kraken security team managed to change its firmware, which could be used in some potential attack. Safepal later confirmed this, made a patch and claimed it's non-exploitable. The Safepal team made a quick public reply to Kraken in this blog post claiming that funds are SAFU... and that the Kraken team failed to extract the seed from the device, but their lame reply to the license violations is that they will open source Safepal in 2021; let's wait and see. You can read the detailed Kraken report here and Safepal's reply in this post.
My conclusion is that the Safepal wallet can not be trusted, as they stole someone else's work and claim it as their own, and we call that plagiarism (unless they credit the original source). The fact that Kraken didn't manage to extract keys doesn't mean that it will not happen soon, and who knows what kind of crap is running inside their toy; their Secure Element is unknown and can not be trusted with holding anything. I would stay away from Safepal and advise anyone not to waste their money and risk their privacy ordering it.
Max_Headroom
Jr. Member
Offline
Activity: 36
Merit: 10
February 19, 2021, 05:52:11 PM
The CEO of Safepal said she (female) is strongly secure about her beliefs: SafePal - #BUIDLers Season 1: Project 3 of 8 https://youtu.be/8olCNqR_2wY
FIFA worldcup
February 20, 2021, 10:45:19 AM
The fact that Kraken didn't manage to extract keys doesn't mean that it will not happen soon and who knows what kind of crap is running inside their toy and their Secure Element is unknown and can not be trusted with holding anything. I would stay away from Safepal and advice anyone not to waste their money and risk your privacy ordering it.
If Kraken were able to extract the keys in the future, what would it mean for those who are using the Safepal wallets? Will the funds stored in the Safepal wallet be subject to risk if this happens?
dkbit98 (OP)
Legendary
Offline
Activity: 2408
Merit: 7548
February 20, 2021, 11:04:35 AM Merited by vapourminer (1)
SafePal S1 claim their product is EAL5+ level
I know they claim this, BUT the problem is that Safepal is the only hardware wallet (except the unknown Wookong brand) for which I couldn't identify what secure element they are using, and I even wrote them an email and contacted them on social media. I received some generic reply without a clear explanation, and imagine when Kraken experts also could not identify their secure element... See the current list of hardware wallets with identified secure element chips and notice how only the Chinese Safepal and Wookong have unknown chips:
- CoboVault: EAL5+ (FIPS 140-2) secure element with open source firmware
- ColdCard Mk3: Microchip ATECC608A covered by epoxy, open source
- Bitbox02: Microchip ATECC608A, open source
- Passport: Microchip ATECC608A, open source
- Ledger: EAL5+/EAL6+ ST31H320, ST33J2M0, closed source!
- D'CENT: EAL5+ NXP P60
- Safepal S1: EAL5+ ? unknown chip, closed source
- CoolWalletS: EAL5+ SE microchip NXP P5CD081, closed source
- Jubiterwallet: EAL6+ SE Infineon, closed source
- Kasse HK-1000: EAL5+ ST31H320 A03, closed source
- Keevo: EAL5+ Infineon Optiga Trust-P, closed source
- Secux: EAL5+ Infineon CC, closed source
- Ngrave: EAL7+ STM32MP157C with built-in secure element, ?
- Tangem: EAL6+ Samsung SecureCore microchip, open source sdk
- ImKey: EAL 6+ Military-grade CC security chip, closed source
- Wookong: EAL 4+ ? unknown chip, closed source
- Hashwallet: EAL 6+ Infineon SLE78 secure element
the CEO of safepal said she (female) is strongly secure about her beliefs
Interesting, I didn't know about this.
If Kraken were able to extract the keys in future, what would it mean for those who are using the safepal wallets? Will the funds stored in safepal wallet will be subject to risk if this happens?
The same thing would happen as with Trezor, Keepkey, older Ledger and all other hardware wallets that have some security flaws: extracting keys means they can control and send your crypto. Not your keys - not your crypto.
dogtana
Member
Offline
Activity: 845
Merit: 56
March 04, 2021, 08:56:44 AM
I am sure they can apply security updates!
Max_Headroom
Jr. Member
Offline
Activity: 36
Merit: 10
March 05, 2021, 10:33:53 AM
I am sure they can apply security updates!
If I get proper business contacts I intend to visit their headquarters physically (in the real world, not digital); my route plan is: Macau (a.k.a. Asia's Las Vegas), then Hong Kong, then Shenzhen (PS: thanks to Google Geo for the tips).
dkbit98 (OP)
Legendary
Offline
Activity: 2408
Merit: 7548
March 07, 2021, 05:25:34 PM
I am sure they can apply security updates!
What security updates? They stole GPL licensed open source code and made it closed source and copyrighted, so you can't exactly fix that classical plagiarism, and I think they are now more busy making their new Safepal S2 wallet with a bigger battery and stronger features... whatever that means. No word about fixing issues or making it open source.
Embedded with the advanced SafePal security technology, SafePal S2 pushes the user experience to a new level. Compared to SafePal S1, SafePal S2 is built with a bigger battery and stronger features. Details will be disclosed soon.
For now, SafePal S2 is under mass production and firmware development. We hope to bring it to the community in early May. Stay tuned!
https://blog.safepal.io/safepal-weekly-update-week-1-march-2021/
dkbit98 (OP)
Legendary
Offline
Activity: 2408
Merit: 7548
March 23, 2021, 09:28:08 AM
I noticed some fishy things about the Safepal hardware wallet and the nearly 100% positive feedback on their website. They are using the Rivyo app for their feedback, but what is interesting is that the last feedback you can see is dated November 30, 2020, and they have 97% five stars! There are a total of 229 reviews: 221 are 5 stars, 4 are 4 stars, 1 is 3 stars and it looks like 3 are deleted. Even funnier are the actual reviews, like Excellent, As expected, All good, Perfect wallet... https://shop.safepal.io/products/safepal-hardware-wallet-s1-bitcoin-wallet archive: https://archive.ph/UEmDE
Is this really possible? I doubt it, and I think they are deleting any bad review they receive; my review for Safepal never got published. But let's look at Safepal's rating and reviews on other websites they don't control 100%, like Amazon and the Google store, which may also have fake reviews but are not 100% positive for sure. This is the Safepal page on the Google store that has positive and negative feedback, which is totally normal, and again, that doesn't mean all of these reviews are real. There are more 1 star reviews than 4 star reviews, and many recent reviews are negative and with actual issues you don't see on the Safepal website. Let's move on to the Safepal Amazon page, and you can see there are 77% 5 stars, 10% 4 stars and 12% 1 star ratings. It's obvious that the Safepal website reviews are rigged and fake, and you can test that yourself if you try to write them honest feedback if you ever purchased and used a Safepal wallet. If there is anything you don't like about Safepal there is no chance it will actually end up on their website.
dkbit98 (OP)
Legendary
Offline
Activity: 2408
Merit: 7548
May 10, 2022, 09:25:14 AM
I always said that the Safepal hardware wallet is one of the worst cheap hardware wallets you can buy, but now they are proving, together with the Binance exchange, how all those fake decentralized exchanges are just a scam and fake advertisement. Starting from May 12, the Binance ''DApp'' will introduce mandatory KYC intermediate verification for everyone who wants to continue using this trading feature. They claim other ''decentralized'' services like send/receive, Swap, Bridge, Earn, DAppstore are not impacted (for now), but by passing KYC you will permanently connect your hardware wallet with your identity. That means Binance will report all your IPs, addresses, transactions and all your activity to regulators, just so they can kiss their asses. It should also be mentioned that nothing connected with Binance is decentralized, including their shitcoin chain and the fake bitcoin token they created.
SafePal is announcing these measures to help support Binance's efforts in Know Your Customer (KYC) and Anti-Money Laundering (AML) https://blog.safepal.io/important-changes-about-binance-dapp-identity-verification/
The term DApp used by Safepal here is fake and means nothing in reality.
dkbit98 (OP)
Legendary
Offline
Activity: 2408
Merit: 7548
June 08, 2022, 08:38:31 PM
Anyone who owns a Safepal hardware wallet should be aware of recent scams related to this hardware wallet. Scammers created a fake Safepal Google Chrome extension that was later reported and removed from the Google store, but scammers will surely try to upload something similar again. The confusion started after Safepal released their real extension, which was not publicly launched but only as a beta test version that works with invitations. https://twitter.com/safepal_support/status/1534430433437679621
The Sceptical Chymist
Legendary
Offline
Activity: 3514
Merit: 6985
June 08, 2022, 10:55:52 PM
I read dkbit98's post above, and I'm a little confused about the term "decentralized" and I'm wondering if we're all defining it the same way. Take this statement for example:
It should also be mentioned that nothing connected with Binance is decentralized, including their shitcoin chain and fake bitcoin token they created.
I assume that's BNB you're referring to? Now I don't claim to be an expert on BNB, but the coin/token has its own blockchain and works on some protocol that I won't pretend to understand--but there are validators for nodes sort of like Tezos, Polkadot, and others, right? If that's the case, then it isn't Binance that's fully in charge of keeping BNB alive, no? I would think that if there are independent validators operating around the world, then that would pretty much qualify BNB as decentralized, regardless of its origins and/or affiliations. If Binance had the power to shut BNB down completely and invalidate all of the coins, then I'd say it's a centralized token. As for the other dapps and crap they're offering, all of that sounds centralized to me--but that isn't necessarily a bad thing on its own. Newegg is centralized, and I think it's a damn good electronics store. It's the KYC part of this Binance thing that's the killer, but those two things aren't one and the same. Anyhow, would you expect Binance to do anything differently now that regulators have crypto under a scanning electron microscope? We all have free will, and those of us who care about privacy won't go anywhere near those Binance services that require you to give up your dox.
NeuroticFish
Legendary
Offline
Activity: 3850
Merit: 6583
June 09, 2022, 09:27:43 AM
If Binance had the power to shut BNB down completely and invalidate all of the coins, then I'd say it's a centralized token.
BNB is a PoS coin and I think that whatever the papers nicely tell, Binance does have that power. Some explanations are here: https://coinmarketcap.com/alexandria/article/what-is-binance-smart-chain#header-3
Basically, from my understanding, Binance can easily have more than 50% of the coins (since almost everybody keeps BNB coins in Binance's custody), they are also PoA validators and they are probably the ones approving new PoA validators too.
The Sceptical Chymist
Legendary
Offline
Activity: 3514
Merit: 6985
June 09, 2022, 09:55:59 AM
Basically, from my understanding, Binance can easily have more than 50% of the coins (since almost everybody keeps BNB coins in Binance's custody), they are also PoA validators and they probably the ones approving new PoA validators too.
I didn't want to derail this thread about the Safepal wallet with a diatribe about decentralization, but since you responded... even if Binance's customers keep their BNB there, that doesn't (or shouldn't) give Binance control over those coins with respect to whatever voting can be done with them. Right? That whole thing reminds me of NEO, which used to be a seemingly simple coin that morphed into something with a council that you have to vote for and a new version of NEO that's not traded on many (if any) exchanges. On topic: I don't own a Safepal wallet, but I do appreciate dkbit98's warning about the fake extension. It's so easy for unsuspecting folks to just download something that's available in a browser (especially Chrome), not realizing that it's a trojan horse that could potentially rob you blind. Scary stuff.
dkbit98 (OP)
Legendary
Offline
Activity: 2408
Merit: 7548
June 09, 2022, 07:33:46 PM
I read dkbit98's post above, and I'm a little confused about the term "decentralized" and I'm wondering if we're all defining it the same way.
Dude, you are getting off-topic here, but the BNB shitcoin is literally CZ and a few of his friends running ''nodes'', so I don't see why you would be confused about my statement. They can control everything and reverse transactions, so it's not really a secret that most shitcoins are not really decentralized, not just CZ's child BNB. Please let's get back on topic now - the Safepal hardware wallet.
On topic: I don't own a Safepal wallet, but I do appreciate dkbit98's warning about the fake extension. It's so easy for unsuspecting folks to just download something that's available in a browser (especially Chrome), not realizing that it's a trojan horse that could potentially rob you blind. Scary stuff.
I think that Safepal made a mistake releasing their test browser extension. All other hardware wallets are trying to avoid having extensions and they are going backwards, so scammers only used this situation.
dkbit98 (OP)
Legendary
Offline
Activity: 2408
Merit: 7548
Disease is officially spreading. After Ledger made a very unpopular move with their new crap Recover feature, now we have another closed source wallet, Safepal, planning to do something similar, but they are even worse. In the upcoming update they want to connect and back up the seed phrase with iCloud and Google Drive for wallet recovery:
In our coming update, we will support the iCloud/GoogleDrive key backup mechanism. If users lose their seed phrase, they can recover the wallet via their cloud-end back-ups.
Source: https://medium.com/lysithea-ventures/an-insightful-exchange-recap-of-safepal-ama-with-ceo-veronica-3479ee32b796
I will repeat again, Safepal is closed source junk and they are doing exactly the same thing as Ledger. This is really strange and it makes me think that the same group of people is controlling these manufacturers or commanding them what to do. I mean... they can't be so stupid to release this ''news'' with very similar timing to the Ledger circus show. Keeping the seed phrase in the cloud... what could possibly go wrong? Stay away from Safepal, and stop using it.
Pmalek
Legendary
Offline
Activity: 2940
Merit: 7538
May 20, 2023, 04:59:06 PM
Wow, just wow. Based on your thread about secure elements in hardware wallets, Safepal also has one but you couldn't find the exact model. Have you managed to find any more information on it in the meantime? Maybe they are also using one of the ST3x models.
This is exactly what I was saying in the Ledger Recover thread. Some (maybe all) secure element chips have been proven to be vulnerable to remote seed sharing. Now it's just a question of who will do it next and in what way and shape. This can't possibly be only their own doing. I guess they have started cooperating with the higher powers to be in a better position when stricter regulations are rolled out.
NeuroticFish
Legendary
Offline
Activity: 3850
Merit: 6583
May 20, 2023, 08:43:17 PM
This is really strange and it makes me think that same group of people is controlling or commanding this manufacturers what to do.
It may be just the hunger for money. They may have seen Ledger's crap news and thought "what a wonderful idea, let's do that ourselves and get rich by selling the idiots a monthly subscription for making the seed less secure". Thanks for the heads up, @dkbit98
The Sceptical Chymist
Legendary
Offline
Activity: 3514
Merit: 6985
May 20, 2023, 09:37:00 PM
Keeping seed phrase in cloud... what could possibly go wrong?
Yeah, that's just plain stupid squared--but I guess Ledger and Safepal and anyone else in the future who rolls out features like this are playing to the uneducated masses who think owning crypto is like keeping money in a bank. It just boggles my mind that Ledger (and now Safepal, I guess) are doing this, as ostensibly their core customer base consists of people who do know what they're doing in the dangerous world of crypto and never wanted a device from which private keys could be exported. And yeah, I get that Ledger was always known to be closed-source and thus should have been looked upon as not-completely-secure. You've been saying that all along, and I wish I'd taken heed of that the first time I heard it. I'm pretty much soured on all HW wallets now.
Volgastallion
Sr. Member
Offline
Activity: 630
Merit: 314
May 20, 2023, 10:55:04 PM
I don't know why some people lose sight of one basic thing in engineering, no matter if it's mechanical engineering, civil engineering, electronic systems etc., and this basic principle is:
"The simpler it is, the less chance it has to fail."
Let's prove this with an easy example.
If you make a car window lifter with two pieces, you have TWO pieces that can fail; if you make a window lifter with 5 pieces, one servomotor, electronic activation, sensors and an app to control them from outside, you now have XXXXX things/pieces that can fail.
Yes, I know you added some new and cool features, but talking about security, you added a ton of attack vectors and possibilities of failure.
Well, coming all the way back to our BTC and wallet things, the basic principle is still the same: if you start adding things you are making the wallet more vulnerable in one way or another.
In this case with the PHRASE IN THE CLOUD: yes, cool, you travel all the way to the antipode of the planet and you don't have your phrase, and now thanks to this technology you can access.... oh my god. For that new feature you are now 100000000% more vulnerable to cyberattacks, not only you but also the cloud company who holds the phrase. And no matter how well that was made, encryption or not, you added a new attack vector.
So KEEP IT SIMPLE AND SECURE.