The Safe-T Hardware Wallet Violates Trezor License

Security Researcher: The Safe-T Hardware Wallet Violates Trezor License

In a tweet linking to the web interface for Archos’ new Trezor-compatible hardware wallet, the Safe-T, independent security researcher Saleem Rashid has alleged that the upstart hardware manufacturer is in violation of a Lesser General Public License (LGPL) with the release of their hardware bridge. Bitsonline reached out to Rashid for clarification on the issue, and he laid out exactly what he thought was going on.

Cheap, But At What Cost?

The Archos Safe-T is a hardware wallet based on the open-source Trezor wallet, though the Safe-T sells for about half of what the Trezor One does. Indeed, the libraries that support Archos’ device have been forked from the Trezor repositories with only minor modifications. This reality is not itself an issue, as the libraries are free to use as long as the source is released and the LGPL terms are adhered to.

The Trezor One hardware wallet.

What researcher Saleem Rashid took issue with is Archos’ distribution of their resulting web interface and “bridge software” — a program that allows secure communication between the Safe-T and the device’s web-based interface. Apparently, both the web interface and the bridge application are just modified versions of their Trezor counterparts, and the source code isn’t available from Archos yet.

Rashid noted:

“They’re clearly distributing a modified copy of the new TREZOR Bridge. All the function names and HTML from TREZOR’s software are in there, but they’ve rebranded everything and changed the port number”

If Archos’ software is, as seems likely, modified Trezor code, then they’re clearly violating the terms of Trezor’s LGPL by not releasing their work for review by the community.

The Road To Hell Is Paved With Bad Implementations

As the device hasn’t seen full release yet, it’d be easy to give the Archos Safe-T the benefit of the doubt. But, given that people are expected to store the keys to their wealth on the device, transparency and openness should be the first priority. Without the source code, users and developers can’t verify that the software they’re using with their hardware wallet is bug-free, or that Archos hasn’t built in vulnerabilities or other limitations.

Another issue Saleem brought to our attention is the hardware differences between the Safe-T and the Trezor wallets. The former uses more bleeding-edge hardware with less industry-proven implementations:

“They’re using a fancy ‘PIN-protected EEPROM.’ This class of hardware is a black box, so you have a higher risk of backdoors, and I’ve seen incredibly competent engineers mess up with these, so I’m not too hopeful.”

Neither the firmware nor the device is available at present, so only time will tell if this new hardware wallet is truly secure at a fundamental level. Regardless of the outcome, it seems Archos has a few things to answer for with their handling of the Safe-T’s development and release.

What’s your take? Do you think Archos should open up their source code immediately? Sound off in the comments below. 


Images via AVLab, Alzashop


