Security Researcher: The Safe-T Hardware Wallet Violates Trezor License
In a tweet linking to the web interface for Archos’ new Trezor-compatible hardware wallet, the Safe-T, independent security researcher Saleem Rashid has alleged that the upstart hardware manufacturer is in violation of a Lesser General Public License (LGPL) with the release of their hardware bridge. Bitsonline reached out to Rashid for clarification on the issue, and he laid out exactly what he thought was going on.
Story updated June 29 2018, full details below.
Cheap, But At What Cost?
The Archos Safe-T is a hardware wallet based on the open-source Trezor wallet, though the Safe-T sells for about half of what the Trezor One does. Indeed, the libraries that support Archos’ device have been forked from the Trezor repositories with only minor modifications. This reality is not itself an issue, as the libraries are free to use as long as the source is released and the LGPL terms are adhered to.
What researcher Saleem Rashid took issue with is Archos’ distribution of their resulting web interface and “bridge software” — a program that allows secure communication between the Safe-T and the device’s web-based interface. Apparently, both the web interface and the bridge application are just modified versions of their Trezor counterparts, and the source code isn’t available from Archos yet.
“They’re clearly distributing a modified copy of the new TREZOR Bridge. All the function names and HTML from TREZOR’s software are in there, but they’ve rebranded everything and changed the port number.”
If Archos’ software is, as seems likely, modified Trezor code, then they’re clearly violating the terms of Trezor’s LGPL by not releasing their work for review by the community.
The Road To Hell Is Paved With Bad Implementations
As the device hasn’t seen full release yet, it’d be easy to give the Archos Safe-T the benefit of the doubt. But, given that people are expected to store the keys to their wealth on the device, transparency and openness should be the first priority. Without the source code, users and developers can’t verify that the software they’re using with their hardware wallet is bug-free, or that Archos hasn’t built in vulnerabilities or other limitations.
Another issue Saleem brought to our attention is the hardware differences between the Safe-T and the Trezor wallets. The former uses more bleeding-edge hardware whose implementations are less proven in the industry:
“They’re using a fancy ‘PIN-protected EEPROM.’ This class of hardware is a black box, so you have a higher risk of backdoors, and I’ve seen incredibly competent engineers mess up with these, so I’m not too hopeful.”
Neither the firmware nor the device is available at present, so only time will tell if this new hardware wallet is truly secure at a fundamental level. Regardless of the outcome, it seems Archos has a few things to answer for with their handling of the Safe-T’s development and release.