Firmware security

What is a Security Suffix?

The security suffix is a security feature added in App version 1.2.0 and firmware version 1.0.12. It is a combination of 3 characters (letters and numbers) used to counter the attack scenario in which someone other than the owner resets the hardware wallet without the owner noticing. Once the SafePal device is paired with the SafePal App, the security suffix is updated and shown in the App.

The security suffix is generated from device information and the mnemonic phrase stored inside the hardware wallet. The suffix is unique to every SafePal device and serves as a way to identify an acquaintance attack (a reset performed by someone with physical access to the device). Once the wallet is reset and a new mnemonic phrase is generated by the embedded TRNG (True Random Number Generator), the security suffix changes, so the wallet owner will notice that the wallet information has been altered.

Please remember your unique security suffix. If you notice that the suffix has changed, reset the device and recover your wallet with the correct mnemonic phrase to keep your assets secure.
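The pairing check described above, modelled as an added example (this is not SafePal's code; the page does not specify the derivation, so the HMAC-based suffix construction, the device identifier and the App-side bookkeeping are all assumptions made for illustration):

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.digits + string.ascii_uppercase  # 36 symbols: letters and numbers

def security_suffix(device_id: bytes, seed: bytes) -> str:
    """Assumed construction, not SafePal's actual algorithm: HMAC-SHA256 keyed
    with the wallet seed over the device identifier, truncated to base-36."""
    digest = hmac.new(seed, device_id, hashlib.sha256).digest()
    value = int.from_bytes(digest[:4], "big")
    chars = []
    for _ in range(3):
        value, idx = divmod(value, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)

def suffix_space() -> int:
    # 36**3 = 46656 distinct suffixes: a reset has about a 1-in-46656 chance of
    # reproducing the old suffix by coincidence, so this is a notice for the
    # owner, not a cryptographic guarantee.
    return len(ALPHABET) ** 3

class PairedApp:
    """Models the App side: remembers the suffix recorded at first pairing."""

    def __init__(self) -> None:
        self.known = {}  # device_id -> suffix seen when the device was paired

    def pair(self, device_id: bytes, reported_suffix: str) -> str:
        previous = self.known.get(device_id)
        self.known[device_id] = reported_suffix
        if previous is None:
            return "first pairing: suffix " + reported_suffix + " recorded"
        if previous != reported_suffix:
            return "WARNING: suffix changed " + previous + " -> " + reported_suffix
        return "ok: suffix unchanged"

def simulate(device_id: bytes = b"constructed-device-0001") -> tuple:
    """Pair twice with one seed, then once after a simulated reset that draws
    a fresh seed (standing in for the device TRNG)."""
    app, seed = PairedApp(), secrets.token_bytes(32)
    first = app.pair(device_id, security_suffix(device_id, seed))
    again = app.pair(device_id, security_suffix(device_id, seed))
    after_reset = app.pair(device_id, security_suffix(device_id, secrets.token_bytes(32)))
    return first, again, after_reset
```

Calling `simulate()` returns the three App-side results in order; the third almost always carries the WARNING, since a fresh seed changes the suffix.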

Secure upgrade procedure

Firmware upgrade is an important feature to ensure every SafePal user can access the latest product features or newly added currencies.

SafePal S1 embeds a firmware verification program that examines the genuineness of every uploaded firmware image, and the device only runs official firmware released through the SafePal official website. If malicious firmware is loaded onto the device, the device will show a warning.

Please always download SafePal firmware from the official website.

Pre-upgrade authentication and Privacy protection features

Before a firmware upgrade, and the first time asset information is viewed after each boot, SafePal S1 will require PIN code verification.

Downgrade limitation

SafePal only supports firmware upgrades, not downgrades, in order to protect against potential attacks that rely on lower firmware versions.

Tamper-proof mechanism

At every start-up of SafePal S1, the multi-verification mechanism embedded in the device authenticates the complete program. Should any unauthorized change be detected during this process, even one as small as a single byte, the device will fail to start up normally, preventing potential attacks in supply-chain or logistics scenarios.