Cryptocurrency manufacturers, Bitfi, has recently released a wallet that they’ve deemed ‘unhackable’. It is a very bold claim to make, but one that has been backed by eccentric technology personality, John McAfee.
McAfee has claimed that no other security methods are as superior as Bitfi, and that the company ensure that the private key used for accessing the wallet can never be accessed by illicit means.
Bitfi wallets are Wi-Fi connected hardware devices that store crypto-coins. The device requires a passphrase to access the coins, which generates (for a few milliseconds) a private key which is used to unlock the data. It is then discarded. The device has no read/write capabilities.
Bitfi put up a bounty for $100,000 to hackers who could break its ‘unhackable’ system. Within days Bitfi upped the hacker bounty to $250,000.
With such a bold claim, a number of security and tech companies have put the wallet to the test and tried to hack it.
The OverSoft team claimed they had hacked the device:
Update on the BitFi device so far Most of the firmware looks just like a normal MTK phone, including: – A Baidu GPS/WIFI tracker – The well-known Adups FOTA malware suite – The entire Mediatek library of example apps – A tracker, capable of logging all activity on the device 1/2 — OverSoft (@OverSoftNL) July 30, 2018
Later that day, they added:
Short update without going into too much detail about BitFi: We have root access, a patched firmware and can confirm the BitFi wallet still connect happily to the dashboard. There are NO checks in place to prevent that like claimed by BitFi. — OverSoft (@OverSoftNL) August 1, 2018
However, their claim on the bounty was denied because they failed to hack the device in exactly the way stipulated in the conditions of the bounty.
Bitfi gave very specific requirements over what would be a legitimate hack though. The only way that the bounty can be claimed is by retrieving the security key from the Bitfi device, which doesn’t hold the key. Clever. Conveniently the bounty ignores more obvious types of attack such as modifying the device so that it could record and send the key to a malicious third party.
The bounty also doesn’t take into account the devices being stolen and tampered with, before it reaches the user. The back of the device can be simply taken off by hand, and the hardware bugged and reprogrammed.
The bounty seems to have been setup so that it is impossible to claim, and ignores basic security measures that should be in place. Definitely a lot of lessons to be learnt across the board here.