The BitFi crypto wallet was supposed to be unhackable, and none other than famous weirdo John McAfee claimed that the device, essentially an Android-based mini tablet, would withstand any attack.
Spoiler alert: it couldn't.

First, a bit of background.
The $120 device launched at the beginning of this month to much fanfare.
It consisted of a device that McAfee claimed contained no software or storage and was instead a standalone wallet similar to the Trezor.
The website featured a bold claim by McAfee himself, one that would give a normal security researcher pause:

Further, the company offered a bug bounty that seems to be slowly being eroded by outside forces.
They asked hackers to pull coins off of a specially prepared $10 wallet, a move that is uncommon in the world of bug bounties.
They wrote:

We deposit coins into a Bitfi wallet.
If you wish to participate in the bounty program, you will purchase a Bitfi wallet that is preloaded with coins for just an additional $10 (the reason for the charge is because we need to ensure serious inquiries only).
If you successfully extract the coins and empty the wallet, this would be considered a successful hack.
You can then keep the coins and Bitfi will make a payment to you of $250,000.
Please note that we grant anyone who participates in this bounty permission to use all possible attack vectors, including our servers, nodes, and our infrastructure.

Hackers began attacking the device immediately, eventually hacking it to find the passphrase used to move crypto in and out of the wallet.
In a detailed set of tweets, security researchers Andrew Tierney and Alan Woodward began finding holes by attacking the operating system.
However, this did not match the bounty to the letter, claimed BitFi, even though they did not actually ship any bounty-ready devices.

Something that I feel should be getting more attention is the fact that there is zero evidence that a #bitfi bounty device was ever
They literally created an impossible task by refusing to send the device required to satisfy the terms of the engagement.
— Gallagher (@DanielGallagher) August 8, 2018

Then, to add insult to injury, the company earned a Pwnies award at security conference Defcon.
The award was given for worst vendor response.
As hackers began dismantling the device, BitFi went on the defensive, consistently claiming that their device was secure.
And the hackers had a field day.
One hacker, 15-year-old Saleem Rashid, was able to play Doom on the device.

Well, that's a transaction made with a MitMed Bitfi, with the phrase and seed being sent to a remote machine.
That sounds a lot like Bounty 2 to me.
pic.twitter.com/qBOVQ1z6P2
— Ask Cybergibbons! (@cybergibbons) August 13, 2018

The hacks kept coming.
McAfee, for his part, kept refusing to accept the hacks as genuine.

The press claiming the BitFi wallet has been hacked.
The wallet is hacked when someone gets the coins.
Gaining root access in an attempt to get the coins is not a hack.
All these alleged "hacks" did not get the coins.
— John McAfee (@officialmcafee) August 3, 2018

Unfortunately, the latest hack may have just fulfilled all of BitFi's requirements.
Rashid and Tierney have been able to pull cash out of the wallet by hacking the passphrase, a primary requirement for the bounty.
"We have sent the seed and phrase from the device to another server, it just gets sent using netcat, nothing fancy," Tierney said.
"We believe all conditions have been met."

The end state of this crypto mess? BitFi did what most hacked crypto companies do: double down on
In a recently deleted Tweet they made it clear that they were not to be messed with:

I haven't really been following this Bitfi nonsense, but I do so love when companies threaten security researchers.
pic.twitter.com/McyBGqM3bt
— Matthew Green (@matthew_d_green) August 6, 2018

The researchers, however, may still have the last laugh.

Claiming your front door has an unpickable lock does not make your house secure.
No more does offering a reward only for defeating that front door lock, and repeatedly saying no one has claimed the reward, prove your house is secure, especially when you've left the windows open.
— Alan Woodward (@ProfWoodward) August 14, 2018