The presumably unhackable Bitfi wallet backed by John McAfee has released a statement announcing that the unhackable tag will be removed from their marketing materials. The step comes after the device’s security was compromised by a Twitter user under the name @spudowiar.
The associated bounty program has also been suspended. However, the company has launched the program via the HackerOne platform. The team behind Bitfi wallet has claimed that the reason for this decision of removing unhackable tag is that it has proven to be an “unproductive” strategy.
For all you naysayers who claim that “nothing is unhackable” & who don’t believe that my Bitfi wallet is truly the world’s first unhackable device, a $100,000 bounty goes to anyone who can hack it. Money talks, bullshit walks. Details on https://t.co/ATFaxwUzQC
— John McAfee (@officialmcafee) July 24, 2018
The move comes in a response to the latest discovery from security researchers. According to the findings of researchers Saleem Rashid and Ryan Castellucci, a second attack is possible to obtain all the stored funds from an unchanged Bitfi wallet. Researchers discovered various security flaws in the Bitfi wallet system. To confirm the flaws, a security manager has been hired by Bitfi. The researchers use the name “THCMKACGASSCO” to represent their team.
Basically, the Bitfi wallet is an Android-compatible device that relies upon a user-generated secret code, as well as a “salt” value. This value is quite similar to a phone number and is required to scramble the secret phrase cryptographically. The entire process of using two unique values is to make sure that users’ funds remain protected.
Researchers state that these two unique values can be extracted through ‘cold boot attack’ to allow generation of private keys and steal the funds even if the Bitfi wallet is turned off. A video has been released by the researcher duo that shows Rashid to be setting a secret phrase and salt value and then executing a local exploit to obtain the keys.
on a completely unrelated note, here is a @Bitfi6 being cold boot attacked.
it turns out that rooting the device does not wipe RAM clean. who would have thought it!?
? i feel this music is very appropriate for @Bitfi6 ? pic.twitter.com/jpSnYBd9Vk
— Saleem “Unhackable” Rashid (@spudowiar) August 30, 2018
According to Rashid, the keys are stored in a memory that is far longer than the claims of Bitfi, which lets combined exploits to run code on the hardware. This can be performed without erasing the memory. Once this is done, an attacker can extract the memory and find the keys. The whole method of extracting keys takes less than two minutes.
Rashid claims that the attack method is “reliable and practical,” while security researcher from Pen Test Partners, Andrew Tierney, states that the attack is verified and doesn’t require any “specialist hardware.”
Rashid also added that the team has no plans to release the exploit code. However, in a recent tweet, he revealed that Bitfi team did not respond to him or security researchers involved in the feat citing the seriousness of the matter.
still @Bitfi6 have neither responded to myself nor any of the other researchers involved
meanwhile, they’re privately promising customers the issue will be fixed in a firmware update. alas, this is a promise they cannot keep.
— Saleem “Unhackable” Rashid (@spudowiar) August 31, 2018
This is not the first time when Saleem has hacked a crypto wallet. In March this year, Saleem also hacked the hardware cryptocurrency wallet offered by Ledger which was known to be one of the most secure hardware wallets offered by any company in the industry.