27 September 2023

Hacked off: Company concedes security wallet a waste of money


Ionut Ilascu* follows the story of the ‘unhackable’ hardware wallet — and the many people who hacked it.


Following weeks of dispute on Twitter, Bitfi has finally admitted what people in the security industry thought from the first moment.

Its “unhackable” hardware wallet is probably not.

Backed by John McAfee, the Bitfi Wallet is a hardware device for safekeeping cryptocurrency, marketed until recently as “the world’s first and only unhackable storage for digital assets”.

In support of the incredible claim, the company offered a $250,000 bounty to anyone who could empty the wallet using “all attack vectors”.

In a long list of tweets at the beginning of August, Andrew Tierney of Pen Test Partners pointed out the many flaws in the device, starting with the hardware components, and moving on to the operating system.

Other hackers joined in and began to toy with the wallet, posting their achievements online.

These included a John McAfee video playing on the device and a 15-year-old playing DOOM on it, basically bending it to their will.

Still, Bitfi stuck to its story and refused to accept reality, even when it was awarded a Pwnie (the Razzie of the infosec community) for mishandling a security vulnerability “most spectacularly”.

The final nail in the coffin of the “unhackable” claim was a new attack security researchers demonstrated on an unmodified Bitfi cryptocurrency hardware wallet.

In a video released on Twitter, Saleem Rashid, the 15-year-old who had used the Bitfi to play DOOM, showed how readily the ‘unhackable’ wallet gave up the user-generated phrase and its ‘salt’ value.

These are the two elements required to generate the private key that protects the money.
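To make the impact of that leak concrete, here is an added illustration (not code from the article or from Bitfi) of why a wallet that stores nothing and derives the key from a phrase and a salt turns disclosure of those two inputs into disclosure of the private key itself. The key-derivation function, its parameters and the sample phrase and salt are all assumptions, since the article does not describe Bitfi's actual scheme.

```python
import hashlib
import hmac

# Assumed parameters: the article does not say which key-derivation
# function Bitfi uses, so scrypt with these constants is a stand-in.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_LEN = 32  # bytes of raw private-key material


def derive_private_key(phrase: str, salt: str) -> bytes:
    """Derive key material from the user phrase and salt.

    The derivation is deterministic and nothing is stored on the device,
    so the (phrase, salt) pair *is* the private key in another form.
    """
    return hashlib.scrypt(
        phrase.encode("utf-8"),
        salt=salt.encode("utf-8"),
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN,
    )


def reconstructs_owner_key(owner_key: bytes, leaked_phrase: str, leaked_salt: str) -> bool:
    """Impact check for a disclosure: does a leaked (phrase, salt) pair
    reproduce the owner's key? True means the leak is equivalent to
    handing over the private key; a constant-time compare avoids turning
    this check itself into a timing oracle.
    """
    candidate = derive_private_key(leaked_phrase, leaked_salt)
    return hmac.compare_digest(candidate, owner_key)


if __name__ == "__main__":
    # Constructed sample values, not real wallet secrets.
    phrase, salt = "correct horse battery staple", "example-salt-1234"
    owner_key = derive_private_key(phrase, salt)

    # Both inputs recovered from the device: the key is fully reconstructed.
    print(reconstructs_owner_key(owner_key, phrase, salt))          # True
    # Salt still secret: the phrase alone does not yield the key.
    print(reconstructs_owner_key(owner_key, phrase, "other-salt"))  # False
```

The salt only helps while it stays secret; once the device gives up both values, as in the demonstration above, there is nothing left to protect the funds.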

A short time after the new hack was posted, Bitfi published a statement saying it had “hired an experienced security manager, who is confirming vulnerabilities that have been identified by researchers”.

The bounty offer is now withdrawn, as is the ‘unhackable’ branding of the Bitfi wallet.

The company now plans on launching a conventional bounty program using the HackerOne platform.

*Ionut Ilascu is a freelance technology writer whose focus is all things cybersecurity.

This article first appeared at www.bleepingcomputer.com.
