Bitfi’s executive chairman, cybersecurity veteran John McAfee, has previously called it “the world’s first unhackable device.” To prove his claim, and generate hype around the security system McAfee challenged security experts to breach the device for a $100,000 bounty starting July 24.
After cracking the Bitfi wallet to play a game DOOM on it, the researchers were able to successfully send signed transactions with the device. Despite the unhackable security mechanisms, Bitfi has in place to prevent attackers from manipulating the network, the attackers were successful in the attempt to breech.
Bitfi is a physical hardware wallet device, which supports “an unlimited amount of cryptocurrencies.” It is centered around a user-generated secret code instead of a conventional 24-Alpha mnemonic seed that has to be punched in to gain access.
It is celebrated to be “completely open-source,” this means that the user stays in control of their funds even if the manufacturer of the wallet no longer exists. This is becoming a beguiling marketing tactic to attract clients and users.
Several attempts to hack the wallet have been made since the John McAfee’s claims. The hackers or the researchers have not been successfully able to breach the network until this time.
Bitfi’s website elaborates on the bounty program. A number of requirements have been listed.
- Those who wish to participate have to purchase a Bitfi wallet that is preloaded with coins for an additional $10. Also, the wallet itselfs costs $120.
- The ultimate goal for the participant is to successfully extract the coins and empty the wallet. The company grants anyone who participates in this bounty permission to use all possible attack vectors, including their servers, nodes and infrastructure.
The researchers who planted the breach believe they have fulfilled the conditions of Bitfi’s $10,000 bug bounty. According to the bounty program, researchers should have been able to prove that they can modify the device, connect to the Bitfi server, and send sensitive data with the device.
The researchers claimed they could successfully send signed transactions with the wallet, claiming they met the conditions of the bounty program by modifying the device, connecting to the wallet’s server, and transmitting sensitive data with it in the same order as required by the bounty. Security researcher Andrew Tierney said:
We have sent the seed and phrase from the device to another server, it just gets sent using netcat, nothing fancy. We believe all [conditions] have been met.
The researchers reportedly obtained complete access to the device two weeks ago. Bitfi has been closely tracking it since. The researchers claim that the device is still connected to the Bitfi server. Making the break in legitimately possible by other hackers and attackers. Tierney said:
We intercepted the communications between the wallet [and Bitfi]. This has allowed us to display silly messages on the screen. The interception really isn’t the big part of it, it’s just to demonstrate that it is connected to the dashboard and still works despite significant modification.
According to the Tweet found on the recent most (only successful) break in:
Well, that’s a transaction made with a MitMed Bitfi, with the phrase and seed being sent to a remote machine.
That sounds a lot like Bounty 2 to me. pic.twitter.com/qBOVQ1z6P2
— Ask Cybergibbons! (@cybergibbons) August 13, 2018
According to the researchers modifying the device has been easy. The hackers gained complete root access to it two weeks ago. A tweet surfaced this earlier this month to verify:
Short update without going into too much detail about BitFi:
We have root access, a patched firmware and can confirm the BitFi wallet still connect happily to the dashboard.
There are NO checks in place to prevent that like claimed by BitFi.
— OverSoft (@OverSoftNL) August 1, 2018
While the firm has rejected all claims about break ins so far, seems like this one is really up for the promised bounty.