Bounty for hacking the ‘unhackable’ Bitfi wallet jumps from $100K to $250K

admin

I DARE YOU! That’s what the term “unhackable” screams at some, raising hackles and having them accept that challenge because there is no such thing as unhackable to a determined attacker.
John McAfee disagrees with that and first offered a $100,000 bounty for hacking the Bitfi wallet. After security researchers claimed that the hardware cryptocurrency wallet was not unhackable, McAfee upped the bounty to $250,000. He tweeted:

We are increasing the bounty for hacking the https://t.co/VJ7qrOxQqL wallet to $250,000.

The rules require you to empty the contents of a BitFi wallet that we have pre-loaded and have sent to you.

You must pay for the wallet and its contents. Rules at https://t.co/ATFaxwUzQC — John McAfee (@officialmcafee) July 24, 2018

Bitfi also strongly disagrees with the “nothing is unhackable” claim, saying that its “bounty program is not intended to help Bitfi to identify security vulnerabilities, since we already claim that our security is absolute and that the wallet cannot be hacked or penetrated by outside attacks.”


The rules for claiming the bounty are that you pay an additional $10 for the $120 Bitfi wallet to come preloaded with coins. “If you successfully extract the coins and empty the wallet, this would be considered a successful hack.” Then you get to keep the coins and can cash in on the $250,000 bounty.

Enter the testers — and the drama
Pen Test Partners broke down the wallet and started picking it apart. Andrew Tierney, aka @cybergibbons, claimed the bounty was a sham. That led to Bitfi suggesting Tierney was working for other cryptocurrency wallet providers.

That was followed up by Rob Loggia, a McAfee technical advisor, refuting the “fake negative reviews” of Bitfi; Loggia took particular exception to security researcher Ryan Castellucci saying Bitfi is “a cheap stripped down Android phone” and then adding, “I strongly advise against using one of these devices.” Yep, it’s a drama-fest.

Responding to claims that Bitfi was an “insecure stripped down phone” being pushed “as a secure hardware wallet,” Bitfi tweeted:

Oh so funny John. It is obviously not a phone but a 3.9” tablet with touchscreen.

It doesn’t even have a speaker so what on earth are you talking about? Since you claim it’s a phone, why don’t you try to make a call on it and let us know how it goes. — Bitfi (@Bitfi6) July 31, 2018
A group of researchers then made the Bitfi ROM directory listings public; the lists of both the system and vendor partitions are on Pastebin. The researchers did find some troubling apps on the device, including the Chinese app Baidu and the Adups malware, which seem to be calling home.

The researchers specifically noted:

Most of the firmware looks just like a normal MTK phone, including:
A Baidu GPS/WIFI tracker
The well-known Adups FOTA malware suite
The entire Mediatek library of example apps
A tracker, capable of logging all activity on the device

At least the Baidu and Adups apps are indeed actively running on the device, including calling home to Baidu and Adups. The rest of the system/vendor partitions include drivers for removed devices like the camera, tcpdump, adbd and several other debugging binaries.

2/2 — OverSoft (@OverSoftNL) July 30, 2018
Responding to the claims of the device coming preloaded with spyware and malware, Bitfi told The Next Web that an “army of trolls” allegedly working on behalf of wallet competitors Trezor and Ledger are behind it.

Please understand that the Bitfi wallet is a major threat to Ledger and Trezor because it renders their technology obsolete. So they hired an army of trolls to try to ruin our reputation (which is ok because the truth always prevails).
Bitfi added:
“There is absolutely no Chinese bloatware whatsoever,” the spokesperson further told Hard Fork. “The device simply has Google and Bidu [sic] to be able to ping something to see if it is connected to the internet or not. Bidu [sic] is there because we have customers in China and Google is blocked in China. So for Chinese customers the device will simply ping Bidu [sic].

That’s all. None of this has anything to do with the security of the device. I mean we are offering a $250,000 bounty.

Do you see any other wallet doing that?”
“All these trolls can do is talk smack all day but they can’t hack the wallet if their life depended on it.”
Other researchers are waiting to see if Bitfi will release the source code, as it is advertised as being an open source crypto wallet.
Meanwhile, McAfee upped the bounty for the “unhackable” Bitfi wallet to $250,000.

Other bounties for hacking Bitfi
McAfee isn’t the only one dangling a bounty as bait. There are currently at least three other researchers offering £600 (roughly $800) to the hacker who can “demonstrate and openly publish a practical attack on Bitfi.” Kenn White offered to kick in another £100 if:

I’ll kick in another £200. A hundred more if post-exploit, it sends a friendly public confirmation tweet tagging Bitfi and that juice company, from the wallet. (Rate limited and directed to a test account during development, please.) — Kenn White (@kennwhite) July 30, 2018
