A recently released wallet was said to be “unhackable” by its promoters, including John McAfee, and this has naturally triggered security researchers.
When the Bitfi hardware wallet was unveiled in June, its official promotional material called it the “first truly unhackable” wallet, promising “impenetrable security” and an operation “without any risk of loss”. It was also said to offer more security than any other type of storage, including cold storage.
Vouching for the device being indeed “unhackable”, which Bitfi acknowledged is an extremely bold claim, was John McAfee. “Of all today’s elaborate and sophisticated methods for making wallets secure and easy to use, surely none is as epic as that of the new Bitfi wallet. Several of my competitors have pioneered innovative methods to protect private keys, but Bitfi pulled out all the stops to ensure that the private key can never be obtained by illicit means. No other hardware wallet has ever been built to this level of sophistication,” McAfee is quoted as saying.
This level of sophisticated security was supposedly achieved primarily by utilizing a proprietary open-source algorithm that calculates the private key from a user’s own unique secret phrase. “The private key only exists for a fraction of a second, just long enough to approve the transaction and is never stored anywhere.” And the developers added that: “Unlike other wallets, the Bitfi wallet cannot be tampered with. If it is ever lost, stolen, taken apart and forensically analyzed, the private keys cannot be retrieved, making the wallet safe to purchase from anyone within the network of authorized distribution dealers.”
Initial reviews were very unkind to Bitfi, with one security researcher stating: “my conclusion is that their product is most charitably described as a ‘footgun’,” meaning a device designed for shooting yourself in the foot. McAfee, who is known for being a shill in the crypto community but has credibility to lose in the cyber security space as an anti-virus pioneer, shot back by labeling critics as “haters” and negative reviews as “fake” because they were based on Bitfi documentation rather than on an examination of the actual device. Moreover, he challenged anyone to hack the wallet and receive a $100,000 bounty.
Everyone tells me https://t.co/VJ7qrOxQqL is hackable. Then register as a hacker and do it. We send you the device pre-loaded with $50 in BTC. If you get the BTC we send you $100,000. You will eventually give up. When you do we send you the pass phrase to recover your $50. Do it.
— John McAfee (@officialmcafee) July 28, 2018
So security researchers have now gotten their hands on the device and are tearing it apart trying to answer the hacking challenge. And they have already discovered a few interesting things. According to their collaborative efforts, it seems that the hardware of the wallet is basically that of a Chinese mobile phone (Mediatek MT6580) minus the camera and SIM card. And the firmware includes a Baidu GPS/Wi-Fi tracker, a malware suite (Adups FOTA), and a tracker capable of logging all activity on the device.
Allowing us to dump the file system. pic.twitter.com/bDXJuWB4QM
— Ask Cybergibbons! (@cybergibbons) July 30, 2018