BitFi Removes “Unhackable” Claims, Closes Bounty Program and Hires New Security Manager.
In a tweet published on the official Bitfi account, the development team of the controversial hardware wallet marketed by Mr John McAfee as unhackable said that they would withdraw that claim and, at the same time, close the bounty program in which 100k USD was offered to every person who could hack the wallet:
“Effective immediately, we are closing the current bounty programs which have caused understandable anger and frustration among researchers. We acknowledge and greatly appreciate [their] work and effort …
Effective immediately, we will be removing the “Unhackable” claim from our branding which has caused a significant amount of controversy.”
The decision to “retract” was followed by a change of personnel. The team commented that they had hired a new Security Manager, without mentioning the name of the new expert who would be joining the Bitfi ranks.
The Un-hackable Hacked Wallet
The Bitfi team commented that they acknowledged the existence of “vulnerabilities” but refrained from commenting on the various hacks published on social networks.
Several hackers have been able to exploit different vulnerabilities in this wallet; however, Mr. John McAfee apparently used a pun to avoid paying the various cybersecurity experts for their successful efforts.
Whether they rooted the wallet and ran Doom or effectively got the passphrase revealed, Mr. McAfee does not give credit to these hackers. Bitfi said these actions were the efforts of an “army of trolls” hired by other companies like Ledger and Trezor.
In a statement to The Next Web, a Bitfi spokesperson commented:
“Please understand that the Bitfi wallet is a major threat to Ledger and Trezor because it renders their technology obsolete … So they hired an army of trolls to try to ruin our reputation (which is ok because the truth always prevails)… All these trolls can do is talk smack all day, but they can’t hack the wallet if their life depends on it.”
Bitfi has been widely criticized for having no security features that make it better than other hardware wallets. When the device was disassembled, its processor turned out to be an MT6580 from MediaTek, a brand of inexpensive components. This raised doubts about the price of the wallet, which did not offer any special encryption hardware or any sign of an internal cold storage option.
So now we have pictures of the bare @Bitfi6 board.
— Cybergibbons! (Project Zero Hounslow) (@cybergibbons) July 29, 2018
In a final effort to check for security flaws, Saleem Rashid, a young hacker, managed to film a cold boot attack in which he obtained Bitfi’s passphrase, ensuring that the same attack could be made from an Android device.
on a completely unrelated note, here is a @Bitfi6 being cold boot attacked.
it turns out that rooting the device does not wipe RAM clean. who would have thought it!?