On the 27th of July, John McAfee had challenged the crypto-community and hackers worldwide, to attempt to hack the BitFi Hardware wallet. McAfee has more or less claimed on several occasions that no one can steal any funds locked away in the hardware wallet therefore making it unhackable. The initial bounty for anyone who could hack the device was $100,000 but McAfee upped the ante to $250,000 only 4 days later through the following tweet:
We are increasing the bounty for hacking the https://t.co/VJ7qrOxQqL wallet to $250,000. The rules require you to empty the contents of a BitFi wallet that we have pre-loaded and have sent to you. You must pay for the wallet and its contents. Rules at https://t.co/jUUVmH77Mg
— John McAfee (@officialmcafee) July 31, 2018
Alleged hack of the BitFi Wallet
Less than a day after McAfee increased the bounty, @OversoftNL, an ‘IT geek’ from the Netherlands, claimed to have successfully obtained root access to the BitFi wallet. He made the announcement via twitter by stating the following:
Short update without going into too much detail about BitFi:
We have root access, a patched firmware and can confirm the BitFi wallet still connect happily to the dashboard.
There are NO checks in place to prevent that like claimed by BitFi.
There has been no official statement from the team at BitFi. They since announced a second bounty on its website that now pays $10,000. The new bounty is meant to help the team at BitFi identify potential security vulnerabilities in the firmware encryption of the BitFi device. The announcement by the team at BitFi goes on to add that:
We would like to ask security researchers in the digital asset community to assist us with this project.
The rules for claiming the bounty :
- The firmware of the Bitfi device is modified
- After the firmware is modified the device still needs to connect to the Bitfi Dashboard
- The device then should be able to transmit either private keys or the users secret phrase to a third party while still functioning normally with the Bitfi Dashboard
Please contact [email protected] if you wish to participate. We would greatly appreciate any assistance on this project from the infosec community. This bounty will be terminated after the first person identifies this security weakness.
@OverSoftNL has since outed the first bounty as being a sham and that the whole thing is a marketing strategy.
Their first bounty is a sham. Me and multiple others have explained this before: it's set up so that it's impossible. Now, if we could get the wallet and return it and then let them use it, that would be a different story.
2/?— OverSoft (@OverSoftNL) August 2, 2018
They deny anything that's not exactly according to their bounty rules, aka: they will never pay a bounty. It's pure marketing.
— OverSoft (@OverSoftNL) August 1, 2018
In conclusion, the BitFi wallet has proven not to be 100% unhackable as earlier claimed. John McAfee has since come out to defend the wallet stating that no one has accessed the money from the wallet. He specifically wrote the following in one of his latest tweet:
Hackers saying they have gained root access to the BitFi wallet. Well whoop-de-do! So what? Root acces to a device with no write or modify capability. That’s as useless as a dentist license un a nuclear power plant. Can you get the money on the wallet? No. That’s what matters.
