John McAfee’s immensely hyped Bitfi bitcoin wallet has allegedly been hacked after a $250,000 bounty was put up on the claim that it is ‘unhackable’.
Bitfi has been touting the wallet’s security as being “fortress-like,” and has gotten internet security specialist John McAfee to endorse the claims. In the past few days, McAfee has found himself on the receiving end of a tirade of attacks from skeptics of his Bitfi ‘unhackable’ claim, with many dismissing it as a marketing gimmick.
The device is Android-powered, which allegedly makes it vulnerable to a long list of attack vectors, including keylogging, malware, rooting, and different forms of firmware tampering.
OverSoft Hacks Wallet
According to a July 30 update on vulnerabilities found on the device by OverSoft, its use of a Baidu GPS/WIFI tracker was a major weakness. This is not to mention the presence of the notorious Adups FOTA malware suite, and “a tracker, capable of logging all activity on the device.”
Update on the BitFi device so far
Most of the firmware looks just like a normal MTK phone, including:
– A Baidu GPS/WIFI tracker
– The well-known Adups FOTA malware suite
– The entire Mediatek library of example apps
– A tracker, capable of logging all activity on the device
— OverSoft (@OverSoftNL) July 30, 2018
On August 1, the OverSoft team revealed that it had obtained root access and installed patched firmware. The team declined to provide further details but has promised to release a video revealing details of the process. They also found that the Baidu location tracker and Adups service were not only pinging but actually running. OverSoft could not get the bounty because, apparently, they didn’t hack the device as outlined in the guidelines.
Short update without going into too much detail about BitFi:
We have root access, a patched firmware and can confirm the BitFi wallet still connects happily to the dashboard.
There are NO checks in place to prevent that like claimed by BitFi.
— OverSoft (@OverSoftNL) August 1, 2018
As such, the team concluded that the whole exercise was nothing more than a marketing ploy, saying, “They (Bitfi) deny anything that’s not exactly according to their bounty rules, aka: they will never pay a bounty. It’s pure marketing.”
Not One Bounty, but Two
After the OverSoft hacking claim, Bitfi created a second bounty. This time, the rules for claiming the bounty included modifying the firmware on the device while ensuring that it could still connect to the Bitfi dashboard afterward. In addition, a hacker needs to demonstrate that the private keys and the user’s secret phrase can be transmitted to a third party. This is required to be done while ensuring uninterrupted dashboard functionality.
The bounty will apparently be withdrawn after one person accomplishes this. That said, OverSoft got a formal invitation to assist the Bitfi team in hacking the ‘unhackable’ device.
The whole debacle led some to conclude that Bitfi won’t be paying out the bounty, with one user declaring, “Affy (McAfee) won’t pay you (OverSoft) a single dime; he’ll just say thanks for showing us the problems. They’ll then patch it and again claim it’s unhackable. Sorry about that.”
John McAfee likened the rooting claim by OverSoft to trying to use a dentist’s license on a nuclear power plant, reiterating the fact that the alleged hackers still couldn’t get the money out of the wallet.
This stirred up critics to no end, with some pointing out that root access could be used to uncover non-root exploits. Man-in-the-middle vulnerabilities, such as hacked Wi-Fi access and logging of screen input, could also do the trick.
The Bitfi device security has yet to be officially verified by an established third-party cyber-security company.