John McAfee’s “Unhackable” Bitcoin Wallet Is Actually Hackable
The supposedly “unhackable” cold storage Bitcoin wallet had to be hacked twice before the company decided to admit defeat in an August 30, 2018, tweet.
Not Unhackable Anymore
In an announcement made on Twitter, Bitfi, the company that manufactures the hardware crypto wallet, said it will be removing the “unhackable” claim from its website effective immediately.
The company also admitted that “researchers” have identified vulnerabilities in their device and that they plan on addressing the issues as soon as possible.
“As part of our ongoing efforts to protect our customers, we have hired an experienced Security Manager, who is confirming vulnerabilities that have been identified by researchers. Next week, we will make a comprehensive public announcement acknowledging and addressing these issues that have been identified,” the company’s official statement read.
“Effective immediately, we will be removing the ‘unhackable’ claim from our branding which has caused a significant amount of controversy,” the statement continued.
According to CNET, the company took this step to stop the negativity and the anger that ensued on social media, saying that it’s not “healthy.” Bitfi intends to try to fix the wallet by addressing those issues rather than recalling the product or stopping sales. “Whatever issues we discover will be patched for all customers via our push updates,” the company told CNET by email.
McAfee’s Bounty on the Line
John McAfee, the man behind the infamous uninstallable anti-virus software, partnered with Bitfi to launch a crypto token wallet he described as the “first truly unhackable and open source crypto wallet.”
Following an outpouring of adverse reactions to his claim, McAfee issued a challenge in July, offering a $100,000 bounty for anyone who could hack the device. The first official bounty program launched on August 1 and offered a $250,000 bounty to anyone who proves a hack of the Bitfi hardware wallet, while the second bounty provides $10,000 to anyone who shows a hack on the firmware of the Bitfi device.
Just hours after the initial bounty had launched, Oversoft claimed to have gained root access, patched the firmware and proved that they could still connect to the dashboard.
Security researchers have also developed a second attack, which they say can obtain all the stored funds from an unmodified Bitfi wallet.
On August 30, Saleem Rashid and Ryan Castellucci announced that they were able to extract the user-generated secret phrase and “salt” value, which allowed private keys to be generated and the funds to be stolen.
Rashid, a 15-year-old hacker, told TechCrunch that the keys are stored in the memory longer than Bitfi claims, allowing their combined exploits to run code on the hardware without erasing the memory. From there, he said, an attacker can extract the memory and find the keys, with the entire exploit taking less than two minutes to run.
Andrew Tierney, a security researcher with Pen Test Partners and one of the hackers behind the first Bitfi attack, was able to verify Rashid’s hack.
“This attack is both reliable and practical, requiring no specialist hardware,” he told TechCrunch in an interview.
According to CNET, Bitfi wouldn’t say whether it will award the $250,000 or $10,000 bounties it offered to those who could prove they’d been able to hack the wallet.
McAfee also didn’t respond to a request for comment from CNET, despite being quick to respond to all previous Bitfi attacks on Twitter.