It’s been almost 11 months since we showed that the Bitfi Knox MD40 wallet was vulnerable to two quite serious attacks:
- The keys persisted in memory for days, allowing them to be recovered over USB in a few minutes – the cold boot attack.
- The device could be easily rooted and backdoored over USB in a few minutes, allowing an attacker to receive your keys when you used them – the evil maid attack.
In those 11 months, Bitfi have not informed users of their device that they were vulnerable, or if they continue to be vulnerable:
- Is the USB bootloader still open on some or all Bitfi devices?
- Can some or all devices still be rooted trivially?
- Have reasonable precautions been made to wipe the RAM?
- How does a user determine if their device is vulnerable?
Without knowledge of the vulnerabilities on their devices, users cannot take appropriate actions to mitigate risk.
If you take their threat model as truth – that it is safe from nation states – you have no idea if your funds are at risk or not.
This is completely unacceptable, especially when one of their co-founders claims that not informing users of security issues puts lives at risk.
Further to this, Daniel Khesin has stated they believe the attacks take at least 10 minutes and have a 25-30% success rate. In reality, it was 2 minutes, and we didn’t see them fail. This suggests a massive disconnect on Bitfi’s side – they don’t actually understand the issue.
Without acknowledging the ease with which the attacks were carried out, there is no way they can actually fix them properly.
I have some very simple – and reasonable – requests for Bitfi:
- Document the attacks clearly and concisely on your own site, bitfi.com, including which versions of hardware and software are still vulnerable.
- Inform your customers, by way of both email and the dashboard, of these issues.
A company unwilling to take these actions is, by their own words, putting people at risk.
Without these basic courtesies in place, I’m not even going to entertain looking at the devices at Defcon.
Paul M
July 16, 2019 at 8:59amit’s now 2019, why haven’t companies learned the basic lessons of security?
Joao
September 16, 2019 at 1:23pmIt is always nice to see company’s think (emphasis: “think”) they got security right! Just to see it all fall the minute security researchers start digging in there free time because Blackhat or something like that is coming and they need something cool to show… or are just bored that day.
Is it difficult (?) for these company’s to contract a few specialized company’s in electronic security (code review/ hardware review/ test & penetration) to make sure there stuff is really that good. Yes, costs money for the quality insurance part, but at least clients could be confident things at least won’t be to easy for hackers even those with good resources and knowledge.