Earlier this week, cryptocurrency news was full of stories about a new hardware wallet: the Bitfi.
What makes this one any different?
John McAfee claims it is “unhackable”. Not just “harder to hack”, but “unhackable”.
That’s a bold claim. They know it’s a bold claim, so they have set a bounty.
Sounds great, no?
No.
The bounty deliberately includes only one attack: key recovery from a genuine, unaltered device. And the device doesn’t store the key.
The only way to win the bounty is to recover a key from a device which doesn’t store a key.
There are many, many more attacks such a device is vulnerable to. The most obvious one: modifying the device so that it records and sends the key to a malicious third party. But this is excluded from the bounty.
Why is this?
Because the bounty is a sham. When it lies unclaimed, Bitfi can say “our device is unhackable”. What it actually means is “our device is not vulnerable to one specific attack”.
I’m going to put a challenge to them.
If your device is unhackable, then change your bounty terms:
- A trusted intermediary is chosen e.g. a lawyer or judge.
- We provide the trusted intermediary with three Bitfi devices, a laptop computer and a WiFi access point.
- The trusted intermediary puts $1,000,000 directly onto each Bitfi device, using the laptop and WiFi access point we have provided.
- They must follow the publicly available documentation, without interference from anyone.
These are much stronger security goals to meet, and much more accurately emulate the real world.
If Bitfi won’t change the terms, it’s clear to me that they don’t stand behind their claims that the device is unhackable.
Jon
July 29, 2018 at 1:31pm
Cybergibbons - you are awesome. Keep up the good work calling out sham programs hah.
Love your Twitter feed about this too
TX
August 2, 2018 at 5:41am
You’re saying that if Bitfi doesn’t increase the bounty from $100k to $3m their claims are not credible.
Adrian Peirson
December 4, 2020 at 3:38pm
Is it true there are code sections in Bitfi Android code that send data to Chinese servers?