Researchers Who Profess To Have Hacked Bitfi Demand Bounty Reward
August 14, 2018 2:42 pm
The Next Web reported on August 12 that a group of researchers claim to have hacked the Bitfi wallet.
The executive chairman of Bitfi, John McAfee called Bitfi “the world’s first unhackable device.” To prove his claim, McAfee also challenged security experts to break-through the device for a $100,000 bounty starting July 24.
As per its specifications, Bitfi is a hardware wallet that supports “an unlimited amount of cryptocurrencies,” and utilizes a user-generated secret phase instead of a conventional 24-word mnemonic seed that has to be addressed down. Bitfi is meant to be “entirely open-source,” implying that the user holds control of their funds “even if the manufacturer of the wallet no longer exists.”
Several efforts to hack the wallet have been made since then, none of them met the bounty’s terms and the wallet has not been fully breached until today. The researchers claimed they could successfully send signed transactions with the wallet, claiming they met the conditions of the bounty program by modifying the device, connecting to the wallet’s server, and transmitting sensitive data with it.
Security researcher Andrew Tierney said:
“We have sent the seed and phrase from the device to another server, it just gets sent using netcat, nothing fancy. We believe all [conditions] have been met.”
The researchers reportedly gained full access to the device two weeks ago, after which they have been closely tracking it, including the data being sent from the wallet. They maintain that the device is still connected to the Bitfi server.
“We intercepted the communications between the wallet and [Bitfi]. This has allowed us to display silly messages on the screen. The interception isn’t the big part of it, it’s just to demonstrate that it is connected to the dashboard and still works despite significant modification.”
Bitfi CEO Daniel Keshin wrote to a news website earlier this month mentioning the alleged hack by fifteen-year-old Saleem Rashid.
“As of now, we have no evidence that our device can be hacked and if someone succeeds in doing so then we will immediately put out a fix to all devices to address the vulnerability that was discovered and it will be unhackable once again.”