Whaddya mean there’s no such thing as an unhackable device? John McAfee sputtered last week. I got a $100K bounty for anybody who can hack my spiffy, new, unbreakable breakthrough, the wowee-wow world’s first and only completely unhackable, most advanced digital thingie ever, cryptocurrency wallet!
For all you naysayers who claim that “nothing is unhackable” & who don’t believe that my Bitfi wallet is truly the world’s first unhackable device, a $100,000 bounty goes to anyone who can hack it. Money talks, bullshit walks. Details on https://t.co/ATFaxwUzQC— John McAfee (@officialmcafee) July 24, 2018
Then, hardware maker Bitfi upped the ante with its own offer of a 250K bounty.
It allegedly took a week. Whether BS walked or pulled up a chair to discuss that $100K… or $250K… is debatable, though, as McAfee is happy to explain.
The press claiming the BitFi wallet has been hacked. Utter nonsense. The wallet is hacked when someone gets the coins. No-one got any coins. Gaining root access in an attempt to get the coins is not a hack. It's a failed attempt. All these alleged "hacks" did not get the coins.— John McAfee (@officialmcafee) August 3, 2018
Press are indeed claiming that the Bitfi wallet has been hacked. It was released the week prior to the hack/not-a-hack with great fanfare and greeted with great guffaws, as well as by people who decided to give the breakage a go.
As CNet reported on Friday, a “self-described IT geek in the Netherlands” who goes by the Twitter handle @OverSoftNL tweeted on Wednesday that they’d gained root access to the crypto-wallet. @OverSoftNL went on to say they had help from @cybergibbons, also known as Andrew Tierney, a security consultant at Pen Test Partners, and from Graham Sutherland (@gsuberland)… all three of whom got royally peeved at what Sutherland called a “clueless and misleading attitude to security.”
The wallet comes from antivirus software pioneer, former Belize man-about-town/government spy/fugitive, current US fugitive McAfee, together with hardware crypto-wallet maker Bitfi. McAfee (the man, not the brand owned by Intel Security) and Bitfi had claimed that the thing had “absolute” security.
Ah. Well. For its part, OverSoftNL claims Bitfi cryptography implementation is “terribad.”
Short update without going into too much detail about BitFi:— OverSoft (@OverSoftNL) August 1, 2018
We have root access, a patched firmware and can confirm the BitFi wallet still connect happily to the dashboard.
There are NO checks in place to prevent that like claimed by BitFi.
For one thing, the “most sophisticated instrument in the world” turns out to be nothing more than a cheap touchscreen Android phone that’s been gutted – particularly, stripped of its cellular connectivity innards. What it has in their place is a touchscreen that uses a protocol that’s easily intercepted. As Pen Test Partners wrote in Part 1 of its Hacking the Bitfi series:
All you need is a logic analyser to capture the finger movements on the screen and therefore the wallet passphrase as it is entered on to the screen.
The upshot, according to Tierney:
* The device isn't a custom designed piece of hardware, it's a stripped back, low-end Android phone with parts missing.— Cybergibbons (@cybergibbons) July 29, 2018
* The processor on it doesn't contain any specific functionality for high-integrity device.
* There isn't any additional hardware on-board to fix this.
A lack of anti-tamper measures means that the back of the Bitfi can be popped off, the hardware reprogrammed or bugged, the case closed up again, and the handheld handed to a victim. Whatever passphrase they then type in can be captured and sent to an attacker via whatever backdoor they’ve built into it.
What gall, Tierney said:
I can't believe the gall of these people. pic.twitter.com/7N7lHApnIZ— Cybergibbons (@cybergibbons) July 29, 2018
…he also shared a link to a USD $35-ish phone using that same chip set.
Regarding those bounties: apparently, Bitfi and McAfee don’t define gaining root access, and patched firmware to be successful “hacking,” they say.
Rather, Bitfi’s bounty program defines a legitimate hack as one in which the hacker receives a Bitfi phone preloaded with $50 in crypto-coins, secured by an unknown passphrase, and gets the coins off the device.
The terms highlight what critics say is the device’s one genuine security feature: it doesn’t store the key needed to access the crypto-currency on the device itself.
But as Tierney put it, that means that the challenge only covers one specific method of theft: getting at the coins on a stolen device. That’s pretty narrow for something to be called “unhackable,” though.
In fact, Tierney says, the bounty is a sham:
The bounty deliberately only includes only one attack: key recovery from a genuine, unaltered device. And the device doesn’t store the key.
The only way to win the bounty is to recover a key from a device which doesn’t store a key.
The most obvious way to hack the device, he said:
Modifying the device so that it records and sends the key to a malicious third party. But this is excluded from the bounty. Why is this? Because the bounty is a sham.
But there are “many, many more attacks such a device is vulnerable to,” Tierney said.
On Friday, OverSoftNL echoed Tierney, dismissing the bounty as a “sham” and adding that the ability to gain root access does in fact mean that the wallet isn’t secure. Bitfi doesn’t “even have $250k free on hand at this moment,” they claimed.
Bitfi, which hadn’t responded to CNet’s request for comment as of Friday, also offered a second, $10,000 bounty with a plea for help. The tweet from CEO Daniel Khesin:
Dear friends, we’re announcing second bounty to help us assist potential security weaknesses of the Bitfi device. We would greatly appreciate assistance from the infosec community, we need help.
OverSoftNL called it chump change. Get real, they said, instead of trying to weasel out of paying for a real penetration test:
Them now offering a 2nd bounty which is MUCH lower is just laughable. They're basically trying to pay pennies on the $ of what a real pentest would cost.— OverSoft (@OverSoftNL) August 2, 2018
So everybody that's asking "when coins sir?" they're not coming.
But would you want to use a BitFi now that you know this?
John McAfee has since appeared in a promoted video (an advertisement) on Twitter explaining that his role is to drum up publicity for the Bitfi device and that there is no easier way to do that than with the instant controversy calling something “unhackable” creates.
So, is he right, and will you be rushing out to buy a Bitfi device to store your cryptocoins?
Image courtesy of bitfi.com