'Unhackable' Bitfi wallet circus delights security researchers with hacking challenge

Any claim to be impervious to hacking is just asking for trouble.
Written by Charlie Osborne, Contributing Writer

The Bitfi cryptocurrency wallet, touted as an "unhackable" system, appears to have been hacked a week after launch.

Backed by technology personality John McAfee, the Bitfi cryptocurrency wallet claims to have "fortress-like" security and the product's "security is absolute and that the wallet cannot be hacked or penetrated by outside attacks."

Available for $120, the hardware connects to an online dashboard for users to keep an eye on their funds and access their cryptocurrency. The device and online platform sync through a Bitfi ID and when transactions are made, users input a phrase to generate a private key.

"Your private keys are NEVER stored anywhere except your own brain, and this is precisely why the Bitfi wallet is unhackable," Bitfi says. "The Bitfi wallet is the final and ultimate solution for storing cryptocurrencies and crypto assets."

The Bitfi wallet launched last week and the bold claims connected to the device pushed McAfee to offer up to $100,000 for anyone who could compromise the hardware.

Going further, Bitfi then offered a bounty with a reward of $250,000 for true exploits and attacks -- although, the terms of the bounty are somewhat unusual.

In order to participate, researchers have to buy a Bitfi wallet preloaded with coins. Hackers, without knowledge of the passphrase, then have to exfiltrate the coins and empty the wallet -- but they are allowed to use "all possible attack vectors."

"This bounty program is not intended to help Bitfi to identify security vulnerabilities since we already claim that our security is absolute and that the wallet cannot be hacked or penetrated by outside attacks," the company says. "Rather this program is intended to demonstrate to anyone who claims or believes that nothing is unhackable or that they can hack into the Bitfi wallet, that such attempts are futile and that the advertised claims about the Bitfi wallet are accurate."

The bounty, itself, is arguably flawed as it only includes retrieving a key from a device which does not store a key.

There are far more attack vectors and way to compromise a system, such as through backdoors, supply chain security problems, and device modification so it does store a key and send it to an attacker remotely. Pen Test Partners has dubbed the bounty a "sham."

However, a second bounty now asks for "potential security vulnerabilities in the firmware encryption of the Bitfi device."

The reward on offer is $10,000 and a modified device "should be able to transmit either private keys or the user's secret phrase to a third party while still functioning normally with the Bitfi Dashboard."

While it does not appear that anyone has yet claimed the full $250,000 bounty -- even if the convoluted requirements make it possible -- security professionals have been busy dissecting the device and hacking in other ways.

Pen Test Partners began by breaking down Bitfi. The cybersecurity firm says that the device is based on a Mediatek MT6580 and is "effectively a cut-down Android phone."

TechRepublic: The top 5 security threats posed by ICO projects

Andrew Tierney, security consultant at Pen Test Partners, was then accused of working for cryptocurrency wallet rivals such as Trezor by Bitfi.

Oversoft was quick to follow with root access to the device.

"We have root access, a patched firmware and can confirm the BitFi wallet still connect happily to the dashboard," the researchers said. "There are NO checks in place to prevent that like claimed by BitFi."

The circus continued.


Going further, Oversoft says the device's firmware -- which "looks like a normal MTK phone" -- has a number of troubling elements, including Baidu trackers, the Adups FOTA malware suite, a tracker, and an entire Mediatek library of example apps.

"At least the Baidu and Adups apps are indeed actively running on the device, including calling home to Baidu and Adups," Oversoft added.

"The rest of the system/vendor partitions include drivers for removed devices like the camera, tcpdump, adbd and several other debugging binaries."

CNET: Initial coin offerings, explained

A group of researchers brought together over BitFi's "unhackable" claim, have also posted Bitfi ROM vendor partition listings and ROM system partition listings on PasteBin.

Ryan Castellicco is no fan of the device, either, suggesting that Bitfi is nothing more than a cheap stripped-down Android phone.

"Someone will probably have Doom running on it by Friday," the security researcher added.

This drew the ire of McAfee technical advisor Rob Loggia, who claimed in a blog post:

"It appears as if the author originally wanted Bitfi to employ him as a security researcher for the product, revealing "vulnerabilities" in return for pay. However, his heavy-handed approach was not met with success. So he raged."

See also: South Korean cryptocurrency exchange hack sees $40m in altcoin stolen

The ongoing drama provoked McAfee, who said on Twitter:

"Stay tuned. Tomorrow I am putting out a definitive video countering all of the nonsense claims instigated and co-coordinated by Bitfi's established, monolithic competitors in the hardware wallet space. I will put this to bed."

In response, data scientist Henry Carless summed up the situation:

"This is getting absurd. Either something's 'unhackable' or it's not. Clearly, as evidenced many times over, the Bifi is not. You can not fix this. You instigated it with a bounty. You literally challenged people to hack it. And they did. Competitors or not, makes no difference."

The challenge of hacking BitFi was taken up with enthusiasm, and while the research has not resulted in the theft of coins through conventional means, the red flags should offer a warning: despite claims to the contrary, we are yet to see a truly "unhackable" device hit the market.

Top tips for investing in cryptocurrency

Previous and related coverage

Editorial standards