John McAfee’s Crypto Wallet Keeps Getting Hacked

Researchers were able to hack the “unhackable” Bitfi cryptocurrency wallet for a second time, forcing the company to drop the unhackable claim for its product. John McAfee, the creator of the McAfee antivirus company, is the executive chairman for Bitfi.

“Unhackable” Cryptocurrency Wallet Gets Hacked

As many in the security community know, when you claim something is unhackable, that statement quickly becomes an open invitation to security researchers and malicious hackers from all over the world to prove you wrong.

The so-called unhackable Android-powered Bitfi hardware wallet for cryptocurrencies debuted at the end of June, and six weeks later researchers were already able to hack it. McAfee and Bitfi were so confident in their crypto wallet that they offered a $250,000 bug bounty. However, when the researchers proved this hack, McAfee claimed it to be illegitimate because it didn't meet the rules of the bounty program. The Bitfi wallet was supposed to have anti-tampering technology, but according to the researchers its protections were quite weak.

Bitfi Hacked Again

Another group of researchers has hacked the wallet, it was announced this week. This time they were also able to extract the cryptocurrency private keys. In the cryptocurrency world, whoever has access to the wallet's private keys has access to the cryptocurrency coins.

This hack was possible because the keys were kept in RAM longer than Bitfi claimed, which allowed the researchers to apply their exploits without the RAM being reset. Then, it was just a matter of extracting the keys from memory.
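
The weakness described above is a key-lifetime problem, and the usual defence is to hold the key only for one operation and overwrite it on every exit path. The following is an added sketch of that pattern, not Bitfi's code and not taken from the researchers' findings; `wallet_ctx`, `sign_once` and the other names are hypothetical, and the key derivation and tag are toy stand-ins with no cryptographic strength.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define KEY_LEN 32

/* Hypothetical wallet context; all names here are illustrative. */
typedef struct { uint8_t key[KEY_LEN]; int loaded; } wallet_ctx;

/* Volatile stores cannot be dropped as dead writes, unlike a plain memset(). */
void secure_wipe(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Stand-in for a real KDF (NOT cryptographically sound). */
int ctx_load_key(wallet_ctx *c, const char *pass) {
    size_t len = pass ? strlen(pass) : 0;
    if (len == 0) return -1;
    for (size_t i = 0; i < KEY_LEN; i++)
        c->key[i] = (uint8_t)((uint8_t)pass[i % len] ^ (0xA5 + i));
    c->loaded = 1;
    return 0;
}

/* Toy keyed tag (FNV-1a over key || msg), standing in for a signature. */
uint32_t ctx_tag(const wallet_ctx *c, const char *msg) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < KEY_LEN; i++) { h ^= c->key[i]; h *= 16777619u; }
    for (; *msg; msg++) { h ^= (uint8_t)*msg; h *= 16777619u; }
    return h;
}

/* Number of non-zero key bytes still resident in the context. */
size_t key_residue(const wallet_ctx *c) {
    size_t n = 0;
    for (size_t i = 0; i < KEY_LEN; i++) n += (c->key[i] != 0);
    return n;
}

/* Derive, use, wipe: every exit path, errors included, reaches the wipe. */
int sign_once(wallet_ctx *c, const char *pass, const char *msg, uint32_t *tag) {
    int rc = -1;
    if (ctx_load_key(c, pass) == 0 && msg && tag) {
        *tag = ctx_tag(c, msg);
        rc = 0;
    }
    secure_wipe(c, sizeof *c);
    return rc;
}
```

Wiping one buffer does not cover copies the program made elsewhere, and in a managed runtime a secret held in an immutable string cannot be overwritten in place this way.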

Following this second hack, in addition to removing the unhackable claim from its website, Bitfi also closed the $250,000 bug bounty. It's not clear whether or not Bitfi will pay the bounty for this latest bug discovery.

Last month, Bitfi won the Pwnie Award for Lamest Vendor Response, an award Black Hat conference organizers give to companies deemed to show the poorest response to security issues.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • totalinsanity4
    Wow. Sore losers, much?
  • gggplaya
    In regards to time, how much longer in ram was it?? Like 5 minutes, like 20 minutes, like 30 days?????? Because if you steal someone's wallet, you'd need to access it and break into fairly quickly to upload your exploit to access the ram. It's generally not that realistic of an attack. Depending on how long it remains in ram.
  • hellwig
    21282291 said:
    In regards to time, how much longer in ram was it?? Like 5 minutes, like 20 minutes, like 30 days?????? Because if you steal someone's wallet, you'd need to access it and break into fairly quickly to upload your exploit to access the ram. It's generally not that realistic of an attack. Depending on how long it remains in ram.

    Depends on who you don't want accessing that data. In theory, a police officer with their handy plug-in hacking tools could steal your crypto keys and currency only seconds after taking the phone from you. Civil Asset Forfeiture is a terrible abuse of power, but until we can get those laws changed, it's not just remote people in Russia or North Korea you have to worry about stealing from you.
  • quilciri
    John McAfee is the Fred Durst of AV.
  • rfague
    He ought to know better by now, nothing is unhackable no matter how much someone thinks they know about security.
  • rantoc
    Sure, it's possible to make a product harder to hack, but like someone wise (NOT McAfee apparently) said - there is always a way in