Researchers were able to hack the “unhackable” Bitfi cryptocurrency wallet for a second time, forcing the company to drop the unhackable claim for its product. John Mcafee, the creator of the McAfee antivirus company, is the executive chairman for Bitfi.
“Unhackable” Cryptocurrency Wallet Gets Hacked
As many in the security community know, when you claim something is unhackable, that statement quickly becomes an open invitation to security researchers and malicious hackers from all over the world to prove you wrong.
The so-called unhackable Android-powered Bitfi hardware wallet for cryptocurrencies debuted at the end of June, and six weeks later researchers were already able to hack it. McAfee and Bitfi were so confident in their crypto wallet that they offered a $250,000 bug bounty. However, when the researchers proved this hack, McAfee claimed it to be illegitimate because it didn't meet the rules of the bounty program. The Bitfi wallet was supposed to have anti-tampering technology, but according to the researchers its protections were quite weak.
Bitfi Hacked Again
Another group of researchers has hacked the wallet, it was announced this week. This time they were also able to extract the cryptocurrency private keys. In the cryptocurrency world, whoever has access to the wallet's private keys has access to the cryptocurrency coins.
This hack was possible because the keys were kept in RAM longer than Bitfi claimed, which allowed the researchers to apply their exploits without the RAM being reset. Then, it was just a matter of extracting the keys from memory.
Following this second hack, in addition to removing the unhackable claim from its website, Bitfi also closed the $250,000 bug bounty. It's not clear whether or Bitfi will pay the bounty for this latest bug discovery.
Last month, Bitfi won the Pwnie Award for Lamest Vendor Response, an award Black Hat conference organizers give to companies deemed to show the poorest response to security issues.