In spite of bullish promotion, the so-called ‘unhackable’ Bitfi cryptocurrency wallet has seen a new, more serious hack
The Bitfi cryptocurrency wallet, vocally promoted by security industry veteran John McAfee as being ‘unhackable’, has seen another claimed hack.
In a perhaps predictable series of events, given the US$ 100,000 (£78,391) bug bounty prize offered for compromising the Android-based wallet claimed to be impregnable, researcher Andrew Tierney, a security consultant at Pen Test Partners, posted a series of tweets claiming to have compromised the device’s security.
"Well, that's a transaction made with a MitMed Bitfi, with the phrase and seed being sent to a remote machine. That sounds a lot like Bounty 2 to me. pic.twitter.com/qBOVQ1z6P2"
— Ask Cybergibbons! (@cybergibbons) August 13, 2018
Bitfi had laid out three criteria for claiming the reward: researchers had to prove they could modify the device, subsequently connect to the Bitfi server, and finally send sensitive data from the device.
"We have sent the seed and phrase from the device to another server — it just gets sent using netcat, nothing fancy," said Tierney. "We believe all [conditions] have been met."
Researchers had claimed root access to the device some weeks earlier. Information security expert @OverSoft claimed root access, and posted the wallet’s ROM directory listings, back on 1 August, but it took considerably longer for more serious claims of compromise to emerge. Initial reports of root were brushed aside by Bitfi, in spite of researchers insisting that such a compromise exposed users to man-in-the-middle attacks. Such an attack would in theory require planting a rooted device (by intercepting a shipment, or by modifying a device and reselling it) or obtaining physical access to a victim’s hardware.
The company subsequently won a ‘Pwnies’ award for ‘Lamest Vendor Response’ at Black Hat.
Ed Williams, director EMEA, SpiderLabs at Trustwave, told SC Media that the whole incident has not done the wider security community any favours: "In my opinion, this whole episode has been a publicity stunt and really shows the security community in a negative light. We should know better. Security in all its forms is hard and when we start bickering between ourselves no one wins, least of all the security community. Hopefully, with this final outcome, we can move forward and start to help each other rather than engage in pointless back and forth."
Joseph Carson, Chief Security Scientist at Thycotic, echoed the sentiment, telling SC Media:
"Cyber-security is only as good as the humans protecting and configuring it; if they are easily tricked then nothing is ‘unhackable’."
In other bug bounty news, the US Department of Defense (DoD) has announced its sixth bug bounty program, Hack the Marine Corps, in association with HackerOne.
The challenge focuses on the Marine Corps’ public-facing websites and services, and kicked off on 12 August with an event in Las Vegas, coinciding with Black Hat. Hackers filed 75 unique, valid security vulnerability reports during the event alone, earning more than US$ 80,000 (£62,792) in bounties in the process. The program will finish on 26 August 2018.