Naked Security

‘Unhackable’ Bitfi hardware rooted within a week

Getting root access and patching firmware doesn't count as successful hacking, apparently.

Whaddya mean there’s no such thing as an unhackable device? John McAfee sputtered last week. I got a $100K bounty for anybody who can hack my spiffy, new, unbreakable breakthrough, the wowee-wow world’s first and only completely unhackable, most advanced digital thingie ever, cryptocurrency wallet!


Then, hardware maker Bitfi upped the ante with its own offer of a 250K bounty.
It allegedly took a week. Whether BS walked or pulled up a chair to discuss that $100K… or $250K… is debatable, though, as McAfee is happy to explain.

Press are indeed claiming that the Bitfi wallet has been hacked. It was released the week prior to the hack/not-a-hack with great fanfare and greeted with great guffaws, as well as by people who decided to give the breakage a go.
As CNet reported on Friday, a “self-described IT geek in the Netherlands” who goes by the Twitter handle @OverSoftNL tweeted on Wednesday that they’d gained root access to the crypto-wallet. @OverSoftNL went on to say they had help from @cybergibbons, also known as Andrew Tierney, a security consultant at Pen Test Partners, and from Graham Sutherland (@gsuberland)… all three of whom got royally peeved at what Sutherland called a “clueless and misleading attitude to security.”
The wallet comes from antivirus software pioneer, former Belize man-about-town/government spy/fugitive, current US fugitive McAfee, together with hardware crypto-wallet maker Bitfi. McAfee (the man, not the brand owned by Intel Security) and Bitfi had claimed that the thing had “absolute” security.
Ah. Well. For its part, OverSoftNL claims Bitfi’s cryptography implementation is “terribad.”

For one thing, the “most sophisticated instrument in the world” turns out to be nothing more than a cheap touchscreen Android phone that’s been gutted – particularly, stripped of its cellular connectivity innards. What it has in their place is a touchscreen that uses a protocol that’s easily intercepted. As Pen Test Partners wrote in Part 1 of its Hacking the Bitfi series:

All you need is a logic analyser to capture the finger movements on the screen and therefore the wallet passphrase as it is entered on to the screen.

https://twitter.com/cybergibbons/status/1023667374153773057
The upshot, according to Tierney:
https://twitter.com/cybergibbons/status/1023680079178727424
A lack of anti-tamper measures means that the back of the Bitfi can be popped off, the hardware reprogrammed or bugged, the case closed up again, and the handheld handed to a victim. Whatever passphrase they then type in can be captured and sent to an attacker via whatever backdoor they’ve built into it.
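The attack path described above, reprogramming the firmware and handing the device back, is exactly what a boot-time integrity check is meant to catch: before the wallet UI ever asks for a passphrase, every firmware component is hashed and compared against reference values fixed at manufacture. The following is an added illustration written for this article, not code from Bitfi, Pen Test Partners or OverSoftNL; the firmware image, the component names and the idea of a pinned manifest are constructed assumptions that stand in for the bootloader, kernel and wallet-app partitions a real device would read back from flash.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample "firmware image": component name -> raw bytes.
# On real hardware these would be the partitions read back from flash.
GENUINE_IMAGE: Dict[str, bytes] = {
    "bootloader": b"bootloader-v1 (constructed sample)",
    "kernel": b"android-kernel (constructed sample)",
    "wallet_app": b"wallet-ui (constructed sample)",
}


def build_manifest(image: Dict[str, bytes]) -> Dict[str, str]:
    """Compute the SHA-256 digest of every component.

    The result plays the role of the reference values that a real design
    would burn into one-time-programmable memory (or sign with a key held
    in boot ROM) at manufacture, so reprogramming flash later cannot also
    rewrite the reference.
    """
    return {name: hashlib.sha256(blob).hexdigest() for name, blob in image.items()}


# Assumption: this is what the factory pinned; it never changes afterwards.
PINNED_MANIFEST: Dict[str, str] = build_manifest(GENUINE_IMAGE)


def verify_firmware(image: Dict[str, bytes],
                    manifest: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (ok, problems).

    ok is True only when every pinned component is present and unchanged
    and no component exists that the manifest does not know about.
    """
    problems: List[str] = []
    for name, expected in manifest.items():
        blob = image.get(name)
        if blob is None:
            problems.append(f"missing:{name}")
            continue
        actual = hashlib.sha256(blob).hexdigest()
        # Constant-time comparison of the hex digests.
        if not hmac.compare_digest(actual, expected):
            problems.append(f"modified:{name}")
    for name in image:
        if name not in manifest:
            problems.append(f"unexpected:{name}")
    return (not problems, problems)


def unlock_allowed(image: Dict[str, bytes],
                   manifest: Dict[str, str] = PINNED_MANIFEST) -> bool:
    """Gate the passphrase prompt on a clean integrity check."""
    ok, _ = verify_firmware(image, manifest)
    return ok


def tampered_image(image: Dict[str, bytes]) -> Dict[str, bytes]:
    """Model the scenario the article describes: the wallet app has been
    replaced with a modified build. The appended bytes are arbitrary and
    constructed purely so the digest no longer matches."""
    altered = dict(image)
    altered["wallet_app"] = image["wallet_app"] + b" (modified build)"
    return altered


if __name__ == "__main__":
    print("genuine device unlock allowed:", unlock_allowed(GENUINE_IMAGE))
    ok, problems = verify_firmware(tampered_image(GENUINE_IMAGE), PINNED_MANIFEST)
    print("tampered device unlock allowed:", ok, problems)
```

Two caveats worth keeping in mind. First, the check is only as strong as the anchor: if the reference digests live in the same rewritable flash as the firmware, an attacker who can reprogram one can reprogram both, which is why the lead-in assumes OTP memory or a ROM-held key. Second, it only closes the software path. A hardware tap on the touchscreen bus of the kind the logic-analyser capture above relies on leaves every digest intact, so integrity checking complements, rather than replaces, a tamper-evident enclosure.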
What gall, Tierney said:
https://twitter.com/cybergibbons/status/1023668310393716736
…he also shared a link to a roughly USD $35 phone using that same chipset.
Regarding those bounties: Bitfi and McAfee apparently don’t count gaining root access and patching the firmware as successful “hacking.”
Rather, Bitfi’s bounty program defines a legitimate hack as one in which the hacker receives a Bitfi phone preloaded with $50 in crypto-coins, secured by an unknown passphrase, and gets the coins off the device.


The terms highlight what critics say is the device’s one genuine security feature: it doesn’t store the key needed to access the crypto-currency on the device itself.
But as Tierney put it, that means that the challenge only covers one specific method of theft: getting at the coins on a stolen device. That’s pretty narrow for something to be called “unhackable,” though.
In fact, Tierney says, the bounty is a sham:

The bounty deliberately includes only one attack: key recovery from a genuine, unaltered device. And the device doesn’t store the key.
The only way to win the bounty is to recover a key from a device which doesn’t store a key.

The most obvious way to hack the device, he said:

Modifying the device so that it records and sends the key to a malicious third party. But this is excluded from the bounty. Why is this? Because the bounty is a sham.

But there are “many, many more attacks such a device is vulnerable to,” Tierney said.
On Friday, OverSoftNL echoed Tierney, dismissing the bounty as a “sham” and adding that the ability to gain root access does in fact mean that the wallet isn’t secure. Bitfi doesn’t “even have $250k free on hand at this moment,” they claimed.
Bitfi, which hadn’t responded to CNet’s request for comment as of Friday, also offered a second, $10,000 bounty with a plea for help. The tweet from CEO Daniel Khesin:

Dear friends, we’re announcing a second bounty to help us assist potential security weaknesses of the Bitfi device. We would greatly appreciate assistance from the infosec community, we need help.

OverSoftNL called it chump change. Get real, they said, instead of trying to weasel out of paying for a real penetration test:


John McAfee has since appeared in a promoted video (an advertisement) on Twitter explaining that his role is to drum up publicity for the Bitfi device and that there is no easier way to do that than with the instant controversy calling something “unhackable” creates.
So, is he right, and will you be rushing out to buy a Bitfi device to store your cryptocoins?


Image courtesy of bitfi.com

8 Comments

They forgot a fundamental rule of information security: don’t crow about your security unless you’re 100% ready for the best and brightest in the industry to hammer on it mercilessly.

“there is no easier way to do that than with the instant controversy calling something “unhackable” creates”
This is a very sad attempt at covering up a very big mistake. Would have been better if he just admitted he made a mistake, and moved on.
The logic he is using is no publicity is bad publicity, and if history proves anything, it is that this notion cannot be used in the world of IT security. What is this guy doing in the position he is in?

What position? He resigned from McAfee (the company) in 1994, and has since been doing ever more crazy publicity stunts. He’s not a security professional, he’s just a name that the public associate with computer security.

Sorta – but they don’t want to PAY for the review, so they are just making wild claims in the hope they will get the security review for free. Didn’t work out that way though….

Did they get the coins?
Someone could hold a gun to your head and get the coins that way.
It would be unfair to say a device is hackable in those circumstances.
If someone produces an unhackable device and I get the LCD out and play Doom on it,
have I hacked the device?
The key question is did they get the coins.
Perhaps, I’m agreeing with you, no device or technology is unhackable then,
the word unhackable perhaps shouldn’t exist.

As the pentesters note, the bounty was effectively offered for recovering data (the key) from the device that wasn’t stored on the device in the first place, which is a bit of a pointless test. Kind of like sending a safety inspector into a house that turns out to be awash in dangerous electrical faults but saying that the final report proves nothing about the overall safety of the property because there were no problems with the gas supply, given that the house wasn’t connected up for gas at all.
In real life, a so-called secure device that can trivially be rooted could almost certainly be reprogrammed to attack the user once it’s in active use, and doesn’t sound like a “secure device” worth relying on, in the same way that you wouldn’t want to live in a house that would very likely electrocute you one day, even if you knew it would never blow up due to a gas leak.
