Bounty Hunt Gone Wrong: ‘Unhackable’ Wallet Bitfi Denies It Has Been Hacked
In July, cryptocurrency hardware wallet manufacturer Bitfi’s executive chairman, John McAfee, claimed that Bitfi was “the world’s first unhackable device,” urging security experts to breach its security for a $100,000 bounty.
Since then, a number of reports emerged that suggested Bitfi is not, in fact, “unhackable,” only to be dismissed by the wallet service as well as McAfee himself, steadily making the bounty hunt seem like a tasteless PR stunt.
What is Bitfi?
Essentially, Bitfi is a physical device — or a ‘hardware’ wallet — supporting “an unlimited amount of cryptocurrencies” that costs $120, as per its website. Although no actual contact details (apart from email addresses) are listed there, the company is registered in London, according to Companies House data. Bitfi’s CEO is 38-year-old American entrepreneur Daniel Khesin.
The project first surfaced in July, when the infamous investor John McAfee — who once promised to “eat [his] own dick on national television” if Bitcoin’s price doesn’t reach $500,000 by 2020 — premiered the crypto wallet on his Twitter. He called Bitfi “a Colt 45 of the crypto world” and “the world’s first unhackable device.” To prove his point, McAfee announced a bounty hunt: $100,000 would go to the first person to hack the new device. “Money talks, bullshit walks,” he taunted the skeptics and later raised the bet up to $250,000.
Notably, unlike the majority of other hardware wallets, Bitfi doesn’t put such a strong emphasis on private keys, according to its website:
“The Bitfi hardware wallet solves this security problem once and for all in the most elegant way possible — the private keys are simply not stored anywhere, ever. This is another layer of security that goes beyond keeping the private key outside the computer environment or from devices with internet access. So even if your Bitfi hardware wallet is seized or stolen, there is nothing that anyone can do to extract the private keys because they are not on the device in the first place.”
Its security system instead revolves around a user-generated secret phrase — one that can supposedly be memorized — rather than a conventional 24-word mnemonic seed that has to be written down, which allegedly contributes to the safety of the stored assets. That way, the Bitfi team argues, private keys are not held on the device at all:
“On the Bitfi wallet, your private key is calculated using our algorithm every time you type in your secret phrase. Once a transaction is approved, the private key is not stored anywhere in local memory. The private key does not exist on the device until you type in your secret phrase again. Therefore, if your device is stolen or seized, there is no way to gain access to the private key because it is not on the device and your funds always remain safe and there is absolutely no reason for alarm or concern if your device is lost or stolen.”
Finally, Bitfi argues that their product is “completely open-source,” meaning that the user allegedly stays in control of their funds in any scenario, as long as they remember the aforementioned secret phrase. The wallet also doesn’t have room for “human error,” the creators claim, because it’s strictly updated automatically via WiFi and the user doesn’t get to download any software manually.
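To make the design claim above concrete, here is an added illustration (not Bitfi’s code; the article does not describe their actual algorithm) of what “the private key is calculated from the secret phrase every time” means in practice: a deterministic key-derivation function recomputes the key on demand, the key is wiped after use, and the derived key can never be stronger than the phrase it comes from. The scrypt parameters, the salt and the HMAC-based signing stand-in are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import math

# Assumed KDF parameters for illustration only; they are not Bitfi's.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_LEN = 32  # 256-bit key material


def derive_key(secret_phrase: str, salt: str) -> bytes:
    """Recompute the private key from the phrase; nothing is persisted.

    The same phrase and salt always yield the same key, which is what lets a
    wallet avoid storing the key at all: the phrase is the only secret.
    """
    return hashlib.scrypt(
        secret_phrase.encode("utf-8"), salt=salt.encode("utf-8"),
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN,
    )


def sign_then_forget(secret_phrase: str, salt: str, message: bytes) -> bytes:
    """Derive the key, use it once, then zeroize the buffer that held it.

    HMAC-SHA256 stands in for a real transaction signature (an assumption);
    the point is the key's lifetime, not the signature scheme.
    """
    key = bytearray(derive_key(secret_phrase, salt))
    try:
        return hmac.new(bytes(key), message, hashlib.sha256).digest()
    finally:
        for i in range(len(key)):  # best-effort wipe of the transient key
            key[i] = 0


def phrase_entropy_upper_bound(secret_phrase: str, alphabet_size: int) -> float:
    """Upper bound (in bits) on the entropy a user-chosen phrase can carry.

    A KDF cannot add entropy: a 256-bit output derived from a phrase that is
    worth 60 bits is a 60-bit secret. This bound assumes every character is
    chosen uniformly from an alphabet of the given size, so real phrases made
    of dictionary words carry considerably less.
    """
    return len(secret_phrase) * math.log2(alphabet_size)


if __name__ == "__main__":
    key_a = derive_key("correct horse battery staple", "bitfi-demo-salt")
    print("derived key:", key_a.hex())
    print("entropy bound:", phrase_entropy_upper_bound("correct horse battery staple", 27))
```

A 24-word mnemonic, by contrast, carries a fixed 256 bits of randomly generated entropy regardless of how memorable its words look.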
Bounty hunt quickly went wrong
Bitfi’s website elaborates on the bounty program, listing a number of “rules”: essentially, those who wish to participate have to purchase a Bitfi wallet that is preloaded with coins for an additional $10 (the wallet itself costs $120, as mentioned above).
The ultimate goal for the participant is to successfully extract the coins and empty the wallet, while the company allegedly grants “anyone who participates in this bounty permission to use all possible attack vectors, including our servers, nodes and our infrastructure.”
“The above is what we consider a successful hack,” the Bitfi website reads, “Nothing else will qualify.”
McAfee announced the hunt on July 24. Within a week, hacking reports started to emerge. On Aug. 1, Netherlands-based crypto personality OverSoft tweeted (referencing other users, namely Saleem Rashid, the alleged fifteen-year-old who revealed a security vulnerability in fellow hardware wallet Ledger in 2017, and Andrew Tierney, a security consultant at the firm Pen Test Partners): “We have root access, a patched firmware and can confirm the BitFi wallet still connect happily to the dashboard.” OverSoft later posted BitFi ROM directory listings.
Bitfi did not respond to OverSoft’s original tweet directly. Nevertheless, the wallet soon announced a second bounty hunt — this time with a much more modest $10,000 reward — altering the rules and proceeding to claim that all reported security breaches did not meet the bounty’s conditions and, therefore, the device has not been hacked: “Rooting [i.e., getting administrative access to] the device does not mean it has been hacked,” the Bitfi team argued.
Soon, BitFi wrote on Twitter that the person handling their account was “dismissed because of many cocky [and] insulting remarks to smart researchers,” but continued to reinforce the idea that their service has not been “hacked.” “Your bounty only covers a single attack vector and excludes backdooring the device,” Tierney replied.
“Cheap, stripped down Android phone”
Pen Test Partners, which posted a blog series regarding the hacking of Bitfi, claimed that, hardware-wise, “the Bitfi is a stripped down Mediatek MT6580 [...] It’s an Android phone, minus some components.” “Someone will probably have Doom running on it by Friday,” commented Ryan Castellucci, a self-proclaimed “software engineer and hardware hacker,” calling the device “a cheap, stripped down Android phone.” Subsequently, in a later episode of their “hacking Bitfi” series, Pen Test Partners posted a video allegedly proving that the Bitfi device does have storage: in it, the wallet displays an uploaded video of John McAfee. The Bitfi website, in turn, continues to refer to its wallet as “the most sophisticated instrument on the world.”
Bitfi dismissed Saleem Rashid’s claims, citing his decision not to claim the bounty. In response, Rashid retweeted cryptocurrency and cybersecurity researcher Alan Woodward, who had also discussed the hack with Bitfi in the same Twitter thread.
“It’s not speculation based on what I’m looking at,” Woodward had written, continuing:
“And we don’t want your money. Give it to charity. We are concerned that others will entrust their money to something that is not secure in the way [it appears] to suggest.”
“Army of trolls”: Bitfi’s response to the criticism
Despite reportedly firing their social media employee, Bitfi continues to disown — and even threaten — their critics via social media: for instance, the wallet team asked Woodward if they could “alter [a] photograph of [his] face with something humiliating added,” in response to his concern about a Bitfi affiliate allegedly spreading hate speech while defending the wallet.
On Aug. 1, an official Bitfi spokesperson went even further and told Hard Fork that the recent criticism of the wallet’s security on Twitter was, in fact, the product of an “army of trolls” hired by hardware wallet competitors Trezor and Ledger — Trezor’s founder and CEO has since denied the accusation. The spokesperson for Bitfi stated:
“Please understand that the Bitfi wallet is a major threat to Ledger and Trezor because it renders their technology obsolete [...] So they hired an army of trolls to try to ruin our reputation (which is OK because the truth always prevails).”
Meanwhile, Bitfi’s CEO Daniel Khesin continued to hold a skeptical position toward Rashid, challenging him to accept the money if he had, in fact, compromised the device, which added to the overall immature approach his firm took in handling criticism:
“The person claiming to have cracked the bounty has not come forward to prove it and has tweeted five min ago that he will not be pursuing the bounty because it’s not worth his time,” he told Cointelegraph.
“Yet, he tweeted to the whole world this morning that he hacked into our wallet. I think it’s a disgrace for any human being to do such a thing, but I will leave [it] to you to judge.”