‘Unhackable’ Wallet Reportedly Breached, Hackers Claim to Meet Bounty Conditions
A group of researchers claims to have have hacked the Bitfi wallet, the Next Web reported August 12.
Bitfi's executive chairman, cybersecurity pioneer John McAfee, has called it “the world’s first unhackable device.” To prove his claim, McAfee challenged security experts to breach the device for a $100,000 bounty starting July 24.
Bitfi is a physical device, or hardware wallet, which supports “an unlimited amount of cryptocurrencies,” and revolves around a user-generated secret phrase instead of a conventional 24-word mnemonic seed that has to be written down. Additionally, Bitfi is purported to be “completely open-source,” meaning that the user stays in control of their funds “even if the manufacturer of the wallet no longer exists.”
Though several attempts to hack the wallet have been made since then, none of them met the bounty’s terms and the wallet has ostensibly not been fully breached until today. The researchers claimed they could successfully send signed transactions with the wallet, claiming they met the conditions of the bounty program by modifying the device, connecting to the wallet’s server, and transmitting sensitive data with it. Security researcher Andrew Tierney said:
“We have sent the seed and phrase from the device to another server, it just gets sent using netcat, nothing fancy. We believe all [conditions] have been met.”
The researchers reportedly obtained complete access to the device two weeks ago, after which they have been closely tracking it, including the data being sent out of the wallet. They claim to that the device is still connected to the Bitfi server. Tierney told the Next Web:
“We intercepted the communications between the wallet and [Bitfi]. This has allowed us to display silly messages on the screen. The interception really isn’t the big part of it, it’s just to demonstrate that it is connected to the dashboard and still works despite significant modification.”
Earlier this month, Bitfi CEO Daniel Keshin wrote to Cointelegraph regarding the alleged hack by fifteen-year-old Saleem Rashid. Khesin said:
“As of now, we have no evidence that our device can be hacked and if someone succeeds in doing so then we will immediately put out a fix to all devices to address the vulnerability that was discovered and it will be unhackable once again.”