Bitfi rescinds bounty, unhackable claim as wallet hacked yet again
This one seems to have done it. Bitfi might be down for the count.
It was the brick that broke the camel's back. The John McAfee-backed Bitfi wallet has been claiming it's "unhackable" for a while, but it's quickly been hacked in several different ways several different times, all while Bitfi refuses to pay out the bounty it has promised to anyone who can get the coins from a wallet, on various technicalities.
This might be the last one. Someone broke into the wallet in a new way, causing Bitfi to withdraw its claims of being "unhackable," along with "the current bounty programs which have caused understandable anger and frustration among researchers".
on a completely unrelated note, here is a @Bitfi6 being cold boot attacked.
it turns out that rooting the device does not wipe RAM clean. who would have thought it!?
— Saleem "Unhackable" Rashid (@spudowiar) August 30, 2018
This attack hinges on several of Bitfi's claims being inaccurate.
Theoretically, or so Bitfi says, an attack of the kind that would lead to a bounty payout was impossible because it would require accessing the device's keys. However, the keys are supposedly generated for a single use for a brief time before disappearing. The idea is that no one can ever get at the keys before they disappear.
But that's exactly what happened: Saleem Rashid says the key material actually persists in the device's RAM longer than claimed, leaving enough time to run the required exploits and grab the keys.
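The cold boot finding above comes down to key material outliving its use in RAM. As an added example, not Bitfi's code or anything from the page, here is the basic firmware hygiene that narrows that window: wipe the key buffer through a volatile pointer so the compiler cannot drop the store as dead, then verify the wipe. The passphrase-to-key step is a constructed toy stand-in, not a real KDF, and the "leftover" copy stands in for what a memory dump would still show.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Wipe through a volatile pointer: a plain memset() right before a buffer
 * goes out of scope is a dead store the compiler may legally remove. */
static void secure_wipe(void *buf, size_t len) {
    volatile uint8_t *p = (volatile uint8_t *)buf;
    while (len--) *p++ = 0;
}

/* Returns 1 if every byte of buf is zero (branch-free over the data). */
int is_wiped(const uint8_t *buf, size_t len) {
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++) acc |= buf[i];
    return acc == 0;
}

/* Toy stand-in for a KDF (FNV-style mixing, NOT real), constructed so the example runs offline. */
static void toy_derive_key(const char *phrase, uint8_t key[32]) {
    size_t n = strlen(phrase);
    if (n == 0) n = 1;                       /* phrase[0] is then '\0' */
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < 32; i++) {
        h ^= (uint8_t)phrase[i % n];
        h *= 16777619u;
        key[i] = (uint8_t)(h >> 24);
    }
}

/* Models "derive key, use it once, discard it". key_out receives what is left in the
 * buffer afterwards (what a memory dump would see). Returns 1 if no key byte survives. */
int sign_and_discard(const char *phrase, int wipe, uint8_t key_out[32]) {
    uint8_t key[32];
    toy_derive_key(phrase, key);
    /* ... the key would sign a transaction here ... */
    if (wipe) secure_wipe(key, sizeof key);
    memcpy(key_out, key, sizeof key);
    return is_wiped(key_out, sizeof key);
}

int main(void) {
    uint8_t leftover[32];
    printf("wiped: %d  not wiped: %d\n",
           sign_and_discard("correct horse battery staple", 1, leftover),
           sign_and_discard("correct horse battery staple", 0, leftover));
    return 0;
}
```

Wiping promptly after use only shortens the exposure; a key that is in use when the device is reset still depends on the hardware and boot code clearing RAM.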
It's not clear whether or not Bitfi will be paying out the $250,000 bounty this time, or whether it will be looking for another way of dodging it. Bitfi says it has hired a security manager to verify the details of the attack. One can't help but wonder who was involved in the debacle before Bitfi hired the new security manager.
"As part of our ongoing efforts to protect our customers, we have hired an experienced security manager, who is confirming vulnerabilities that have been identified by researchers," Bitfi said in a statement. "Next week, we will make [a] comprehensiveness public announcement acknowledging and addressing these issues that have been identified."
"Effective immediately, we are closing the current bounty programs which have caused understandable anger and frustration among researchers.
"Effective immediately, we will be removing the "Unhackable" claim from our branding which has caused a significant amount of controversy. While our intention has always been to unite the community and accelerate the adoption of digital assets worldwide, we realize that some of our actions have been counterproductive to that goal."
To give credit where it's due, Bitfi certainly has united the community in mutual disbelief at the state of its wallets and John McAfee's intemperate PR skills. And who could forget that time someone played Doom on a crypto wallet. You don't see that every day.
Bitfi seems to be looking at the future, but it's not clear whether it will ever be able to recover from a complete shattering of confidence in its products. Plus, many of the discovered vulnerabilities – and there are a heck of a lot of them – are permanently baked into the wallet hardware.
"As far as I can tell, there's no way to address the security issues with [Bitfi's] wallets without doing a product recall, throwing them in an industrial shredder and starting from scratch," said one security researcher.
It's a good thing there are plenty of other hardware wallets out there which have actually proven themselves, and felt the heat of intense security research without bursting into flames.
Disclosure: At the time of writing the author holds ETH, IOTA, ICX, VET, XLM, BTC, ADA