
Bitfi rescinds bounty, unhackable claim as wallet hacked yet again

Posted: 31 August 2018 6:25 pm
News

This one seems to have done it. Bitfi might be down for the count.

It was the brick that broke the camel's back. The John McAfee-backed Bitfi wallet has been claiming it's "unhackable" for a while, but it's quickly been hacked in several different ways several different times, all while Bitfi refuses to pay out the bounty it has promised to anyone who can get the coins from a wallet, on various technicalities.

This might be the last one. Someone broke into the wallet in a new way, causing Bitfi to withdraw its claims of being "unhackable," along with "the current bounty programs which have caused understandable anger and frustration among researchers".

This attack hinges on several of Bitfi's claims being inaccurate.

Theoretically, or so Bitfi says, an attack of the kind that would lead to a bounty payout was impossible because it would require accessing the device's keys. However, the keys are supposedly generated for a single use for a brief time before disappearing. The idea is that no one can ever get at the keys before they disappear.

But that's exactly what happened, with Saleem Rashid saying it actually persists longer than claimed, giving enough time to run the required exploits and grab the keys.
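The design the article describes, a key that exists only for the brief window in which it is used and must be gone from memory afterwards, only holds if the wipe actually happens and cannot be optimized away. The following C program is an added illustration of that principle and is not Bitfi's code, Saleem Rashid's code, or a reconstruction of the device; the key bytes, the struct layout and the "use" step are constructed placeholders. It contrasts a naive destroy that merely marks the key as dead (the key bytes linger exactly as the article says they did) with a wipe through a volatile pointer, and checks for residue afterwards.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define KEY_LEN 32

/* Constructed stand-in for a single-use key; not a real secret. */
typedef struct {
    uint8_t key[KEY_LEN];
    int live;
} ephemeral_key_t;

/* Wipe through a volatile pointer so the compiler cannot treat the stores
 * as dead and drop them, which a plain memset() before scope exit may be. */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Returns 1 if every byte of the buffer is zero; accumulates with OR so the
 * loop does not exit early on the first non-zero byte. */
int buffer_is_zero(const uint8_t *p, size_t n) {
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= p[i];
    }
    return acc == 0;
}

/* Constructed derivation: deterministic filler bytes, labelled as such. */
void ephemeral_key_derive(ephemeral_key_t *k) {
    for (size_t i = 0; i < KEY_LEN; i++) {
        k->key[i] = (uint8_t)(0xA5 ^ (i * 7)); /* placeholder, not a real key */
    }
    k->live = 1;
}

/* Toy "use" of the key (XOR over a buffer) standing in for a signing step. */
void ephemeral_key_use(const ephemeral_key_t *k, uint8_t *buf, size_t n) {
    for (size_t i = 0; i < n; i++) {
        buf[i] ^= k->key[i % KEY_LEN];
    }
}

/* Naive teardown: flips the flag, leaves the key bytes in memory. */
void ephemeral_key_naive_destroy(ephemeral_key_t *k) {
    k->live = 0;
}

/* Correct teardown: the key material is overwritten before the flag flips. */
void ephemeral_key_destroy(ephemeral_key_t *k) {
    secure_zero(k->key, KEY_LEN);
    k->live = 0;
}

/* Runs derive -> use -> naive destroy; returns 1 if the key still lingers. */
int key_lingers_after_naive_destroy(void) {
    ephemeral_key_t k;
    uint8_t msg[8] = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed payload */
    ephemeral_key_derive(&k);
    ephemeral_key_use(&k, msg, sizeof msg);
    ephemeral_key_naive_destroy(&k);
    return !buffer_is_zero(k.key, KEY_LEN);
}

/* Runs derive -> use -> secure destroy; returns 1 if no residue remains. */
int key_wiped_after_secure_destroy(void) {
    ephemeral_key_t k;
    uint8_t msg[8] = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed payload */
    ephemeral_key_derive(&k);
    ephemeral_key_use(&k, msg, sizeof msg);
    ephemeral_key_destroy(&k);
    return buffer_is_zero(k.key, KEY_LEN) && k.live == 0;
}

int main(void) {
    printf("naive destroy leaves key in memory: %s\n",
           key_lingers_after_naive_destroy() ? "yes" : "no");
    printf("secure destroy leaves no residue:   %s\n",
           key_wiped_after_secure_destroy() ? "yes" : "no");
    return 0;
}
```

The residue check here only covers the one struct the code controls; on a real device the same question has to be asked of every copy the key passed through (stack temporaries, I/O buffers, swap, and anything a debugger or DMA-capable peripheral can read), which is why a "the key disappears" claim needs evidence rather than assertion.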



It's not clear whether or not Bitfi will be paying out the $250,000 bounty this time, or whether it will be looking for another way of dodging it. Bitfi says it has hired a security manager to verify the details of the attack. One can't help but wonder who was involved in the debacle before Bitfi hired the new security manager.

"As part of our ongoing efforts to protect our customers, we have hired an experienced security manager, who is confirming vulnerabilities that have been identified by researchers," Bitfi said in a statement. "Next week, we will make [a] comprehensiveness public announcement acknowledging and addressing these issues that have been identified."

"Effective immediately, we are closing the current bounty programs which have caused understandable anger and frustration among researchers.

"Effective immediately, we will be removing the "Unhackable" claim from our branding which has caused a significant amount of controversy. While our intention has always been to unite the community and accelerate the adoption of digital assets worldwide, we realize that some of our actions have been counterproductive to that goal."

To give credit where it's due, Bitfi certainly has united the community in mutual disbelief at the state of its wallets and John McAfee's intemperate PR skills. And who could forget that time someone played Doom on a crypto wallet. You don't see that every day.


Bitfi seems to be looking at the future, but it's not clear whether it will ever be able to recover from a complete shattering of confidence in its products. Plus, many of the discovered vulnerabilities – and there are a heck of a lot of them – are permanently baked into the wallet hardware.

"As far as I can tell, there's no way to address the security issues with [Bitfi's] wallets without doing a product recall, throwing them in an industrial shredder and starting from scratch," said one security researcher.

It's a good thing there are plenty of other hardware wallets out there which have actually proven themselves, and felt the heat of intense security research without bursting into flames.


Disclosure: At the time of writing the author holds ETH, IOTA, ICX, VET, XLM, BTC, ADA

Disclaimer: This information should not be interpreted as an endorsement of cryptocurrency or any specific provider, service or offering. It is not a recommendation to trade. Cryptocurrencies are speculative, complex and involve significant risks – they are highly volatile and sensitive to secondary activity. Performance is unpredictable and past performance is no guarantee of future performance. Consider your own circumstances, and obtain your own advice, before relying on this information. You should also verify the nature of any product or service (including its legal status and relevant regulatory requirements) and consult the relevant Regulators' websites before making any decision. Finder, or the author, may have holdings in the cryptocurrencies discussed.


Picture: Shutterstock
