John McAfee’s Bitfi wallet hacked, again
Will Bitfi cough up the cash and pay hackers their earned bounty or use an excuse to avoid remuneration?
Notorious cryptocurrency supporter and social media influencer John McAfee issued a US$100,000 bounty in late July for any person who could hack his Bitfi digital wallet. So, hackers went to work on cracking the device.
Soon after McAfee's challenge was issued, the bounty was raised to US$250,000. A separate bounty was also created to help Bitfi "identify potential security vulnerabilities" in the firmware encryption of the device.
This new bounty offers up a US$10,000 reward to those in the digital asset community.
Andrew Tierney, a security consultant for Pen Test Partners, took to Twitter this week to proclaim that he successfully made a transaction using the Bitfi digital wallet, supposedly fulfilling the US$10,000 bounty.
Well, that's a transaction made with a MitMed Bitfi, with the phrase and seed being sent to a remote machine.
That sounds a lot like Bounty 2 to me. pic.twitter.com/qBOVQ1z6P2
— Ask Cybergibbons! (@cybergibbons) August 13, 2018
Bitfi's bounty states that the firmware of the Bitfi device must be modified, the device must connect to the Bitfi Dashboard and should be able to transmit either private keys or the user's secret phrase to a third party.
In a recent interview, Tierney told The Next Web that his hack meets all of Bitfi's bounty requirements.
"We have sent the seed and phrase from the device to another server, it just gets sent using netcat, nothing fancy," Tierney revealed. "We believe all [conditions] have been met."
A 15-year-old security researcher, Saleem Rashid, was credited with running the old-school computer game DOOM on the Bitfi device, but McAfee claimed that the teen didn't remove any coins, so the hack was unsuccessful.
A video played on your Bitfi wallet has nothing to do with the safety of your funds. This is amateur hour, not a hack! Any device with a computer and screen can be used to play games. I should start watching my YouTube videos on Bitfi wallet. Go to https://t.co/ATFaxwUzQC !
— John McAfee (@officialmcafee) August 12, 2018
Below, you can see footage of the teenager playing the popular 90s first-person shooter on Bitfi's digital wallet.
In recognition of @Bitfi6 and @officialmcafee and their prestigious @PwnieAwards accolades, we'd like to show you @spudowiar playing DooM on his #BitFi secure wallet! Congratulations! pic.twitter.com/50qZZu1MnF
— Abe Snowman (@AbeSnowman) August 9, 2018
Earlier this month, hackers intent on claiming the US$250,000 prize identified security flaws on the device:
- A lack of tamper protection, letting people install malware before sale and otherwise manipulate it freely without leaving tracks.
- The ability to install bugs that "listen" to the connection between the touchscreen and chip, to relay the password.
- The ability to reprogram the device with root access.
- The ability to access a user's Bitfi dashboard account from a tampered-with device.
On top of that, the device was found to have various tracking apps phoning home to different web services, such as Baidu, so users would also need to trust the security of a range of third-party data collectors. It also means that the wallet is Internet-connected, which is exactly what a hardware wallet should not be.