John McAfee’s “unhackable” crypto wallet was cracked easily
McAfee endorsements are great at grabbing attention, but may be a poor way of instilling confidence.
John McAfee made waves in the cryptocurrency world, as he is wont to do, with a tweet saying "my Bitfi wallet is truly the world's first unhackable device, a $100,000 bounty goes to anyone who can hack it. Money talks, bullshit walks."
All McAfee's talk notwithstanding, anyone who relies on the wallet might find their money walking right out of it, as security researchers have discovered.
Hand over the keys
In cryptocurrency, possession of private keys is used to indicate ownership of cryptocurrency. The crypto itself is purely digital, and both everywhere and nowhere all at once, so private keys are essentially used to match users with their cryptocurrency holdings.
The Bitfi device has one specific security advantage, in that it doesn't actually store users' private keys on the device itself. Instead, a user has a password for the device. That password is used to generate, for a few milliseconds, a private key which unlocks the data and is then discarded.
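The design described above, where the private key is derived from the password on demand and then thrown away, means the password is the only real secret: anyone who learns it (for instance via a bug relaying it from the touchscreen, as the findings below describe) can regenerate the identical key. The added Python example below is not Bitfi's code and the article does not say which key-derivation function Bitfi uses; scrypt, the constructed device salt, the HMAC stand-in for a real signature and the entropy threshold are all assumptions made for illustration. It models the derive-use-wipe cycle and adds the check a defender would want: a rough entropy bound on the passphrase, since the whole scheme is only as strong as that password plus the cost of the KDF.

```python
import hashlib
import hmac
import math

# Constructed, hypothetical per-device salt (assumption: a real device would
# burn in a unique value so two users with the same password get different keys).
DEVICE_SALT = b"example-per-device-salt"


def derive_key(password: str, salt: bytes = DEVICE_SALT) -> bytearray:
    """Derive a 32-byte private-key candidate from a passphrase.

    scrypt is an assumption: the article only says the key is regenerated
    from the password each time it is needed. Parameters are deliberately
    memory-hard (n=2**14, r=8 -> 16 MiB) to slow down guessing.
    """
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=2**14, r=8, p=1, dklen=32)
    return bytearray(key)  # mutable so it can be overwritten after use


def wipe(buf: bytearray) -> None:
    """Best-effort zeroing of the key buffer.

    CPython cannot promise that no other copy of the bytes survives in
    memory; this only removes the copy we control.
    """
    for i in range(len(buf)):
        buf[i] = 0


def sign_then_discard(password: str, message: bytes) -> bytes:
    """Model the 'key exists for a few milliseconds' design: derive, use, wipe."""
    key = derive_key(password)
    try:
        # HMAC-SHA256 stands in for a real transaction signature (assumption).
        tag = hmac.new(bytes(key), message, hashlib.sha256).digest()
    finally:
        wipe(key)  # the key is gone; only the password can bring it back
    return tag


def passphrase_entropy_bits(password: str) -> float:
    """Upper-bound entropy estimate from length and character-class size.

    This is optimistic (dictionary words score too high), so treat it as a
    floor for rejection, not a guarantee of strength.
    """
    classes = 0
    if any(c.islower() for c in password):
        classes += 26
    if any(c.isupper() for c in password):
        classes += 26
    if any(c.isdigit() for c in password):
        classes += 10
    if any(not c.isalnum() for c in password):
        classes += 33  # printable ASCII punctuation
    return len(password) * math.log2(classes) if classes else 0.0


def is_acceptable(password: str, minimum_bits: float = 80.0) -> bool:
    """Reject passphrases whose estimated entropy is below the threshold.

    The 80-bit floor is an assumption for illustration; because the key is a
    pure function of the password, this number bounds the wallet's security.
    """
    return passphrase_entropy_bits(password) >= minimum_bits


if __name__ == "__main__":
    for pw in ("hunter2", "Tr0ub4dor&3-StapleBattery"):
        print(pw, round(passphrase_entropy_bits(pw), 1), "bits",
              "OK" if is_acceptable(pw) else "too weak")
    print(sign_then_discard("Tr0ub4dor&3-StapleBattery", b"send 1 BTC").hex())
```

The same password and salt always yield the same key, which is the property the design relies on and also the reason that capturing the password is equivalent to stealing the key.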
The bounty, which was later raised to $250,000, has some very specific conditions and functionally only pays out for very specific types of attacks.
But elsewhere, researchers found the device to essentially just be a repurposed phone, with little in the way of any of the actual hardware security you'd expect to find on a hardware wallet.
Some of the flaws found include:
- A lack of tamper protection, letting people install malware before sale and otherwise manipulate it freely without leaving tracks.
- The ability to install bugs that "listen" to the connection between the touchscreen and the chip and relay the password.
- The ability to reprogram the device with root access.
- The ability to access a user's Bitfi dashboard account from a tampered-with device.
On top of that, the device also has various tracking apps phoning home to different web services, such as Baidu. Users therefore also need to trust the security of a range of third-party data collectors, which traditionally hasn't been a good idea, and it means the wallet is Internet-connected, which is exactly what a hardware wallet should not be.
As these issues kept arising, Bitfi publicly continued to handwave away some of the more damning findings, helped/hindered along by the occasional factually incorrect contribution from McAfee.
Bitfi's initial response was that the bounty was not for the purpose of discovering vulnerabilities, because there were none. The exact words were:
"This bounty program is not intended to help Bitfi to identify security vulnerabilities since we already claim that our security is absolute and that the wallet cannot be hacked or penetrated by outside attacks."
But the reports kept coming in, and Bitfi eventually seems to have realised that a McAfee endorsement alone probably wouldn't be enough to bury all the security flaws and it changed tack, offering a new $10,000 security vulnerability bounty.
It also offered a mea culpa to some of the increasingly derisive researchers who pulled apart the device.
McAfee is keen to point to the commercial benefits of his endorsements, which will often run to about $100,000 for a single tweet. But as the whole Bitfi series of events shows, an endorsement from McAfee can be very expensive in more ways than one.
McAfee endorsements might be fine for a quick crypto pump and dump, but for serious projects that want to hang around in the long run, a McAfee Twitter endorsement might have the potential to cause irreparable brand damage.
Disclosure: At the time of writing the author holds ETH, IOTA, ICX, VET, XLM, BTC, ADA