John McAfee’s “unhackable” crypto wallet was cracked easily

Posted: 2 August 2018 1:06 pm

McAfee endorsements are great at grabbing attention, but may be a poor way of instilling confidence.

John McAfee made waves in the cryptocurrency world, as he is wont to do, with a tweet saying "my Bitfi wallet is truly the world's first unhackable device, a $100,000 bounty goes to anyone who can hack it. Money talks, bullshit walks."

All McAfee's talk notwithstanding, anyone who relies on the wallet might find their money walking right out of it, as security researchers have discovered.

Hand over the keys

In cryptocurrency, possession of the private keys is what establishes ownership. The coins themselves are purely digital, existing both everywhere and nowhere at once, so the private keys are what tie a user to their holdings.

The Bitfi device has one specific security advantage: it doesn't store users' private keys on the device at all. Instead, the user has a password for the device. That password is used to generate, for a few milliseconds, a private key that unlocks the data and is then discarded.
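As an added illustration of the store-nothing design described above (example code, not Bitfi's own; its use of scrypt, the KDF parameters and the 32-byte key size are assumptions): the key is rederived from the password on demand and wiped after use, which also means the password's strength is the entire security margin, since anyone who learns the password can regenerate the same key anywhere.

```python
import hashlib
import hmac
import math

# Assumed KDF parameters for this illustration; Bitfi's real scheme is not described here.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_BYTES = 32  # assumed secp256k1-style private key size


def derive_private_key(passphrase: str, salt: str) -> bytes:
    """Deterministically derive a 32-byte key from passphrase + salt.

    Nothing is stored on the device, so the same inputs must always yield the
    same key; equally, anyone holding the inputs holds the key."""
    return hashlib.scrypt(
        passphrase.encode("utf-8"),
        salt=salt.encode("utf-8"),
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES,
    )


def sign_then_discard(passphrase: str, salt: str, message: bytes) -> bytes:
    """Model the 'key exists for a few milliseconds' lifecycle: derive, use, wipe.

    HMAC-SHA256 stands in for a real ECDSA signature so the example runs offline."""
    key = bytearray(derive_private_key(passphrase, salt))
    try:
        return hmac.new(bytes(key), message, hashlib.sha256).digest()
    finally:
        # Best-effort wipe: the bytearray is overwritten, but the bytes() copy made
        # for HMAC is only garbage-collected, one reason real wallets do this natively.
        for i in range(len(key)):
            key[i] = 0


def passphrase_entropy_bits(passphrase: str) -> float:
    """Upper bound on the secret's strength: log2(pool ** length), where pool is the
    size of the character classes actually used. In a store-nothing design this
    number, not any hardware, decides how long a brute-force attack takes."""
    pool = 0
    if any(c.islower() for c in passphrase):
        pool += 26
    if any(c.isupper() for c in passphrase):
        pool += 26
    if any(c.isdigit() for c in passphrase):
        pool += 10
    if any(not c.isalnum() for c in passphrase):
        pool += 33
    return len(passphrase) * math.log2(pool) if pool else 0.0
```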

The bounty, which was later raised to $250,000, has some very specific conditions and functionally only pays out for very specific types of attacks.

But elsewhere, researchers found the device to essentially just be a repurposed phone, with little in the way of any of the actual hardware security you'd expect to find on a hardware wallet.

Some of the flaws found include:

  • A lack of tamper protection, letting people install malware before sale and otherwise manipulate the device freely without leaving tracks.
  • The ability to install bugs that "listen" to the connection between the touchscreen and the chip and relay the password.
  • The ability to reprogram the device with root access.
  • The ability to access a user's Bitfi dashboard account from a tampered-with device.

On top of that, the device also runs various tracking apps that phone home to different web services, such as Baidu. Users therefore also need to trust the security of a range of third-party data collectors, which traditionally hasn't been a good idea. It also means the wallet is Internet-connected, which is exactly what a hardware wallet should not be.

As these issues kept arising, Bitfi publicly continued to handwave away some of the more damning findings, helped or hindered along by the occasional factually incorrect contribution from McAfee.

Changing tack

Bitfi's initial response was that the bounty was not for the purpose of discovering vulnerabilities, because there were none. The exact words were:

"This bounty program is not intended to help Bitfi to identify security vulnerabilities since we already claim that our security is absolute and that the wallet cannot be hacked or penetrated by outside attacks."

But the reports kept coming in, and Bitfi eventually seems to have realised that a McAfee endorsement alone probably wouldn't be enough to bury all the security flaws and it changed tack, offering a new $10,000 security vulnerability bounty.

It also offered a mea culpa to some of the increasingly derisive researchers who pulled apart the device.

McAfee is keen to point to the commercial benefits of his endorsements, which will often run to about $100,000 for a single tweet. But as the whole Bitfi series of events shows, an endorsement from McAfee can be very expensive in more ways than one.

McAfee endorsements might be fine for a quick crypto pump and dump, but for serious projects that want to hang around in the long run, a McAfee Twitter endorsement might have the potential to cause irreparable brand damage.


Disclosure: At the time of writing the author holds ETH, IOTA, ICX, VET, XLM, BTC, ADA

Disclaimer: This information should not be interpreted as an endorsement of cryptocurrency or any specific provider, service or offering. It is not a recommendation to trade. Cryptocurrencies are speculative, complex and involve significant risks – they are highly volatile and sensitive to secondary activity. Performance is unpredictable and past performance is no guarantee of future performance. Consider your own circumstances, and obtain your own advice, before relying on this information. You should also verify the nature of any product or service (including its legal status and relevant regulatory requirements) and consult the relevant Regulators' websites before making any decision. Finder, or the author, may have holdings in the cryptocurrencies discussed.

Picture: Shutterstock
