“The world’s first un-hackable storage for cryptocurrency & digital assets,” said John McAfee, the chairman of the hardware crypto wallet Bitfi. On the website’s home page, these words are bravely stated, hence hard to pass by without seeing.
The researchers at Pen Test Partners sent signed transactions using Bitfi, therefore completing an important objective for the wallet program. This occurred just recently, and now for the zillionth time, the hardware has been hacked.
A security consultant at Pen Test Partners, Andrew Tierney, wrote on Twitter:
Well, that's a transaction made with a MitMed Bitfi, with the phrase and seed being sent to a remote machine.— Ask Cybergibbons! (@cybergibbons) 13 August 2018
That sounds a lot like Bounty 2 to me. pic.twitter.com/qBOVQ1z6P2
To collect the second bounty of only $10,000, one must modify the wallet’s firmware connecting to the cyber Bitfi dashboard. And also complete the last obligation of making sure the secret phase of the user or private passes are transported to a third party while making sure the dashboard is a performing as usual. The prize of the second bounty pales in comparison with the first bounty of $250,000.
The group managed to modify the firmware and get through communications between the device and the digital asset wallet. To prove that the hardware was in connection to the dashboard and functioning well, the group of researchers thought to show the messages on the screen of the device.
Hacking the wallet involved group work of several persons and entities creating varying contributions. This is according to Mr. Tierney.
At the beginning of this August, an information security expert rooted the hardware, hence gaining all access and administration. He found some apps including Wi-Fi and GPS trackers. These findings were seen as an issue concerning security since the apps were found to connect to several web services such as the large search engine Baidu.
The British prodigy programmer of 15-year-old, Rashid Saleem, in less than eleven days from the findings managed to install Doom game app onto to the hardware and use it. Of course, this brought worries that due to bad tamper protections, actors may install malware causing vulnerability to manipulate. And due to the rooting, there are worries that along with this ability to install the malware, the device may be reprogrammed.
The company’s response to the entire story caused bad public view. It has of recent got the Pwnie Award for the Lamest Vendor Response at the BlackHat conference in Las Vegas.
Image Source: Flickr