Last week, John McAfee offered up $100,000 to anyone who could break into the Bitfi wallet – a device advertised as the world’s first completely “unhackable” cryptocurrency wallet.
Bitfi even asked that all attempts be made public. An ad-hoc collective of hackers and security researchers is doing just that, already finding a bunch of kinks that throw the device’s security into question.
While nobody has managed to claim the $100,000 reward for stealing the $50 worth of cryptocurrencies inside, the squad have torn it apart. Ryan Castellucci, software engineer and hardware hacker commented that Bitfi appears to be exactly what it seems to be from its marketing photos – a cheap stripped down Android phone.
Bitfi appears to be exactly what it looks like from the photos – a cheap stripped down Android phone. There's some screenshots of it demanding to be connected to WiFi in order to function elsewhere in @cybergibbons's feed. Someone will probably have Doom running on it by Friday. https://t.co/cC1pZsahJH
— Ryan Castellucci (@ryancdotorg) July 29, 2018
The researchers uploaded an exhaustive list of directories that are loaded into its onboard memory (ROM) when the device is switched on. Made publicly available through Pastebin, they give a complete overview of everything pre-installed on the Bitfi device.
Most troubling is the alleged inclusion of a well-known malware suite called Adups FOTA, a spyware platform that allows for the transmitting text, call, location, and app data to a server in China every 72 hours.
Another stowaway is the Chinese app Baidu. It has built-in WiFi and GPS tracking functionality – which makes this device perfect for those who love having absolutely fuck-all privacy.
There’s also no internal cold storage, all funds are seemingly kept in what’s known as a hot wallet. It’s precisely this method of storing cryptocurrencies that is often attributed as the main reason for the world-record CoinCheck exchange hack earlier this year.
McAfee, who is also an adviser to Bitfi, confirmed the so-called “wallet” is indeed a small phone-like device. “There is no internal storage,” McAfee tweeted. “The wallet receives its instructions for each coin from our servers.”
Bitfi’s security hinges on its ability to keep all transmissions of the private key and seed phrases safe – so really its “un-hackability” is technically the same as any other online wallet solution.
What’s most alarming is that it appears that the Adups FOTA suite and Baidu are active and are transmitting information.
At least the Baidu and Adups apps are indeed actively running on the device, including calling home to Baidu and Adups.
The rest of the system/vendor partitions include drivers for removed devices like the camera, tcpdump, adbd and several other debugging binaries.
— OverSoft (@OverSoftNL) July 30, 2018
We reached out to one of the researchers, Cybergibbons, a security consultant for a white-hacking firm. He relayed to us that they accessed the data through a Mediatek chipset utilized by the device. The chip, an 8GB eMMC chip, loads libraries into its internal memory (ROM) on start-up that make the running of applications possible.
“The device is using a Mediatek chipset,” the researcher told Hard Fork. “Often is the case that these chipsets run a Mediatek bootloader for the first few seconds when they boot. This can be interacted with over USB.”
The team simply used a free tool, SP Flash Tool, to access the data and read it completely. Cybergibbons stepped through the process on Twitter:
Allowing us to dump the file system. pic.twitter.com/bDXJuWB4QM
— Ask Cybergibbons! (@cybergibbons) July 30, 2018
“The problem is that they don’t seem to have minimized the device, which is what they need to do,” Cybergibbons added. “All this extra stuff puts you at risk of tracking, snooping and other network attacks.”
Minimizing, in this case, would be to strip the bloatware and the malware tools. Instead, it appears Bitfi have just bought a bunch of Android phones and shipped them with no regard to protecting the sensitive data of its users.
He further clarified that for now they believe Bitfi’s file system is read-only, which means any data stored on the device can’t be overwritten. If the researchers are correct, it would mean that the spyware was most likely preloaded on the wallet prior to shipping – not after-the-fact.
The main problem the hackers face is that they only have one device. If they break it now – they may not be able to get another one.
For now, they will continue ‘dry-hacking’ the device – accessing its flash contents but not interacting completely, just logging its network traffic as they probe further. After all, they’re interested in claiming McAfee’s the $100,000 cash price (plus $50 worth of cryptocurrencies) for a successful hack, so extras will probably come in handy.
We reached out to Bitfi for further comment, but we are yet to hear back. We will update this article should they respond accordingly. In the meantime, it appears the company has taken to Twitter to downplay claims that its cryptocurrency wallet is merely a phone.
Oh so funny John. It is obviously not a phone but a 3.9” tablet with touchscreen. It doesn’t even have a speaker so what on earth are you talking about? Since you claim it’s a phone, why don’t you try to make a call on it and let us know how it goes.
— Bitfi (@Bitfi6) July 31, 2018
While the collective hasn’t published proof of breaking into the Bitfi device yet, the researcher’s findings really highlight just how sceptical the general public needs to be regarding the storing and usage of their cryptocurrencies.
Do your research before you trust a device (or an app) with your funds – nothing is unhackable.
Update August 1, [08:58] AM UTC: Bitfi has since responded to the criticism, accusing hardware wallet manufacturers Trezor and Ledger of enlisting an “army of trolls” to badmouth its product.
“Please understand that the Bitfi wallet is a major threat to Ledger and Trezor because it renders their technology obsolete,” a Bitfi spokesperson told Hard Fork in an email. “So they hired an army of trolls to try to ruin our reputation (which is ok because the truth always prevails).”
“There is absolutely no Chinese bloatware whatsoever,” the spokesperson further told Hard Fork. “The device simply has Google and Bidu [sic] to be able to ping something to see if it is connected to the internet or not. Bidu [sic] is there because we have customers in China and Google is blocked in China. So for Chinese customers the device will simply ping Bidu [sic]. Thats all. None of this has anything to do with the security of the device. I mean we are offering a $250,000 bounty. Do you see any other wallet doing that?”
“All these trolls can do is talk smack all day but they can’t hack the wallet if their life depended on it,” Bitfi continued.
Despite the heated response, Bitfi has yet to share its code for review or directly address the researchers’ claims. But as we pointed out in our original coverage, nothing is unhackable.
Published July 31, 2018 — 12:59 UTC