John McAfee threw down the gauntlet last week when claiming his newly-created Bitcoin wallet, Bitfi, was “unhackable.” It took security researchers less than a week to hack it.
As of yesterday, a Dutch security researcher known as “OverSoft” claimed to have root access to McAfee’s unhackable wallet. In a tweet, the researcher(s) said:
Short update without going into too much detail about BitFi:
We have root access, a patched firmware and can confirm the BitFi wallet still connect[s] happily to the dashboard.
There are NO checks in place to prevent that like claimed by BitFi.
BitFi didn’t immediately respond, but a later tweet seems to confirm the security breach. That said, Bitfi didn’t confirm OverSoft — or anyone else — had actually breached the system. We’ve reached out for comment, but Bitfi hadn’t responded as of this writing.
Bitfi CEO Daniel Khesin then seemingly sent out a distress call of sorts, claiming “we need help.”
Dear friends, we’re announcing a second bug bounty to help us assist potential security weaknesses of the Bitfi device. We would greatly appreciate assistance from the infused community, we need help. Here are the bounty conditions: bitfi.com/bounty2
Thank you, Daniel Khesin CEO”
Things only got weirder from there, with the original hackers claiming Bitfi had no intention of paying the $250,000 bug bounty. “It’s pure marketing,” OverSoft said.
Also of note is that OverSoft hacked the device without actually owning or possessing one. This is kind of a big deal, as the device costs $120, plus shipping, and may not actually be needed.
You don’t need a BitFi device to run a BitFi wallet. I repeat: there’s nothing in that device that is require for the BitFi app to function. There’s NO secure element. They could’ve released it on the Play Store as an app.
Currently, we’re in a state of limbo. McAfee argues that gaining root access doesn’t constitute a hack, and that the hacker needs to extract money from the wallet in order to change his mind. By definition, though, OverSoft certainly hacked the wallet by gaining access to the root folder directory, thus allowing him to run keyloggers, patch the software, and do all sorts of nefarious things, if he were so inclined.
We’ve reached out to both Bitfi and OverSoft and will update this piece as needed.
Published August 2, 2018 — 22:28 UTC