Remember John McAfee’s supposedly “unhackable” cryptocurrency wallet? It appears a group of researchers is about to prove the once-lauded antivirus pioneer wrong.
After cracking the so-called Bitfi wallet to play legendary game DOOM on it, today the researchers were able to successfully send signed transactions with the device – that is despite the “security” mechanisms Bitfi has in place to prevent attackers from doing that.
Well, that's a transaction made with a MitMed Bitfi, with the phrase and seed being sent to a remote machine.
That sounds a lot like Bounty 2 to me. pic.twitter.com/qBOVQ1z6P2
— Ask Cybergibbons! (@cybergibbons) August 13, 2018
With this development in mind, the researchers believe they have fulfilled the conditions of Bitfi’s $10,000 bug bounty. Bitfi had three criteria to claim the rewards: namely that researchers should be able to prove they can modify the device, connect to the Bitfi server, and send sensitive data with the device.
First up, modifying the device has been easy: the hackers gained complete access (root) to it two weeks ago. Since then, they have been tracking everything about the device, which means that they have a complete overview of the data being sent out of it. The researchers have also been able to confirm the wallet is still connected to the Bitfi servers, and liable to data interceptions.
“We intercepted the communications between the wallet and [Bitfi],” security researcher Andrew Tierney (more commonly known as Cybergibbons) told Hard Fork “This has allowed us to display silly messages on the screen. The interception really isn’t the big part of it, it’s just to demonstrate that it is connected to the dashboard and still works despite significant modification.”
But more importantly: Tierney also confirmed that they have met the third condition – they sent the device’s private keys and its passphrase to a remote server, meeting the three requirements to claim the $10,000.
“We have sent the seed and phrase from the device to another server, it just gets sent using netcat, nothing fancy.” Tierney said. “We believe all [conditions] have been met.”
McAfee: either pay up or shut up. The ball’s in your court – and this publicity stunt has already dragged on long enough.
Published August 13, 2018 — 16:38 UTC