BitFi: Unhackable, for Specific Definitions of "Hack"

( From my blog on 2018-08-02; the original, with rich text and images, can be found here )

BitFi and John McAfee aren’t having a good week.

It started, in the way many information security bug-bounties started. An announcement was made on July 24th by John McAfee regarding a $100,000 bounty for anyone who was able to hack the BitFi hardware wallet.

https://twitter.com/officialmcafee/status/1021805449681817600

The terms were simple enough. As described on their website, BitFi would deposit coins into a Bitfi wallet. If you wished to participate in the bounty program, you would purchase a Bitfi wallet that is preloaded with coins for just an additional $10. If you could successfully extract the coins and empty the wallet, this would be considered a successful hack. You could then keep the coins and Bitfi will make a payment to you of $100,000 (later raised to $250,000).

BitFi also clarified that they would grant anyone who participates in this bounty permission to use all possible attack vectors, including our servers, nodes, and their infrastructure. And so, a number of brilliant minds went to work to figure out what they could do with the device, and within a week, exploits began to surface.

One person, who goes by @cybergibbons on Twitter, was able to determine that the firmware was easily-accessible using SP Flash Tool, a software package that can write new firmware to the device. Another person, on that same day, was able to determine the hardware used for the device; it was based on a MediaTek phone, and still running Chinese malware and the default Baidu app collection.

https://twitter.com/cybergibbons/status/1023905635811950592
https://twitter.com/OverSoftNL/status/1024008149093822464

The next day, @OverSoftNL was able to confirm that one would be able to obtain root access on the device and even patch the device’s firmware, and the phone could still be used to connect to the BitFi dashboard and presumably make transactions. In other words, should a malicious party wish to purchase BitFi devices and install a malicious keylogger, perhaps one like Ryan Castellucci described here, they would be able to obtain a user’s passphrase and circumvent the “unhackable” security feature so broadly touted in BitFi’s marketing.

In short, the BitFi was hacked.

Let me be clear: this hack did not meet the qualifications set out by BitFi in their announcement; because these users had not taken the coins out of the wallet, John McAfee and BitFi did not qualify this as having hacked the wallet. It is, nonetheless, a grave concern that anyone purchasing a BitFi wallet should consider. The device is made with shoddy hardware, and BitFi has not removed Chinese malware packages or even the default apps that come with a standard Chinese mobile phone.

In the time since then, harsh arguments between John McAfee, the BitFi team, the hackers who have found these vulnerabilities and the consumers who want honesty from BitFi has gotten to fever-pitch, on Twitter. Just this morning, McAfee felt it necessary to produce a short video in which he attempts to define “hacking” — but misses the point of the vulnerabilities identified.

https://twitter.com/officialmcafee/status/1025009808968171521

This does not mean that the BitFi wallet cannot be improved for future iterations; however, for the time being, one would be safer waiting to see what is done next.

I will conclude by bringing your attention to a 19th century cryptographer Auguste Kerckhoff, and his self-named Kerckhoff’s Principle — “A cryptographic system should be secure even if everything about the system, except the key, is public knowledge”. From what we know thus far about the BitFi wallet, it does not meet this standard.