In July 2018 cryptocurrency hardware wallet manufacturer Bitfi offered a $100,000 bounty (later raised to $250,000) to anyone who was able to hack into their device. The program was spearheaded by executive chairman John McAfee (yes, that McAfee). Unlike other bug bounty programs, Bitfi announced this one to showcase “the world’s first unhackable device”, not to gain true insight into platform vulnerabilities.
Bitfi is the first wallet of its kind: the physical wallet “supports an unlimited amount of cryptocurrencies” without placing a strong emphasis on private keys. Its security model is based on a user-generated phrase, chosen to be easily memorized, instead of the usual 24-word seed that must be written down.
The Bitfi website states:
“On the Bitfi wallet, your private key is calculated using our algorithm every time you type in your secret phrase. Once a transaction is approved, the private key is not stored anywhere in local memory. The private key does not exist on the device until you type in your secret phrase again. Therefore, if your device is stolen or seized, there is no way to gain access to the private key because it is not on the device and your funds always remain safe and there is absolutely no reason for alarm or concern if your device is lost or stolen.”
Bitfi argues this makes the wallet unhackable, because “even if your Bitfi hardware wallet is seized or stolen, there is nothing that anyone can do to extract the private keys because they are not on the device in the first place.”
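To make the design in the quote concrete, here is an added example (not Bitfi’s code, and not from the original post) of a “derive on demand” wallet: the private key is recomputed from the secret phrase with a key-derivation function each time a transaction is approved and is never kept as state. Everything here is an assumption for illustration: Bitfi’s real algorithm is not published on this page, PBKDF2-HMAC-SHA256 stands in for it, HMAC-SHA256 stands in for the ECDSA signature a real coin would use, and the salt, transaction bytes and phrases are constructed. The example also goes one step beyond the quote by adding the check a defender would want alongside such a design: since the key is only as unpredictable as the phrase, it estimates the phrase’s entropy before accepting it.

```python
import hashlib
import hmac
import math

# Assumed KDF parameters (constructed for this example; Bitfi's algorithm is not public here).
KDF_ITERATIONS = 200_000
KDF_SALT = b"example-wallet-salt"


def derive_private_key(secret_phrase: str) -> bytes:
    """Recompute the 32-byte private key from the phrase; nothing is stored between calls."""
    return hashlib.pbkdf2_hmac(
        "sha256", secret_phrase.encode("utf-8"), KDF_SALT, KDF_ITERATIONS, dklen=32
    )


def sign_transaction(private_key: bytes, tx: bytes) -> str:
    """HMAC-SHA256 stands in for the ECDSA signature a real coin would produce."""
    return hmac.new(private_key, tx, hashlib.sha256).hexdigest()


def verify_signature(private_key: bytes, tx: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign_transaction(private_key, tx), sig)


class DeriveOnDemandWallet:
    """Keeps no key material at rest; only a public fingerprint identifies the wallet."""

    def __init__(self, secret_phrase: str):
        key = derive_private_key(secret_phrase)
        # Only a public identifier is retained; the key itself goes out of scope here.
        self.fingerprint = hashlib.sha256(key).hexdigest()[:16]

    def approve_transaction(self, secret_phrase: str, tx: bytes) -> str:
        """Derive the key, sign once, and let the key be discarded with the call frame."""
        key = derive_private_key(secret_phrase)
        if hashlib.sha256(key).hexdigest()[:16] != self.fingerprint:
            raise ValueError("phrase does not match this wallet")
        return sign_transaction(key, tx)

    def retained_secrets(self) -> list:
        """Defender's check: list any attribute that still holds raw key bytes (should be empty)."""
        return [n for n, v in vars(self).items() if isinstance(v, (bytes, bytearray))]


def estimate_phrase_entropy_bits(phrase: str) -> float:
    """Crude upper bound: length * log2(character-set size). The scheme's security
    rests entirely on this, because the key is only as unpredictable as the phrase."""
    charset = 0
    if any(c.islower() for c in phrase):
        charset += 26
    if any(c.isupper() for c in phrase):
        charset += 26
    if any(c.isdigit() for c in phrase):
        charset += 10
    if any(not c.isalnum() for c in phrase):
        charset += 33  # punctuation and whitespace
    return len(phrase) * math.log2(charset) if charset else 0.0


def phrase_is_strong_enough(phrase: str, minimum_bits: float = 80.0) -> bool:
    return estimate_phrase_entropy_bits(phrase) >= minimum_bits


if __name__ == "__main__":
    phrase = "correct horse battery staple"  # constructed sample phrase
    wallet = DeriveOnDemandWallet(phrase)
    tx = b"send 0.1 BTC to bc1qexample"  # constructed sample transaction
    signature = wallet.approve_transaction(phrase, tx)
    print("fingerprint:", wallet.fingerprint)
    print("signature:", signature)
    print("retained key bytes:", wallet.retained_secrets())
    print("estimated phrase entropy:", round(estimate_phrase_entropy_bits(phrase), 1), "bits")
```

The wallet object only ever holds the public fingerprint, so an image of its memory contains nothing to extract, which is the property the quote describes. The entropy estimate is the caveat that goes with it: a short, guessable phrase produces a guessable key no matter how the device handles storage, so a real implementation would reject weak phrases at setup and use a deliberately slow (ideally memory-hard) KDF.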
To prove the ‘unhackable’ nature of the device, Bitfi announced a bug bounty program with very distinct rules. To claim the bounty, an attacker must extract coins from a wallet. The attacker must purchase the wallet themselves, but may then attack it using any vector they choose. Any other outcome will not be deemed a successful hack.
Within a week of the announcement, crypto personality OverSoft tweeted “We have root access, a patched firmware and can confirm the BitFi wallet still connects happily to the dashboard.” Yet the firm dismissed this, responding that “Rooting [i.e., getting administrative access to] the device does not mean it has been hacked.”
Since then there has been a lot of drama surrounding the program, with a few people claiming to have cracked the device. At the time of writing, however, no money has been paid out. The firm is now also offering a separate $10,000 bounty to anyone who “should be able to transmit either private keys or the user’s secret phrase to a third party while still functioning normally with the Bitfi Dashboard.”
Secure Sense is the security provider that cares. We are a team of experts with a passion for IT and protecting your organization is what motivates us daily. If you have questions or want to learn more about how we can improve your organization’s security, our services or just want to chat security please give us a shout. If you’re looking to guest blog, please send an email here.