Bitfi screwed up big time. First, it arrogantly labeled its hardware wallet “unhackable”, offering a hefty bounty to anyone who successfully compromised it. As we reported at the time, it took security researchers just a couple of days to hack it and even make it run our favorite old-fashioned DOOM.
McAfee’s and Bitfi’s response was that getting root access doesn’t count as a hack. By repeatedly redefining the term “hack”, the manufacturer refused to admit that its device is a total sham. Needless to say, the crypto community pointed the finger at Bitfi, claiming the company is unwilling to pay out the bounty reward. And from then on, things got uglier by the day.
Instead of paying security researchers for their efforts, Bitfi threatened them. Unfortunately, the Twitter post, which used rather improper language, has since been deleted. However, Twitter users managed to take a screenshot before the post went offline.
I haven’t really been following this Bitfi nonsense, but I do so love when companies threaten security researchers. pic.twitter.com/McyBGqM3bt
— Matthew Green (@matthew_d_green) August 6, 2018
Soon after, the cybersecurity researchers released a statement on Pastebin, which reads:
“We aren’t engaging with Bitfi after they made several threats on Twitter. I will quote one here:
‘This is my last tweet as my shift is ending, but did you guys ever bother to look into who you picked a fight with & the resources these people have? Not wise. Remember that the lies & deception that you deliberately spread about Bitfi can have consequences’
The bounty is a strawman, designed to allow Bitfi to claim they haven’t been hacked because the bounty hasn’t been claimed. In reality, the bounty only covers a single attack: sending your wallet (which has a strong seed and phrase) via UPS (taking several days) to an attacker. This doesn’t emulate the real world, not even close.
Bitfi keep on trying to redefine what “unhackable” means. Again, I will quote Bitfi themselves:
‘This bounty program is not intended to help Bitfi to identify security vulnerabilities since we already claim that our security is absolute and that the wallet cannot be hacked or penetrated by outside attacks.’
“Unhackable” means cannot be hacked and will not ever be hacked by any means. This is the only definition we accept.
We are more than happy to demonstrate the attacks to a journalist.
We are not really interested in attempting to prove any of these to Bitfi: they know these are vulnerabilities. They can see the traffic from the wallet and check the transaction shown. So far we have been able to:
- Root a wallet
- Intercept all SSL communications between the wallet and servers
- Sign a Bitcoin transaction under these conditions
- Sniff the user’s phrase and seed and send it to another machine under these conditions
Please ask Bitfi to explicitly confirm or deny these are possible.”
Throwing threats is easily the silliest thing to do, especially when your business depends on the community’s trust. Good luck, Bitfi.