Bitfi’s “Unhackable” Drama Goes On And On

The Bitfi fiasco is still making headlines. For the uninitiated, here’s what has happened so far: Bitfi and John McAfee launched a hardware cryptocurrency wallet, which they both declared “unhackable”. Bitfi offered a massive reward to anyone who successfully hacked it. A couple of days later, several security researchers did just that, but Bitfi ultimately proclaimed their attempts unsuccessful.

Bitfi no longer claims its wallet is “unhackable”, and the bounty program is no longer available. McAfee has now taken matters into his own hands, offering $20 million to anyone who hacks his personal wallet.

Bitfi was quick to distance itself from “this $20m offer,” leaving John alone in his battle against white-hat hackers. Instead, Bill Powel from Bitfi claimed the hackers had provided no evidence that they had actually compromised Bitfi’s hardware wallet.

Cybersecurity researcher Andrew Tierney (aka Cybergibbons) responded by showing a video that demonstrates an evil maid attack (tampering with a device that is briefly left unattended) carried out against the “unhackable” wallet.

Bitfi’s answer to a media outlet covering the story was:

“You will notice that, as always, [Cybergibbons] provides no evidence or reproducible method of different kinds of attacks other than simply claiming that they have been able to successfully achieve them. Since you spoke to us, we have made considerable effort to get these hackers to claim bounty [sic] and all requests were ignored. You will note that in one instance we offered to make payment if he would simply take a few minutes to speak to our engineers on the phone (because he did not want to send in the device).”

As you can imagine, the story sparked an intense debate on Twitter, where Bitfi threatened particular hackers.

According to the hardware wallet manufacturer, the Twitter community had taken the “threatening” tweet out of context. A spokesperson insists it was published as a response to a logo mocking the company.

“While we think that the message from our social media manager was not appropriate it was likely posted in desperation as our logo was defaced and smeared on the internet.”

However, there was never an official statement regarding the evil maid attack. Despite that, Cybergibbons shared his point of view:

“The bounty doesn’t say anything about providing method or sending the device. We are confused to why they need or want it. Above all, though, it doesn’t matter if we don’t claim the bounty. The issues exist regardless. If they want to fix the issues, they can approach any [penetration testing] firm that has worked with Android. There are so many issues on the device. It’s just a car crash from start to finish.

Regarding the threat, they keep on trying to frame this as about the parody logo I was using. It just makes no sense. The threat said ‘lies & deception,’ not ‘logo.’ I don’t know how much more evidence they need. The attack is just rooting the phone and using common tools to read the phrase. There is nothing to it.”

Interestingly enough, Bitfi invited Saleem Rashid (the security expert who performed the evil maid attack) to speak with the company’s engineers by telephone. Here it gets really messy: the two sides give different accounts, and we cannot tell whether this was an actual offer.

In the end, Bitfi’s marketing materials no longer use the word “unhackable”, which started the controversy in the first place. Nevertheless, McAfee is unwilling to stop this nonsense: he asked Tierney to come to his house and hack John’s personal wallet, and offered to videotape the hacking. The response was this:

Saleem Rashid is the one broadcasting hacking videos, but for some reason McAfee always points to Andrew Tierney. Even a Twitter user named Eku (@stay_salty) offered his services on behalf of Tierney, but McAfee ultimately declined the challenge.