'Unhackable' Bitfi crypto-currency wallet maker will be shocked to find fingernails exist

Backed by John McAfee so you know it's going to be A+

A crypto-currency wallet heavily promoted as "unhackable" – complete with endorsements from the security industry's loopy old uncle John McAfee and a $350,000 bounty challenge – has, inevitably, been hacked within a week.

The $120 Wi-Fi-connected Bitfi wallet is a hardware device that holds your crypto-coins and assets, and requires a passphrase to access these goodies. The passphrase is used to regenerate, for a few milliseconds, the private key needed to spend the coins; the key is then discarded rather than stored on the device. So without the passphrase, you can't get at the gizmo's fun bux, allegedly.

It launched last week with some bold claims: it was the "most sophisticated instrument in the world" offering "fortress-like security" for your electronic coins. The phone-like device is "the world's first unhackable device", the manufacturer announced – to some mockery from security experts.

The biz even got John McAfee to play along. He tweeted: "For all you naysayers who claim that 'nothing is unhackable' & who don’t believe that my Bitfi wallet is truly the world’s first unhackable device, a $100,000 bounty goes to anyone who can hack it. Money talks, bullshit walks."

Having received acres of press coverage, the company then offered its own "bounty" of $250,000, presumably in an effort to sell more hardware. But then, of course, with glum inevitability, the whole thing has come crashing down.

A spokesperson for Bitfi was not available for immediate comment.

First off, the "most sophisticated instrument in the world" turns out to be nothing more than a cheap touchscreen Android phone with some components pulled out, particularly the cellular connectivity stuff. It's powered by a Mediatek MT6580 system-on-chip, and appears to be very similar to a smartphone reference design. The Bitfi biz is charging people $120 for something that is sold for $35 wholesale.

The bounty program also turns out to be very different to what you would imagine. The company has given very specific requirements over what constitutes a legitimate hack: you have to receive a Bitfi phone loaded with $50 in crypto-coins using an unknown passphrase, and get the coins off that device.

A good thing

Which sounds reasonable, and also serves to flag the one aspect of the Bitfi that is a genuine security plus: it doesn't store the actual key used to access the crypto-currencies on the device itself.

However, the bounty doesn't reflect reality. As infosec probester Andrew Tierney put it, the challenge only covers one specific method of theft – accessing coins on a stolen device – yet the thing is supposed to be completely unhackable and thus be able to see off any attempts to empty it.

"The bounty deliberately includes only one attack: key recovery from a genuine, unaltered device. And the device doesn't store the key," Tierney wrote over the weekend.

"The only way to win the bounty is to recover a key from a device which doesn’t store a key. There are many, many more attacks such a device is vulnerable to. The most obvious one: modifying the device so that it records and sends the key to a malicious third party. But this is excluded from the bounty. Why is this? Because the bounty is a sham."

Indeed, the bounty does not cover the scenario of someone intercepting shipments of the devices, backdooring them, and then siphoning off coins from victims – a genuine supply chain problem. Nor does it cover devices being stolen, tampered with, and then returned without the victim knowing, allowing the wallet to be emptied later. Again, another legitimate concern given this is supposedly "unhackable."

Despite the claims of "faultless, impenetrable security," it turns out that the Bitfi phone is very far from an unhackable wallet.

Crucially, it has no anti-tamper measures, meaning the back can be popped off using your fingernails, the hardware reprogrammed or bugged, the case closed up again, and the handheld handed to a victim. Once the mark taps in their passphrase, whatever backdoor you've built into the thing can phone those details home over the internet for you to exploit.

We know this because within a week of the gadget being launched – and just a few days after security researchers received their specially repurposed phones – they started digging in and revealing:

  • The unencrypted I2C protocol lines between the touchscreen and chipset can be eavesdropped on, allowing you to discern the individual passphrase that a user taps in on the display if you slip in an appropriate bug.
  • There is a complete lack of tamper protection: so you can open up the device, and it will continue to work normally while you monitor what is going on within the thing. Alternatively, you can tamper with its hardware or firmware so that it steals coins, close it up as if nothing has changed, and hand it to a victim.
  • You can access and dump the device's file system from its flash storage.
  • There is software present that allegedly collects personal information, tracks the whereabouts of the device, and beams it off to Baidu and Adups servers in China. There are also standard MediaTek libraries and example apps installed.
  • And, yes, inevitably, you can gain root access to the device to reprogram it.
  • And a backdoored device will still connect to its online backend and log into the owner's Bitfi dashboard account, which manages their crypto-dosh.
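
As an added illustration of the first point above (this is not code from the original article, nor from any of the researchers it cites), the following Python shows how little work it takes to turn a plaintext touch-controller bus capture back into keystrokes. It assumes a FocalTech FT5x06-style I2C report layout and a hypothetical three-row on-screen keyboard geometry, both chosen for illustration; the capture is constructed inline. Nothing on this page identifies Bitfi's actual touch controller or keyboard layout.

```python
"""
Reconstruct tapped characters from a plaintext I2C touch-controller capture.

Assumptions (not taken from the article):
- FT5x06-style report layout: a burst read from register 0x00 returns
  [mode, gesture, td_status, then 4 bytes per touch point: XH, XL, YH, YL].
  In XH, bits 7:6 are the event flag (0 = press down, 1 = lift up,
  2 = contact) and bits 3:0 the high nibble of X; YH holds the touch ID in
  bits 7:4 and the high nibble of Y in bits 3:0.
- A hypothetical on-screen keyboard: three rows of keys filling a
  480x240 px region at the bottom of a 480x800 display.
The capture below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

EVENT_PRESS_DOWN = 0
EVENT_LIFT_UP = 1
EVENT_CONTACT = 2


@dataclass(frozen=True)
class Touch:
    event: int
    x: int
    y: int
    touch_id: int


def parse_report(data: bytes) -> List[Touch]:
    """Decode one burst read from register 0x00 into touch points."""
    if len(data) < 3:
        raise ValueError("report too short")
    n_points = data[2] & 0x0F
    touches = []
    for i in range(n_points):
        base = 3 + 4 * i
        if base + 4 > len(data):
            break  # truncated read: keep the points we have
        xh, xl, yh, yl = data[base:base + 4]
        touches.append(Touch(
            event=(xh >> 6) & 0x03,
            x=((xh & 0x0F) << 8) | xl,
            y=((yh & 0x0F) << 8) | yl,
            touch_id=(yh >> 4) & 0x0F,
        ))
    return touches


# Hypothetical keyboard geometry (assumption): each row spans the full width.
KEY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
KB_LEFT, KB_TOP, KB_WIDTH, KB_HEIGHT = 0, 560, 480, 240


def key_at(x: int, y: int) -> Optional[str]:
    """Map a screen coordinate to the key under it, or None if off-keyboard."""
    if not (KB_LEFT <= x < KB_LEFT + KB_WIDTH and KB_TOP <= y < KB_TOP + KB_HEIGHT):
        return None
    row_h = KB_HEIGHT / len(KEY_ROWS)
    row = KEY_ROWS[int((y - KB_TOP) // row_h)]
    key_w = KB_WIDTH / len(row)
    return row[int((x - KB_LEFT) // key_w)]


def recover_taps(reports: Iterable[bytes]) -> str:
    """Turn a sequence of bus reads into the string of keys tapped.

    A keystroke is counted once, on its press-down event, so the stream of
    'contact' reports a held finger produces does not repeat the key.
    """
    typed = []
    for report in reports:
        for t in parse_report(report):
            if t.event == EVENT_PRESS_DOWN:
                k = key_at(t.x, t.y)
                if k is not None:
                    typed.append(k)
    return "".join(typed)


def make_report(points: List[Tuple[int, int, int]]) -> bytes:
    """Build a report from (event, x, y) tuples; used only to construct sample data."""
    out = bytearray([0x00, 0x00, len(points) & 0x0F])
    for tid, (event, x, y) in enumerate(points):
        out += bytes([((event & 0x03) << 6) | ((x >> 8) & 0x0F), x & 0xFF,
                      ((tid & 0x0F) << 4) | ((y >> 8) & 0x0F), y & 0xFF])
    return bytes(out)


# Constructed capture: the user taps "c", "a", "t", then touches outside the keyboard.
SAMPLE_CAPTURE = [
    make_report([(EVENT_PRESS_DOWN, 170, 750)]),
    make_report([(EVENT_CONTACT, 171, 751)]),     # finger still down
    make_report([(EVENT_LIFT_UP, 171, 751)]),
    make_report([]),                              # idle poll, no touches
    make_report([(EVENT_PRESS_DOWN, 20, 640)]),
    make_report([(EVENT_LIFT_UP, 20, 640)]),
    make_report([(EVENT_PRESS_DOWN, 210, 600)]),
    make_report([(EVENT_LIFT_UP, 210, 600)]),
    make_report([(EVENT_PRESS_DOWN, 240, 100)]),  # outside the keyboard: ignored
]

if __name__ == "__main__":
    print(recover_taps(SAMPLE_CAPTURE))
```

In practice the reports come from a logic analyser or a small bug clipped onto the SDA/SCL lines; the decoder only needs the burst reads the host driver already issues. Counting a key on press-down rather than on every contact report is what keeps a held finger from smearing into repeated characters, and any real layout would also have to track shift and numeric layers, which this hypothetical grid omits.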

Biting the hand that feeds IT © 1998–2022