C'mon, if you say your device is 'unhackable', you're just asking for it: Bitfi retracts edgy claim

John McAfee-backed crypto-coin wallet eats humble pie

Bitfi finally and reluctantly retracted its unhackable claim last night in the face of a new cold boot attack.

The John McAfee-backed hardware crypto-wallet firm got under the skins of security researchers by marketing its device as "unhackable" when it launched in July.

The $120 Wi-Fi-enabled Bitfi wallet is a hardware device that stores crypto-coins and other assets, protecting access to these devices through a passphrase. The passphrase is used to temporarily generate the private key needed to unlock a vault.

As previously reported, a hardware teardown exposed the device as essentially a cheap Android phone with the mobile connectivity components pulled out. The hardware is centred around Mediatek MT6580 system-on-chip, and came without a secure element that might have gone some way towards substantiating the bold claims made about the device.

Further investigation showed the unencrypted I2C protocol lines between the touchscreen and chipset can be eavesdropped on and (worse) it was possible to root the device and run arbitrary code. Security researchers made merry by demonstrating running the game Doom on the device.

None of this succeeded in mollifying Bitfi, still less John McAfee, who dismissed all these weaknesses as inconsequential. During a video debate, McAfee said he wanted to promote the wallet as a safe way for newbies to switch over from fiat currencies, arguing that "pissing off" the hacker community with claims the tech was unhackable were a great way to help promote the product.

The community was less than impressed. Bitfi won the PwnieAwards for "Lamest Vendor Response" at Black Hat earlier this month on the back of write-in nominations for an award it wasn't initially nominated for.

The latest hack goes even further by demonstrating a cold boot attack, recovering passphrase and salt from memory.

Ken Munro of Pen Test Partners told El Reg that the latest hack "shows that anyone with physical access can extract the keys required to steal coins". Worse yet, "the keys can be recovered after a significant period of time. Even powering it off doesn't wipe them," he said, adding that the cold boot recover vid was done by a 16-year-old.

A variety of independent security researchers worked towards this goal but particular credit is due to Saleem Rashid (@spudowiar), Ryan Castellucci (@ryancdotorg) and Andrew Tierney (@cybergibbons).

Other contributors to the effort have included Ken Munro, Alan Woodward and others.

Professor Woodward of Surrey University confirmed Munro's prognosis on the pwnage.

He told El Reg that the latest video "shows taking a Bitfi wallet that has been used to deal in Bitcoins, plugged into a machine via the USB and the secret passphrase and salt then recovered from the memory of the wallet. Once you have that you can steal the bitcoins as we know how the wallet generates the keys using that input."

Bitfi responded to the latest blow by withdrawing its controversial $250,000 bounty and promising to drop the "unhackable" claim. It also stated that it wanted to work with bug bounty outfit Hacker One to replace its much criticised in-house offer.

Bitfi drops unhackable marketing claim

Bitfi drops unhackable marketing claim

Hacker One said Bitfi has yet to open a dialogue.

Bounty bar

Security researchers cried sham over Bitfi's initial bug bounty because it only covered one specific vector of attack, accessing coins on a device locked up with an unknown passphrase. This would have involved key recovery from a genuine, unaltered device. Excluded from the bounty was the possibility of modifying the device so that it records and sends the key to a malicious third party, among other possibilities.

The device failed to feature any anti-tampering measures so the possibility that units might be messed with before being returned to an intended mark isn't implausible.

Although Bitfi seemingly wants to make peace with hackers who have criticised its bounty, it is not ready to admit its tech is vulnerable to its paying customers, as evidenced here. El Reg asked Bitfi to clarify its contradictory statement as to whether its device was vulnerable. We'll update this story as and when more information comes to hand.

Critics, for their part, show no signs of relenting. "Bitfi can't recall products as user keys persist in memory," Ken Munro argued on Twitter, referencing the observations of team anti-Bitfi member @OverSoftN. ®

"This is NOT fixable by firmware, the Mediatek chipset simply was not built for this kind of device and provides features that can't be disabled by FW," @OverSoftN added.


The "unhackable" claim isn't even original. Oracle infamously described its technology as unbreakable years ago only to be proved wrong by security researcher David Litchfield shortly afterwards.

Broader topics

Other stories you might like

  • Robotics and 5G to spur growth of SoC industry – report
    Big OEMs hogging production and COVID causing supply issues

    The system-on-chip (SoC) side of the semiconductor industry is poised for growth between now and 2026, when it's predicted to be worth $6.85 billion, according to an analyst's report. 

    Chances are good that there's an SoC-powered device within arm's reach of you: the tiny integrated circuits contain everything needed for a basic computer, leading to their proliferation in mobile, IoT and smart devices. 

    The report predicting the growth comes from advisory biz Technavio, which looked at a long list of companies in the SoC market. Vendors it analyzed include Apple, Broadcom, Intel, Nvidia, TSMC, Toshiba, and more. The company predicts that much of the growth between now and 2026 will stem primarily from robotics and 5G. 

    Continue reading
  • Deepfake attacks can easily trick live facial recognition systems online
    Plus: Next PyTorch release will support Apple GPUs so devs can train neural networks on their own laptops

    In brief Miscreants can easily steal someone else's identity by tricking live facial recognition software using deepfakes, according to a new report.

    Sensity AI, a startup focused on tackling identity fraud, carried out a series of pretend attacks. Engineers scanned the image of someone from an ID card, and mapped their likeness onto another person's face. Sensity then tested whether they could breach live facial recognition systems by tricking them into believing the pretend attacker is a real user.

    So-called "liveness tests" try to authenticate identities in real-time, relying on images or video streams from cameras like face recognition used to unlock mobile phones, for example. Nine out of ten vendors failed Sensity's live deepfake attacks.

    Continue reading
  • Lonestar plans to put datacenters in the Moon's lava tubes
    How? Founder tells The Register 'Robots… lots of robots'

    Imagine a future where racks of computer servers hum quietly in darkness below the surface of the Moon.

    Here is where some of the most important data is stored, to be left untouched for as long as can be. The idea sounds like something from science-fiction, but one startup that recently emerged from stealth is trying to turn it into a reality. Lonestar Data Holdings has a unique mission unlike any other cloud provider: to build datacenters on the Moon backing up the world's data.

    "It's inconceivable to me that we are keeping our most precious assets, our knowledge and our data, on Earth, where we're setting off bombs and burning things," Christopher Stott, founder and CEO of Lonestar, told The Register. "We need to put our assets in place off our planet, where we can keep it safe."

    Continue reading

Biting the hand that feeds IT © 1998–2022