Hardware wallet manufacturer Bitfi is this year’s recipient of the Pwnie Award for the Lamest Vendor Response.
— Eric Vanderburg (@evanderburg) August 9, 2018
The award, which is given to vendors who handle a security vulnerability in the worst way possible, was awarded based on the controversies and missteps the device manufacturer has been embroiled in since its cryptocurrency wallet was unveiled close to two months ago.
‘Safest in the World’
During the launch of the device the executive chairman of Bitfi, John McAfee essentially declared the hardware wallet to be ‘unhackable’.
“Of all today’s elaborate and sophisticated methods for making wallets secure and easy to use, surely none is as epic as that of the new Bitfi wallet. Several of my competitors have pioneered innovative methods to protect private keys, but Bitfi pulled out all the stops to ensure that the private key can never be obtained by illicit means,” McAfee said at the time.
And on social media the founder of the eponymously named antivirus software proclaimed the wallet to be the most secure way of securing cryptocurrencies.
In less than five hours, my new unhackable Bitfi wallet will sell out again. The first batch sold out in only 22 minutes! Its light years beyond anything else out there and the safest way you can store your crypto. Go to https://t.co/ATFaxwUzQC
— John McAfee (@officialmcafee) June 27, 2018
As proof of the confidence Bitfi had in its claims, the hardware wallet manufacturer introduced a bounty program which initially was giving away US$100,000 before it was increased to US$250,000 to anyone who would to hack the wallet and take the pre-loaded bitcoins.
Exploit After Exploit
As CCN reported claims of the device getting hacked soon emerged and this included from an information security expert using the Twitter handle @OverSoft who proclaimed that the device had been rooted before posting the wallet’s ROM directory listings.
Short update without going into too much detail about BitFi:
We have root access, a patched firmware and can confirm the BitFi wallet still connect happily to the dashboard.
There are NO checks in place to prevent that like claimed by BitFi.
— OverSoft (@OverSoftNL) August 1, 2018
OverSoft was also able to find a suite of apps from Chinese online search engine giant Baidu installed on the device and this included GPS/Wi-Fi trackers as well as Mediatek firmware. This prompted hardware hacker Ryan Castelluci to brand the hardware wallet a bare-bones Android device.
Bitfi appears to be exactly what it looks like from the photos – a cheap stripped down Android phone. There’s some screenshots of it demanding to be connected to WiFi in order to function elsewhere in @cybergibbons‘s feed. Someone will probably have Doom running on it by Friday. https://t.co/cC1pZsahJH
— Ryan Castellucci [VEGAS] (@ryancdotorg) July 29, 2018
And perhaps as a response to Castelluci’s challenge, the 15-year old hacking prodigy Saleem Rashid, who was instrumental in disclosing security vulnerabilities in the Ledger hardware wallet earlier this year, was soon able to install the Doom game on the device and play it.
In recognition of @Bitfi6 and @officialmcafee and their prestigious @PwnieAwards accolades, we’d like to show you @spudowiar playing DooM on his #BitFi secure wallet! Congratulations! pic.twitter.com/50qZZu1MnF
— Abe Snowman (@AbeSnowman) August 9, 2018
However, Bitfi’s executive chairman was adamant that none of these actions constituted a successful hack according to the terms set in the bounty program.
“Let’s put this to bed. Using the wallet as a component in a video player is not a hack. Gaining root access on a device with no memory is not a hack,” McAfee wrote on Twitter while insisting that successfully hacking the device constituted getting the bitcoins that had been pre-loaded in the hardware wallet.
Additionally, a Bitfi spokesperson blamed all the controversies on its competitors in an emailed statement to Hard Fork:
“Please understand that the Bitfi wallet is a major threat to Ledger and Trezor because it renders their technology obsolete. So they hired an army of trolls to try to ruin our reputation (which is ok because the truth always prevails).”
For organizers of the Pwnies, the 2018 Lamest Vendor Response category was probably the easiest to award.
Featured image from Flickr.
Follow us on Telegram or subscribe to our newsletter here.
• Join CCN’s crypto community for $9.99 per month, click here.
• Want exclusive analysis and crypto insights from Hacked.com? Click here.
• Open Positions at CCN: Full Time and Part Time Journalists Wanted.