‘Unhackable’ Bitfi Wallet Caught Lying as Security Hackers Chase $100k Bounty
Aug 2, 2018, 3:47PM
Security researchers around the world have revealed that there may be little to no truth to the Bitfi hardware wallet’s ‘unhackable’ claim.
A few days after Bitrates reported that John McAfee is offering a $100,000 bounty to anyone who breaks into his ‘unhackable’ Bitfi wallet, security researchers and hackers have pointed out several vulnerabilities in the device.
One of the first to tear down the hardware wallet was the security consultant Andrew Tierney, who tweeted that the guts of the device contained a standard off-the-shelf motherboard with a MediaTek MT6580 SoC (system on a chip). The same board is often found in cheap Android-based smartphones made by Chinese OEMs and vendors. He also added that there was “No sign of a secure element.”
Amidst the hype, Bitfi raised the stakes of the bounty and announced that it was offering $250,000 to anyone who successfully extracted the $50 worth of cryptocurrency stored on the testing devices it shipped out.
The problem with that, though, is that the terms of the bounty only cover the ‘extraction’ of onboard currency and not the dozen other backdoors available to hack the device. Due to the superfluous ‘unhackable’ claim propagated by McAfee and Bitfi, many are pointing out that the bounty should cover any and all possibilities. Andrew commented on this as well, saying:
“The only way to win the bounty is to recover a key from a device which doesn’t store a key. There are many, many more attacks such a device is vulnerable to. The most obvious one: modifying the device so that it records and sends the key to a malicious third party. But this is excluded from the bounty. Why is this? Because the bounty is a sham.”
So far, a number of critical vulnerabilities have been discovered. For one, the communication between the board and the touchscreen takes place through an unencrypted I²C protocol, which can be easily intercepted. Next, the bootloader can be accessed and read during bootup with commonly available MediaTek-specific software. And finally, the device can even be exploited to gain root access, all while still reporting as a genuine, untampered device.
What’s worse is that the hardware wallet was even found to house Android-related bloatware that causes it to ping Google and Baidu servers every few minutes.
With the amount of backlash Bitfi was receiving on Twitter, John McAfee decided to step in. In a tweet published August 1, he stated,
Bitfi hasn’t been silent all this while either. The company’s official Twitter handle was seen responding to one individual pointing out that the device was a stripped-down phone in the following way,
Meanwhile, the company has also announced a Bounty #2 worth a mere $10,000 which now covers firmware modification as well. Andrew, the aforementioned security researcher, succinctly dismissed it with the statement “Not. Enough. Cash.”