Bitfi’s executive chairman, cybersecurity pioneer John McAfee, has called the Bitfi wallet “the world’s first unhackable device.” To prove his claim, McAfee challenged security researchers to breach the device for a $10 000 bounty.
On August 13, the researchers successfully sent signed transactions with the device, despite the “security” mechanisms Bitfi has in place to prevent attackers from doing so.
The researchers believe they have fulfilled the conditions of Bitfi’s $10 000 bug bounty. Bitfi set three criteria for claiming the reward: researchers must prove they can modify the device, connect to the Bitfi server, and send sensitive data with the device.
Modifying the device was easy: the hackers gained complete (root) access to it two weeks ago. Since then, they have been tracking everything about the device, which gives them a complete overview of the data it sends out. The researchers have also confirmed that the wallet is still connected to the Bitfi servers and susceptible to data interception.
“We intercepted the communications between the wallet and [Bitfi],” security researcher Andrew Tierney (more commonly known as Cybergibbons) told Hard Fork. “This has allowed us to display silly messages on the screen. The interception really isn’t the big part of it, it’s just to demonstrate that it is connected to the dashboard and still works despite significant modification.”
Tierney also confirmed that they have met the third condition: they sent the device’s private keys and its passphrase to a remote server, meeting the three requirements to claim the $10 000 bounty.
“We have sent the seed and phrase from the device to another server, it just gets sent using netcat, nothing fancy,” Tierney said. “We believe all [conditions] have been met.”