Fresh from receiving the ‘Lamest Vendor Response Award’ at the Pwnies, a high profile cyber security awards ceremony held last week, Bitfi has been hacked for a second time, fundamentally undermining sMcAfee’s claim that the product is ‘unhackable.’
After hackers previously exploited loopholes to play video game DOOM on Bitfi wallet servers, cybersecurity researchers have now managed to send signed transactions, in spite of so-called ‘security’ measures designed to prevent these types of exploits.
Well, that's a transaction made with a MitMed Bitfi, with the phrase and seed being sent to a remote machine.
That sounds a lot like Bounty 2 to me. pic.twitter.com/qBOVQ1z6P2
— Ask Cybergibbons! (@cybergibbons) August 13, 2018
The researchers are now claiming the $10,000 bounty for uncovering bugs in the wallet, conditional on three tests set by Bitfi: that researchers demonstrate they can modify the device, that they can connect to Bitfi servers, and that they can transmit sensitive data using the device.
Security researcher Andrew Tierney, also known as Cybergibbons, said that these conditions had been met by the latest hack. In an interview with The Next Web, Tierney said, “We intercepted the communications between the wallet and [Bitfi]. This has allowed us to display silly messages on the screen. The interception really isn’t the big part of it, it’s just to demonstrate that it is connected to the dashboard and still works despite significant modification.”
He added, “We have sent the seed and phrase from the device to another server, it just gets sent using netcat, nothing fancy. We believe all [conditions] have been met.”
Known for his outlandish and overblown claims, McAfee announced during the launch of Bitfi that the wallet was essential impenetrable, saying: “Of all today’s elaborate and sophisticated methods for making wallets secure and easy to use, surely none is as epic as that of the new Bitfi wallet. Several of my competitors have pioneered innovative methods to protect private keys, but Bitfi pulled out all the stops to ensure that the private key can never be obtained by illicit means.”
The latest hack only compounds the previous flaws identified in Bitfi, and should, by rights, lead to a payout of the $10,000 bounty.
At the time of writing, there was no confirmation from Bitfi that the bug bounty would be paid, although on the face of it, it looks as though the researchers have satisfied all three of the eligibility criteria.