Bounty for hacking the ‘unhackable’ Bitfi wallet jumps from $100K to $250K

Toss around claims about a device being unhackable, and they will come for you. Amid the drama, McAfee upped the bounty for hacking the Bitfi hardware crypto wallet to $250,000.


I DARE YOU! That’s what the term "unhackable" screams at some, raising their hackles and prompting them to accept the challenge, because to a determined attacker there is no such thing as unhackable.

John McAfee disagrees with that and first offered a $100,000 bounty for hacking the Bitfi wallet. Following claims by security researchers that the hardware cryptocurrency wallet wasn’t unhackable, McAfee upped the bounty to $250,000.

When the $120 hardware wallet launched, Bitfi claimed the device, which looks like a phone, was “the world’s first unhackable device.” Bitfi partnered with John McAfee, and McAfee quickly went about touting the device’s unhackability.

Bitfi also strongly disagrees with the “nothing is unhackable” claim, saying that its “bounty program is not intended to help Bitfi to identify security vulnerabilities, since we already claim that our security is absolute and that the wallet cannot be hacked or penetrated by outside attacks.”

The rules for claiming the bounty are that you pay an additional $10 for the $120 Bitfi wallet to come preloaded with coins. “If you successfully extract the coins and empty the wallet, this would be considered a successful hack.” Then you get to keep the coins and can cash in on the $250,000 bounty.

Enter the testers — and the drama

Pen Test Partners broke down the wallet and started picking it apart. Andrew Tierney, aka @cybergibbons, claimed the bounty was a sham. That led to Bitfi suggesting Tierney was working for other cryptocurrency wallet providers. That was followed by Rob Loggia, a McAfee technical advisor, rebutting the “fake negative reviews” of Bitfi; Loggia took particular exception to security researcher Ryan Castellucci saying Bitfi is “a cheap stripped down Android phone” and then adding, “I strongly advise against using one of these devices.” Yep, it’s a drama-fest.

Responding to claims that Bitfi was an “insecure stripped down phone” being pushed “as a secure hardware wallet,” Bitfi tweeted:

A group of researchers then made Bitfi ROM directory listings public; the listings of both the system and vendor partitions are on Pastebin. The researchers did find some troubling apps on the device, including the Chinese app Baidu and the Adups malware, which appear to be calling home.

The researchers specifically noted:

Most of the firmware looks just like a normal MTK phone, including:

A Baidu GPS/WIFI tracker
The well-known Adups FOTA malware suite
The entire Mediatek library of example apps
A tracker, capable of logging all activity on the device

Responding to the claims that the device comes preloaded with spyware and malware, Bitfi told The Next Web that an “army of trolls” allegedly working on behalf of wallet competitors Trezor and Ledger is behind them.

Please understand that the Bitfi wallet is a major threat to Ledger and Trezor because it renders their technology obsolete. So they hired an army of trolls to try to ruin our reputation (which is ok because the truth always prevails).

Bitfi added:

“There is absolutely no Chinese bloatware whatsoever,” the spokesperson further told Hard Fork. “The device simply has Google and Bidu [sic] to be able to ping something to see if it is connected to the internet or not. Bidu [sic] is there because we have customers in China and Google is blocked in China. So for Chinese customers the device will simply ping Bidu [sic]. Thats all. None of this has anything to do with the security of the device. I mean we are offering a $250,000 bounty. Do you see any other wallet doing that?”

“All these trolls can do is talk smack all day but they can’t hack the wallet if their life depended on it.”

Other researchers are waiting to see if Bitfi will release the source code, as it is advertised as being an open source crypto wallet.

Meanwhile, McAfee upped the bounty for the “unhackable” Bitfi wallet to $250,000.

Other bounties for hacking Bitfi

McAfee isn’t the only one dangling a bounty as bait. There are currently at least three other researchers offering £600 (roughly $800) to the hacker who can “demonstrate and openly publish a practical attack on Bitfi.” Ken White offered to kick in another £100 if:
