Today let’s discuss John McAfee’s cryptocurrency wallet, the Bitfi wallet, defined by the popular cyber security expert “unhackable.”
Unfortunately, nothing is unhackable, and the Bitfi wallet was already hacked two times.
The Bitfi wallet is an Android-powered hardware device for storing cryptocurrencies and crypto assets.
A team of security researchers called THCMKACGASSCO devised a new attack that could allow them to steal all the stored funds from an unmodified Bitfi wallet.
The wallet relies on a user-generated secret phrase and a “salt” value to cryptographically scramble the secret phrase. The experts who devised the attack explained that the secret phrase and salt can be obtained allowing the attackers to generate the private keys and stole the funds.
“The Android-powered $120 wallet relies on a user-generated secret phrase and a “salt” value — like a phone number — to cryptographically scramble the secret phrase. The idea is that the two unique values ensure that your funds remain secure.” reported Techcrunch.com.
“But the researchers say that the secret phrase and salt can be extracted, allowing private keys to be generated and the funds stolen”
The security duo composed of Saleem Rashid and Ryan Castellucci, members of a the THCMKACGASSCO, developed the exploits for the attack and published a video PoC for the hack. In the video PoC is shown that setting a secret phrase and salt, and running a local exploit, it is possible to extract the keys from the device.
The video shows the attack can take less than two minutes to be executed.
on a completely unrelated note, here is a @Bitfi6 being cold boot attacked.
it turns out that rooting the device does not wipe RAM clean. who would have thought it!?
— Saleem "Unhackable" Rashid (@spudowiar) August 30, 2018
Rashid explained that they discovered that the keys are stored in the memory longer than Bitfi claims. The experts have devised a technique to run code on the hardware wallet without erasing the content of memory that included the keys, then they were able to extract the content of the m2mory including the keys.
The bad news is that the attack is trivial to carry out and doesn’t require any specific hardware as explained by Andrew Tierney, a security researcher with Pen Test Partners who verified the new attack.
Tierney was one of the members of the hacking team that carried out the first Bitfi attack.
Well, that's a transaction made with a MitMed Bitfi, with the phrase and seed being sent to a remote machine.
That sounds a lot like Bounty 2 to me. pic.twitter.com/qBOVQ1z6P2
— Ask Cybergibbons! (@cybergibbons) August 13, 2018
McAfee offered a $250,000 bounty for anyone who could successfully carry out an attack on the wallet that will result with the theft of the coins.
Bitfi did not pay out the bug bounty because the attack demonstrated by the researchers was outside the scope of the bounty.
The press claiming the BitFi wallet has been hacked. Utter nonsense. The wallet is hacked when someone gets the coins. No-one got any coins. Gaining root access in an attempt to get the coins is not a hack. It's a failed attempt. All these alleged "hacks" did not get the coins.
— John McAfee (@officialmcafee) August 3, 2018
I haven’t really been following this Bitfi nonsense, but I do so love when companies threaten security researchers. pic.twitter.com/McyBGqM3bt
— Matthew Green (@matthew_d_green) August 6, 2018
Differently from the first hack, this second one demonstrated by the security duo seems to in scope for the bug bounty.
Bill Powel, vice president of operations at Bitfi, told TechCrunch in an email that the company defines a hack “as anything that would allow an attacker to access funds held by the wallet.”
After the researchers published the video PoC of the attack, Bitfi announced to have hired an experienced security manager, who is confirming vulnerabilities that have been identified by researchers.
Important announcement from Bitfi: pic.twitter.com/SD4ZCJxvLn
— Bitfi (@Bitfi6) August 30, 2018
Rashid will not publicly disclose the exploit code to avoid hackers using it.