Last week Altcoinbuzz asked whether anyone fancied hacking a crypto wallet for $100 000. The article concerned Bitfi and its promoter John McAfee, who set up a special bounty programme offering money to anyone who could break into the wallet they market as ‘unhackable’. As you might have guessed, it all went a little bit wrong.
As a reminder, Bitfi spelled out specific rules: a would-be hacker had to buy the wallet for $120, load it with $50 of coins and then try to get the funds out. McAfee himself later raised the bounty to $250 000.
What happened
It all began with a tweet by Ask Cyber Gibbons, who posted pictures of the bare Bitfi board, which did not look very sophisticated. Kamil Breijcha then reposted the picture and sarcastically described it as the most secure wallet, which according to him “is just a cheap android phone without any secure element.”
Later on, Oversoft, an IT specialist from the Netherlands, joined in, saying that he now had root access. Unless the authors have a different understanding of the matter, rooting means obtaining the highest privilege level on the device’s Android system, which gives full access to Bitfi’s files and to whatever the wallet software does while it runs.
Another tweet followed from Ask Cyber Gibbons, who stated once again that, with the help of Saleem Rashid, who openly describes himself as a “Bitcoin hardware wallet breaker,” the Bitfi had been rooted. Rashid, who is fifteen, had previously unearthed a security vulnerability in the Ledger hardware wallet back in 2017. Predictably, Bitfi did not react well: it called the claim a disgrace and hinted at shenanigans by competitors. Trezor even posted a tweet denying any involvement.
Bitfi CEO Daniel Khesin went on to say that the company had “absolutely no evidence” the wallet was insecure: “As of now, we have no evidence that our device can be hacked and if someone succeeds in doing so then we will immediately put out a fix to all devices to address the vulnerability that was discovered and it will be unhackable once again.”
This statement alone casts very serious doubt on whether Bitfi realizes how it sounds. Patching each successful attack after the fact does not make a device ‘unhackable once again.’ A device that needs that treatment was not unhackable to begin with, and ‘no evidence’ of a break is not evidence that one is impossible.
Moreover, Alan Woodward, a security and cryptography expert at the University of Surrey, stated that he does not consider the material published by Rashid and others to be speculation. He then explained the researchers’ surprisingly noble motives.
He wrote: “And we don’t want your money. Give it to charity. We are concerned that others will entrust their money to something that is not secure in the way you appear to suggest.” Bitfi’s responses were predictably defensive, repeatedly asking for more proof. Asking for proof is a reasonable demand in itself, especially given that Rashid and his colleagues did not claim the bounty. After all, hacking and nobility are an odd couple.
Yet Bitfi’s subsequent behaviour, particularly asking the community to help identify what is wrong with the product, raises even more concern about the company’s competence and candour.
Everything is wrong in McAfee’s kingdom
Predictably, Bitfi’s evangelist McAfee responded sharply to the alleged hack. He started by posting a three-video saga which he describes “as a definitive video countering all the nonsense claims.” In it, he mostly discusses the definition of a hack. So what is a hack? Merriam-Webster defines it as “an act or instance of gaining or attempting to gain illegal access to a computer or computer system.”
McAfee, however, has a slightly different version of what a hack is. He adds the element of taking something as a result of the intrusion. In effect, after the word “system” in Merriam-Webster’s definition he inserts “that resulted in seizing any entity that belongs to the hacked party.” By that definition, one of McAfee’s own making, no hack took place.
But here is the thing: it most likely did, and not only by the dictionary’s definition. Bitfi’s own bounty programme states that “this bounty program is not intended to help Bitfi to identify security vulnerabilities since we already claim that our security is absolute and that the wallet cannot be hacked or penetrated by outside attacks.”
This not only flatly contradicts Bitfi’s tweets mentioned above, in which they tell Woodward that they want the community to help them identify problems; it also shows that they unwittingly acknowledge a hack in its ordinary, traditional meaning. They position the product as immaculate, so by their own account it needs neither help nor advice. Yet their subsequent tweet asking for assistance completely and utterly defies that notion: it turns out they do need help.
To make it worse, they kept saying they would reward any capable researcher who could help identify weaknesses in their “immaculate” product. In fact, they have made so many self-compromising tweets that covering them would take a page of its own.
McAfee further fanned the flames with his tweet: “Hackers saying they have gained root access to the BitFi wallet. Well whoop-de-do! So what? Root access to a device with no write or modify capability. That’s as useless as a dentist license in a nuclear power plant. Can you get the money on the wallet? No. That’s what matters.”
Unfortunately for McAfee, that is not all that matters. In this very tweet he acknowledges that the researchers did get into the system, and root on an Android device is not a trivial result: it is the highest privilege the operating system grants, so anything the wallet software reads, computes or stores while it runs is within reach of code running as root. Whether that reach can be turned into stolen funds is a separate question, but it is the wrong question to wave away. Aigars Mass formulated this well in his reply to McAfee.
Bitfi tweeted, “Sir, rooting the device does not mean it has been hacked,” and Woodward replied that it is very dangerous to think that way. By Bitfi’s logic, unsolicited rooting is apparently an act of friendship. Why the researchers chose not to take the money, whether for noble reasons or any other, is not that important.
Yet neither exchange has changed McAfee’s stance. He remains in denial, just like Bitfi, insisting that one must actually take the sum. Perhaps the researchers did not fully comply with the rules of the bounty programme, although that too is open to debate, most likely at a lawyer’s office. But again, this is secondary. Meanwhile, the company set up a new bounty in its endeavour not to give up. This time it is just $10 000, and the claimant needs to transmit “private keys or the user’s secret phrase to a third party while still functioning normally with the Bitfi Dashboard.”
The defensive posture is understandable. After all, they want the researchers to work on retrieving the most valuable information the wallet contains, which will most probably take some time. But already after round one it is obvious that, with something like 99.9% certainty, this is a hackable device. The situation showcases a huge flaw in marketing and communication, as well as a desire to stage a megalomaniac one-man show. Instead of calling the wallet unhackable and creating an aura of exclusivity around it, the creators should work on their self-perception. Then the community will truly benefit.