The drama revolving around Bitfi, John McAfee’s ostensibly ‘unhackable’ wallet, has managed to gain recognition from the community. This week the wallet became an early winner of the Pwnie Award for the Lamest Vendor Response, a trophy of mediocre prestige given to the company that handles security vulnerabilities in the worst possible way in a given year.
For the uninitiated, at the end of July McAfee announced a bounty programme: a hacker who, following certain rules, got access to Bitfi’s wallet would in return receive a bounty, which McAfee raised from $100 000 to $250 000. Eventually, the marketing strategy paid off and the POTUS candidate managed to draw attention to his product.
A few hackers, including a fifteen-year-old, rooted the device, which is apparently a cheap Android phone. Instead of dealing with the matter in a civilized manner and admitting that its product does not match Bitfi’s claim “that our security is absolute and that the wallet cannot be hacked or penetrated by outside attacks,” the wallet representatives engaged in tweet battles while McAfee resorted to his usual megalomaniac “attack everyone” kind of rhetoric. The full story is available here.
The issuers of the Lamest Vendor Response award took this behavior into account. According to their site, the credit for the award goes to “lots of people”, while the justification is the following: “this response has everything. Bitcoin. The word Unhackable. John McAfee. A 250k Bounty that is so narrowly constrained it is ridiculous. Reverse engineers posting that the wallet has no hardware security mechanisms (not even anti-tamper). Multiple people breaking the device. A video of John McAfee being displayed onscreen on the device. A tweet from Bitfi claiming that rooting the device doesn’t mean that it was hacked.”
Then there is also the fact that McAfee tried to use this situation to debase his competitors Ledger and Trezor. He tweeted: “Please understand that the Bitfi wallet is a major threat to Ledger and Trezor because it renders their technology obsolete. So they hired an army of trolls to try to ruin our reputation (which is ok because the truth always prevails).”
And then he tweeted once again:
So, if a hostile tank enters a defended city but does not kill people in a specific house, should all the inhabitants, including the ones living in that specific house, feel safe, ignore the tank and claim that their army is impeccable?
McAfee might consider answering this question once he comes back from Hatteras Island, where he is currently enjoying his holiday according to his latest tweets. In the meantime, he should prepare to claim the well-earned award alongside Michał Zalewski. The latter has been granted the Lifetime Achievement Award for his book Silence on the Wire, “which is one of the best examples of what it means to ‘hack’ and embodies the spirit of a true hacker.”
All winners of Pwnie Awards (not all of them are of a sarcastic nature) for Most Over-hyped Bug, for Most Innovative Research, for Best Cryptographic Attack and other categories are available via this link.