You may well be aware of the Bitfi wallet released by John Mcafee in recent months. The supposedly ‘unhackable’ wallet had a bounty programme which has caught the eyes of hackers all over the world. You may remember that the wallet was allegedly breached by a 15 year old boy not long ago, well now the infamous Bitfi wallet has supposedly been hacked… again.
“The radically innovative Bitfi wallet is the world’s first un-hackable device that is the quintessential expression of disruptive research and development.”
That’s the claim being made by Bitfi on their home page. They have offered an official bounty of $250,000 USD to anyone who can successfully hack and remove $10 worth of cryptocurrency from a Bitfi wallet.
The Bitfi bounty in fact has two parts with two separate rewards. They have the main $250,000 bounty “to remove funds from a prepared wallet”and a smaller $10,000 country to “demonstrate a man in the middle attack”
In this instance it has been reported by ‘Hard Fork’ that security researchers at Pen Test Partners were able to send signed transactions using Bitfi thereby fulfilling a vital requirement for the hardware wallet’s bounty program.
“Well, that’s a transaction made with a MitMed Bitfi, with the phrase and seed being sent to a remote machine,” Andrew Tierney, a security consultant at Pen Test Partners, wrote on Twitter. “That sounds a lot like Bounty 2 to me.”
The Bitifi bounty campaign
The rules for claiming the bounty are simple:
- We deposit coins into a Bitfi wallet
- If you wish to participate in the bounty program, you will purchase a Bitfi wallet that is preloaded with coins for just an additional $10 (the reason for the charge is because we need to ensure serious inquiries only)
- If you successfully extract the coins and empty the wallet, this would be considered a successful hack
- You can then keep the coins and Bitfi will make a payment to you of $250,000
- Please note that we grant anyone who participates in this bounty permission to use all possible attack vectors, including our servers, nodes, and our infrastructure
Please note that if you wish to participate we may ask you to make the process public so that others in the digital asset community can follow the attempt to hack the Bitfi wallet. The above is what we consider a successful hack. Nothing else will qualify. Please also note that this is not a bug bounty program. This is strictly a bounty to hack into the Bitfi wallet to allow those who claim they can hack it to attempt to do so.
Man in the middle conditions
Bitfi has three criteria to claim the bug bounty rewards: researchers should be able to prove they can modify the device, connect to the Bitfi server, and send sensitive data with the device.
The following is the interview with Hard Fork and the full article can be found here.
First up, modifying the device has been easy: the hackers gained complete access (root) to it two weeks ago. Since then, they have been tracking everything about the device, which means that they have a complete overview of the data being sent out of it. The researchers have also been able to confirm the wallet is still connected to the Bitfi servers, and liable to data interceptions.
“We intercepted the communications between the wallet and [Bitfi],” security researcher Andrew Tierney (more commonly known as Cybergibbons) told Hard Fork “This has allowed us to display silly messages on the screen. The interception really isn’t the big part of it, it’s just to demonstrate that it is connected to the dashboard and still works despite significant modification.”
But more importantly: Tierney also confirmed that they have met the third condition – they sent the device’s private keys and its passphrase to a remote server, meeting the three requirements to claim the $10,000.
“We have sent the seed and phrase from the device to another server, it just gets sent using netcat, nothing fancy.” Tierney said. “We believe all [conditions] have been met.”
Well, that's a transaction made with a MitMed Bitfi, with the phrase and seed being sent to a remote machine.— Ask Cybergibbons! (@cybergibbons) August 13, 2018
That sounds a lot like Bounty 2 to me. pic.twitter.com/qBOVQ1z6P2
Bitfi threaten those attempting to hack the wallet, despite being asked to make the attempts public
Bitfi quite clearly request that those attempting to hack the wallet make the attempts public:
make the process public so that others in the digital asset community can follow the attempt to hack the Bitfi wallet.
To those who’ve followed Bitfi’s wishes and made their hacking attempts public, the company issued a sinister threat via Twitter:
It’s hard to imagine how a company would ask security researchers to attempt to hack the wallet, offering a $250,000 reward for anyone who can successfully pull it off, only to then threaten them with ‘consequences’ for doing so.
Follow the progress of our $10,000 Live crypto investment fund! – Follow on Telegram