John McAfee’s ‘unhackable’ Bitfi wallet got hacked — again

If the security community could tell you just one thing, it's that "nothing is unhackable." Except John McAfee's cryptocurrency wallet,
which was only unhackable until it wasn't — twice. Security researchers have now developed a second attack, which they say can obtain all
the stored funds from an unmodified Bitfi wallet.

The Android-powered $120 wallet relies on a user-generated secret phrase and a "salt" value — like a phone number — to cryptographically
scramble the secret phrase. The idea is that the two unique values ensure that your funds remain secure. But the researchers say that the
secret phrase and salt can be extracted, allowing private keys to be generated and the funds stolen. Using this "cold boot attack," it's
possible to steal funds even when a Bitfi wallet is switched off.

There's a video below.

"on a completely unrelated note, here is a @Bitfi6 being cold boot attacked. it turns out that rooting the device does not wipe RAM clean
who would have thought it! i feel this music is very appropriate for @Bitfi6 pic.twitter.com/jpSnYBd9Vk"
-- Saleem "Unhackable" Rashid (@spudowiar), August 30, 2018

The researchers, Saleem Rashid and Ryan Castellucci, uncovered and built the exploits as part of a team of several security researchers
calling themselves "THCMKACGASSCO" (after their initials). The two researchers shared them with TechCrunch prior to release.

In the video, Rashid is shown setting a secret phrase and salt, and running a local exploit to extract the keys from the device. Rashid
told TechCrunch that the keys are stored in the memory longer than Bitfi claims, allowing their combined exploits to run code on the
hardware without erasing the memory. From there, an attacker can extract the memory and find the keys.

The exploit takes less than two minutes to run, Rashid said. "This attack is both reliable and practical, requiring no specialist
hardware," said Andrew Tierney, a security researcher with Pen Test Partners, who verified the attack. Tierney was one of the hackers
behind the first Bitfi attack.

The McAfee-backed company offered a $250,000 bounty for anyone who could carry out what its makers consider a "successful attack." But
Bitfi declined to pay out, arguing that the hack was outside the scope of the bounty, and instead resorted to posting threats on Twitter.
This new attack, Tierney says, "meets the requirements of the bounty in spirit, even if it does not meet the specific terms that Bitfi
have set." McAfee earlier this month said, "the wallet is hacked when someone gets the coins."

"The press claiming the BitFi wallet has been hacked. Utter nonsense. The wallet is hacked when someone gets the coins. No-one got any
coins. Gaining root access in an attempt to get the coins is not a hack. It's a failed attempt. All these alleged "hacks" did not get the
coins."
-- John McAfee (@officialmcafee), August 3, 2018

Bill Powel, vice president of operations at Bitfi, told TechCrunch in an email that the company defines a hack "as anything that would
allow an attacker to access funds held by the wallet." "Because the device does not store private keys, that is what prompted the
unhackable claim," he said. When pressed, Powel did not address the specific claims of the cold boot attack.
McAfee, who was copied on the email to Bitfi, did not respond.

Within an hour of the researchers posting the video, Bitfi said in a tweeted statement that it has "hired an experienced security
manager, who is confirming vulnerabilities that have been identified by researchers." "Effective immediately, we are closing the current
bounty programs which have caused understandable anger and frustration among researchers," it added. The statement also said it will no
longer use the "unhackable" claim on its website.

Rashid said he has no immediate plans to release the exploit code so as to prevent the estimated few thousand Bitfi users from being put
at risk.

Just last month, Bitfi won the Pwnie Award for Lamest Vendor Response, a traditional award given out at the Black Hat conference for
companies that react the worst in response to security issues.