They also suspended their bounty program but launched a “conventional” one through the HackerOne platform. The statement in question said that Bitfi had hired a security manager to “confirm vulnerabilities” that have been discovered by researchers. They said:
“While our intention has been to unite the community and accelerate the adoption of digital assets worldwide, we realize that some of our actions have been counterproductive to that goal.”
Even as Bitfi stated that they will no longer claim their wallet is unhackable, the website displays the term on both the homepage and some other pages.
The attack successfully removed all the stored funds from an unmodified Bitfi wallet, using the inherent flaws in the wallet's architecture. It was uncovered by researchers Saleem Rashid and Ryan Castellucci as part of the team “THCMKACGASSCO”, and can be executed even when the wallet is switched off.
The wallet reportedly relies on a two-fold method to ensure the security of the users’ funds. One is the secret phrase, a mainstay of any wallet storing cryptocurrencies, and the other is a “salt” phrase or value, which is used to encrypt the secret phrase to deny access.
In a statement to TechCrunch, Rashid stated that the private keys are stored in the memory of the wallet. Moreover, he posted a video to Twitter of the wallet being ‘cold boot attacked’, as rooting the device does not wipe the RAM. This, in turn, led to him extracting the memory, finding the keys and successfully removing the funds from the wallet.
“on a completely unrelated note, here is a @Bitfi6 being cold boot attacked. it turns out that rooting the device does not wipe RAM clean. who would have thought it!? i feel this music is very appropriate for @Bitfi6 pic.twitter.com/jpSnYBd9Vk”
— Saleem “Unhackable” Rashid (@spudowiar), 30 August 2018
The video shows Rashid running an exploit on a computer that effectively hacks the “unhackable” wallet. Once the exploit has run, the funds are removed from the wallet.
John McAfee, who promoted the wallet extensively, said after the first exploit:
“The press claiming the BitFi wallet has been hacked. Utter nonsense. The wallet is hacked when someone gets the coins. No-one got any coins. Gaining root access in an attempt to get the coins is not a hack. It’s a failed attempt. All these alleged “hacks” did not get the coins.”
In a statement to TechCrunch, Bill Powell, the Vice President of Operations at BitFi, stated:
“[A hack is] anything that would allow an attacker to access funds held by the wallet…because the device does not store private keys, that is what prompted the unhackable claim”
Security researchers, however, claimed that no update by the team would be able to make the wallet more secure, because the flaw is inherent in the architecture of the system.
User dwfogel said:
“If you guys are serious the first thing you need to do is recall the current hardware – it’s inherently insecure.”
User OverSoftNL, one of the first security researchers to attempt hacking the wallet, also agreed that it was insecure, stating:
“It is, there is no way to fix this with a firmware update.”