BitFi Security Manager Issues Statement on Potential Wallet Risks and Bounty Rewards
Michael M. “Trey” Garland, III, who is a production manager with BitFi Security, recently posted a statement about the ongoing security efforts that the company is making to strengthen wallets. In the announcement, which was posted to Twitter on Saturday, Garland indicates that he was formerly a member of a Hacker Collective that was evaluating and exposing the security holes in BitFi’s wallets. Since then, he has been able to compile “the extensive feedback that all of you in the InfoSec community have posted about BitFi.”
About a week ago, Garland was given the task of assessing the current state of security for these digital wallets, and he has since stated that he will be releasing “detailed findings” and their new “plan for addressing and mitigating these vulnerabilities.”
IMPORTANT STATEMENT FROM Bitfi: pic.twitter.com/2EkSYpSkCv
— Bitfi – open source: bitfi.dev (@TheBitfi) September 8, 2018
There were three bounty wallets sent out with funds. Within Bounty #1, the rules specifically stated that the funds were meant to be removed from the wallets, but that has not happened yet. Bounty #2 came with the following statement: “The firmware of the BitFi device is modified. After the firmware is modified, the device still needs to connect to the BitFi dashboard. The device then should be able to transmit either private keys or the users’ secret phrase to a third party while still functioning normally with the BitFi Dashboard… This bounty will be terminated after the first person identifies the weakness.”
At this point, Bounty #2 has already been achieved by user Saleem Rashid, and it will be awarded this month after Garland speaks with him about payment options. However, with these assessments, it is clear that there are “a number of issues” that will result in changes to the algorithms and technology that secure the wallets. Everything from the actual product to the website will need updating.
According to Garland, the next few weeks will come with many modifications. He said,
“In the coming weeks, we [will] be changing our messaging, removing references to being ‘unhackable’ from our branding, packaging, and website, adding and correcting information to the FAQ and support pages, and re-establishing our presence on GitHub. We will also be launching a product and security blog where I will occasionally offer a glimpse into my work and research I perform as part of my responsibilities at BitFi. These kinds of things take time, and we appreciate your patience.”
When all these assessments and bounty wallet challenges are complete, the CEO of BitFi, Daniel Khesin, will let the public know in a statement what has been learned through them. That statement will also include “how you have all truly helped us become a better company,” says Garland.
Garland offers his own email address for users with any other concerns. The email address is [email protected].