John McAfee BitFi Wallet Finally Hacked? Unhackable Buzzword Dropped After Recent Breach
One of the things we always need to remember in the crypto space is that ‘nothing is unhackable.’ This applies to John McAfee as well. The prominent cryptocurrency figure was backing a virtual currency wallet that was considered ‘unhackable.’ However, in recent days it has been hacked twice.
Bitfi Wallet Gets Hacked Again
Well-known security researchers were able to hack the wallet for the second time and could gain access to the stored funds. The $120 wallet works with a user-generated secret phrase and a ‘salt’ value such as a phone number. In this way, the secret phrase can be scrambled using cryptography.
These two unique values are meant to assure users that their funds are secure. However, security researchers say that the secret phrase and salt can be easily extracted. Anyone who has access to this information can generate the private keys and thus steal the funds.
This was shown by the Twitter user known as @spudowiar on August 30.
Bill Powell of @Bitfi6 discussing the single assumption upon which the entirety of @Bitfi6's ridiculous UNHACKABLE claim lies
could you even IMAGINE if this assumption was proved false? https://t.co/gdVg32Hhzu pic.twitter.com/pn07hAf2uP
— Saleem Rashid (@saleemrash1d) August 30, 2018
The information was shared by Saleem Rashid and Ryan Castellucci. In a video, Rashid shows how he sets a secret phrase and salt. He then runs a local exploit and is able to extract the keys from the device.
Andrew Tierney, a security researcher at Pen Test Partners, was able to verify the attack. He has also been one of the researchers hacking Bitfi. The company was offering $250,000 to anyone able to conduct an attack. Tierney explains that the attack meets the requirements of the bounty, even if it does not meet the specific terms set by Bitfi.
However, John McAfee said that the wallet is hacked only if a user gets the coins. As nobody got them, he argues, the attack cannot be considered successful.
Bill Powell, vice president of operations at Bitfi, said that users should get the funds held by the wallet.
“Because the device does not store private keys, that is what prompted the unhackable claim,” explained Powell.
After this situation, the company hired an experienced security manager who will be confirming the vulnerabilities found by the researchers. At the same time, they closed the bounty programs and deleted the word ‘unhackable’ from their website.
Back in July, the company received the Pwnie Award for Lamest Vendor Response, a prize given to companies that react the worst in response to security issues.