John McAfee’s latest creation, the Bitfi wallet, was released on June 25, 2018. The company claimed that anyone who could hack into its digital wallet and prove it would claim a bounty of $100,000. The company insisted this was not a marketing technique, stating:
This bounty program is not intended to help Bitfi to identify security vulnerabilities since we already claim that our security is absolute and that the wallet cannot be hacked or penetrated by outside attacks, rather this program is intended to demonstrate to anyone who claims or believes that nothing is unhackable or that they can hack into the Bitfi wallet, that such attempts are futile and that the advertised claims about the Bitfi wallet are accurate.
This marketing technique has since backfired and caused a lot of trouble for the company. Not only did a teenager manage to gain root access to the device, but he also started a debate with the company that has turned a few heads.
The company then raised the bounty to a whopping $250,000 for anyone who could compromise the device.
The bold claim invited serious trouble, even though the company stated that the bounty was not a way to find vulnerabilities, since the device was supposedly tamper-proof and could not be hacked. However, when bounty hunters dismantled the Bitfi device, they found nothing more than the components of an Android phone with the cellular connectivity parts missing. The device therefore looked like a massive rip-off: it costs $120, whereas a comparable mobile phone costs $35. A picture of the completely dismantled device was tweeted:
So now we have pictures of the bare @Bitfi6 board.
It’s just a MEDIATEK MT6580.
No sign of a secure element.
— Ask Cybergibbons! (@cybergibbons) July 29, 2018
The bounty program also comes with a set of rules that must be followed in order to claim it. You have to purchase the wallet and load it up with 50 crypto coins. In addition, to claim the bounty you have to recover the key, which is never stored on the device.
The bounty deliberately includes only one attack: key recovery from a genuine, unaltered device. And the device doesn’t store the key.
Security researcher Andrew Tierney said:
“The only way to win the bounty is to recover a key from a device which doesn’t store a key. There are many, many more attacks such a device is vulnerable to. The most obvious one: modifying the device so that it records and sends the key to a malicious third party. However, this is excluded from the bounty. Why is this? Because the bounty is a sham.”
OverSoft did not obtain the key, but they did gain root access to the device, patch the firmware and confirm that the wallet still connected to the Bitfi dashboard. The researchers tweeted that there are NO checks in place to prevent this, contrary to Bitfi’s claims:
Short update without going into too much detail about BitFi:
We have root access, a patched firmware and can confirm the BitFi wallet still connects happily to the dashboard.
There are NO checks in place to prevent that, as claimed by BitFi.
— OverSoft (@OverSoftNL) August 1, 2018
In addition to many analysts calling the bounty a sham, others managed to get a backdoor into the device’s software, among them, surprisingly, a 15-year-old, Saleem Rashid. The teenager had a heated debate with the company on Twitter, to which Bitfi replied:
Sir, rooting the device does not mean it has been hacked. The reason why this would not be a hack is because the device will not synchronize with our Dashboard, and so a customer who buys this modified device will think it is defective. But we have a bounty out to see if it can be done; maybe the people in the InfoSec community know something we don’t.
After Bitfi refused to accept any of the claims about the backdoor, OverSoft had this to say:
They deny anything that’s not exactly according to their bounty rules, aka: they will never pay a bounty. It’s pure marketing.
OverSoft also noted that the device, which is essentially a normal Android phone, ships with some unnecessary and rather troubling apps:
At least the Baidu and Adups apps are indeed actively running on the device, including calling home to Baidu and Adups,
The rest of the system/vendor partitions include drivers for removed devices like the camera, tcpdump, adbd and several other debugging binaries.
Whether or not someone actually succeeds in hacking the Bitfi device under the stated rules, putting a bounty on it was simply an invitation to trouble. If someone does manage it, the company will have far more problems than just a bounty to pay.