“Unhackable” Bitfi crypto wallet. What’s all the fuss about?

2018-07-30T11:34:37
ID PENTESTPARTNERS:F792D37FB5015ABB87D1C6ADA1101432
Type pentestpartners
Reporter Ken Munro
Modified 2018-07-30T11:34:37

Description

If you haven’t already seen the Bitfi cryptocurrency wallet, check it out here.

With backing from John McAfee, it’s claimed that the device is unhackable. So why all the fuss in the infosec community?

Here’s the claim they make:

‘Completely un-hackable’

That is a very, very brave claim to make. They haven’t caveated the claim in their press materials; the focus is squarely on ‘unhackable’.

That claim is going to get the attention of any infosec researcher. Security is not binary: secure/not secure. There are many degrees of ‘greyness’ based on the risk and threat profile.

If the claim were that stealing funds by extracting the passphrase from the device in a real-world situation would be all but impossible, then fair enough.

But that’s not the claim. To quote the above tweet ‘…unhackable device’.

Getting hardware security right is very difficult. The attack surface is huge; our blog is littered with devices that were vulnerable.

Digging a little deeper, we then find some more details of the bounty:

<https://bitfi.com/bounty>

So, the scope of the bounty is actually very small and pretty unrealistic. Marketing fluff?

We did start to consider whether the $170 cost ($120 purchase price + $50 pre-load) was actually a bit of a scam to sell the wallets!

However, we bought some anyway.

It transpired that the device is effectively a cut-down Android phone (thanks @Mindstalker612); the bill of materials is perhaps $35. It’s based on a Mediatek MT6580:

You can even see where the SIM card slots were!

This doesn’t bode well.

A bit of balance?

I don’t think any security researcher would complain if the claim and bounty were balanced and reasonable, but they’re not.

If they had claimed that they were MORE secure than other hardware wallets, fair enough.

BUT, the headline claim is ‘unhackable’, and it’s been positioned so that researchers who question it are ‘naysayers’.

When quizzed publicly about this on Twitter, there have been some contradictory responses from @bitfi6, for example:

That’s completely untrue, remember this is a cut-down Android phone:

They also claim that there is no software on the device:

Oh dear. Of course there is software on it. It’s running an O/S, it has a CPU…

Even better, some of the researchers involved, including our @cybergibbons, have been accused of working on behalf of other wallet providers such as Trezor:

That is most certainly not the case, though several other hardware wallets have had security flaws.

What do Bitfi want? A public fight? I guess the game is afoot then.