McAfee-backed Bitfi admits to being hackable, ropes in new security manager
Bitfi is in the process of shrugging off John McAfee's declaration that the Bitfi wallet is unhackable. A recent tweet from the company called the claim ‘counterproductive’ to the mass adoption of virtual currencies and said the company will remove the unhackable claim from its branding. However, McAfee, the originator of the claim, is still standing by his word, according to his tweet.
The Bitfi wallet’s claim came apart as a second attack was developed by a team of security researchers, according to a report. The researchers were able to successfully execute a cold boot attack, which enables a hacker to acquire all the stored funds from an unmodified Bitfi wallet. This hack can be accomplished even when a wallet is switched off.
The wallet supports a user-generated secret phrase and a “salt” value. These two unique values help to ensure the security of funds. However, the researchers have found that these two values can be extracted to obtain the private keys, which ultimately provide access to the funds on the wallet. Andrew Tierney, a security researcher with Pen Test Partners who verified the attack, said, “This attack is both reliable and practical, requiring no specialist hardware.”
Two researchers from the team released a video that shows a local exploit being set up to get the keys from the device. Within an hour of the video being posted, the company withdrew its claim of being an unhackable wallet and tweeted that it will be hiring a new security manager who will confirm the vulnerabilities found by the researchers.
Important announcement from Bitfi: pic.twitter.com/SD4ZCJxvLn
— Bitfi (@Bitfi6) August 30, 2018
The first bug bounty program announced by Bitfi, which challenged all hackers to pull coins out of the wallet, saw a successful attempt by a couple of researchers. The first attack found loopholes in the Bitfi wallet’s operating system. The hackers found the passphrase to move funds in and out of the wallet. However, this successful hack, according to the company, was outside the scope of the bounty, and the hackers did not receive the set bounty. The second attack, according to Tierney, who was one of the researchers behind the first attack, “meets the requirements of the bounty in spirit, even if it does not meet the specific terms that Bitfi have set.”
To exacerbate Bitfi’s shortcoming, the company also got roasted at the Black Hat USA security conference in Las Vegas. The McAfee-backed company received the Pwnie Award for Lamest Vendor Response. The award is given to a company that shows the worst reaction in response to its security screw-ups.