BitFi withdraws Unhackable Crypto Wallet claim

[WMGroomAK]

In a case of why you should never challenge someone to try, BitFi has removed the claims that their 'unhackable' cryptocurrency wallet is actually unhackable and discontinued their $250k bug bounty program. The hack that was performed this time essentially allows for a someone to run code on the hardware without the memory being erased, thus allowing the attacker to extract the memory from the RAM and find the Crypto Keys stored on the device.

https://techcrunch.com/2018/08/30/john-mcafees-unhackable-bitfi-wallet-got-hacked-again/

Quote

If the security community could tell you just one thing, it’s that “nothing is unhackable.” Except John McAfee’s  cryptocurrency wallet, which was only unhackable until it wasn’t — twice.

 

Security researchers have now developed a second attack, which they say can obtain all the stored funds from an unmodified Bitfi wallet. The Android-powered $120 wallet relies on a user-generated secret phrase and a “salt” value — like a phone number — to cryptographically scramble the secret phrase. The idea is that the two unique values ensure that your funds remain secure.

...

The researchers, Saleem Rashid and Ryan Castellucci, uncovered and built the exploits as part of a team of several security researchers calling themselves “THCMKACGASSCO” (after their initials). The two researchers shared them with TechCrunch prior to its release. In the video, Rashid is shown setting a secret phrase and salt, and running a local exploit to extract the keys from the device.

 

Rashid told TechCrunch that the keys are stored in the memory longer than Bitfi claims, allowing their combined exploits to run code on the hardware without erasing the memory. From there, an attacker can extract the memory and find the keys. The exploit takes less than two minutes to run, Rashid said.

...

Within an hour of the researchers posting the video, Bitfi said in a tweeted statement that it has “hired an experienced security manager, who is confirming vulnerabilities that have been identified by researchers.”

 

“Effective immediately, we are closing the current bounty programs which have caused understandable anger and frustration among researchers,” it added.

 

The statement also said it will no longer use the “unhackable” claim on its website.

 

I guess the overall lesson is that you shouldn't try to assert that your solution is completely foolproof and unhackable...  There is always someone out there that will find a way to get in.  Would also like to know if they were actually able to claim the $250k bounty.  Seems like they've earned it...

 

Bleeping Computers article: https://www.bleepingcomputer.com/news/security/bitfi-wallet-is-vulnerable-no-bounty-no-unhackable/

 

[bcredeur97]

Nothing is unhackable, really.

 

except maybe a brick

[Tellos]

Why anytime somebody makes this claim I get annoyed,

[Enderman]

4 minutes ago, bcredeur97 said:

Nothing is unhackable, really.

 

except maybe a brick

I can hack a brick to pieces with a jackhammer.

[ScratchCat]

40 minutes ago, Tellos said:

Why anytime somebody makes this claim I get annoyed,

Everytime someone makes a claim like this they raise an army against themselves bent on proving them wrong.

 

If you don't want your product to be hacked make it inconspicuous, not a target

[Deus Voltage]

On a serious note though, could there "ever" be something that's genuinely "unhackable"?

[MMKing]

3 minutes ago, Deus Voltage said:

On a serious note though, could there "ever" be something that's genuinely "unhackable"?

Making something unhackable is extremely easy. Making something accessible to the legitimate user only is impossible.

 

I.e ''Throw away the key'', ensuring no one can access the data.

[Blasteque]

1 hour ago, Deus Voltage said:

On a serious note though, could there "ever" be something that's genuinely "unhackable"?

Cryptography has 3 parts: cipher, cipher text, and cipher key.  In theory, remove one of these and the cipher text is secure.  In practice, if you have enough samples of 2 of them, it may be possible to calculate the 3rd (especially if you know something about the format for the 3rd).

 

For digital device security, there will always be a device that has all 3 pieces at least some of the time.  You can have part of it on a remote server and have the key in your head, but as soon as you enter the password to authenticate, the server will (at least momentarily) have all 3 pieces.

[Sauron]

On 8/31/2018 at 10:46 PM, Deus Voltage said:

On a serious note though, could there "ever" be something that's genuinely "unhackable"?

No. Even if the technology were perfect they could just trick you.

[CarlBar]

12 minutes ago, Sauron said:

No. Even if the technology were perfect they could just trick you.

 

The weakest link in any secure system is allways the human element.

 

That said you can go to a lot of effort via airgapping, vetting, complex SoP's, e.t.c. To make it very hard to breach a system. A great example is the ancient hardware the US was using for it's nuclear launch codes until a few years ago. I'm sure there's quite a few people who could have extracted the codes if they'd had unrestricted access to the system. But the procedures in place around the hardware made it sufficiently difficult that it was never actually an issue.

[silberdrachi]

On 8/31/2018 at 4:41 PM, ScratchCat said:

Everytime someone makes a claim like this they raise an army against themselves bent on proving them wrong.

 

If you don't want your product to be hacked make it inconspicuous, not a target

Security through obscurity. This does stop you from being hacked, but doesnt really fix the problem in reality. Just takes one bored person