John McAfee is one of the most popular yet controversial names in the cryptocurrency microcosm. Of late, McAfee has been in the news for launching the ‘BitFi’ hardware wallet, which he claims is unhackable. McAfee was so confident of the security of his wallet that he even issued a challenge with a bounty of $100,000 for anyone who is able to hack the wallet. McAfee then went on to raise this bounty to $250,000. In less than a week, security researchers found multiple security loopholes in the wallet.
For those who may not be aware, the proposed BitFi cryptocurrency hardware wallet, priced at $120, is a wallet with a touchscreen display that is shaped like an iPhone. The device offers support for push notifications and claims to support “an unlimited number of cryptocurrencies and crypto assets.”
McAfee was so confident of the security of his BitFi hardware wallet that he even stated that this bounty is not intended to help him identify the security flaws, because there aren’t any! However, in less than a week, several security researchers have pointed out numerous security flaws in the BitFi wallet, and this has led to a major Twitter outrage against McAfee, who has refused to pay a bounty to any of these individuals.
A tweet from the security research group OverSoftNL indicates that they have obtained root access to the BitFi wallet. The tweet reads:
“Short update without going into too much detail about BitFi: We have root access, a patched firmware and can confirm the BitFi wallet still connects happily to the dashboard. There are NO checks in place to prevent that like claimed by BitFi.”
While BitFi completely ignored the tweet made by OverSoftNL, the company posted a tweet later in the day stating that they are setting up another $10,000 bounty for those who can identify security weaknesses. This tweet reads:
“Dear friends, we're announcing a second bounty to help us assist potential security weaknesses of the Bitfi device. We would greatly appreciate assistance from the infosec community, we need help. Here are the bounty conditions: https://t.co/f00POuF1Ov Thank you, Daniel Khesin CEO”
The exact terms and conditions for claiming this second, $10,000 bounty are as follows:
1. The firmware of the Bitfi device is modified.
2. After the firmware is modified, the device still needs to connect to the Bitfi Dashboard.
3. The device should then be able to transmit either the private keys or the user's secret phrase to a third party while still functioning normally with the Bitfi Dashboard.
After BitFi backed off from the original bounty and created a second one, OverSoftNL claimed that McAfee and BitFi never really intended to pay any bounties to the security researchers and that this was all just a marketing gimmick. The biggest “burn” of the day came from security researcher Ryan Castellucci, who strongly advises users not to use BitFi and called the device “a cheap, stripped-down Android phone.” Interestingly, researchers (including OverSoftNL) pointed out that the device comes pre-loaded with the app of the Chinese search engine Baidu, as well as with the Adups malware. According to the security researchers, both of these apps are “calling home,” while BitFi claims that they are just there for pinging purposes.
While BitFi continues to deny that their wallet has been hacked, security researchers and hackers continue to blast the device, claiming it is a sham. McAfee was also in the news last week when he launched the McAfeeMarketCap and McAfeeCryptoTeam websites.