Blog: Opinions

Hacking the Bitfi Part 4: Addressing their claims

Ken Munro 06 Aug 2016

The Bitfi hardware crypto wallet debacle continues apace. Here’s a quick summary of progress over the weekend, including successful extraction of private seeds and passphrases from a Bitfi.

Bitfi change their claims

You’ll remember that Bitfi made several claims which the infosec community took exception to:

That the Bitfi has no storage

Well, as was already proven, the Bitfi does have storage: about 8GB of flash memory.

John McAfee persisted with this claim, until the weekend.

And then changed his mind:

That was progress. Now that everyone was clear that storage DID exist, that would explain why the passphrase and seed could be extracted from the storage on the device:

It appears that there was no process in place to wipe credentials from memory. The credentials persisted on the Bitfi for at least 17 hours after they were entered.

That’s a pretty big fail and we understand that Bitfi are preparing an update to the software.
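The missing step the text points at is a deliberate wipe of the passphrase once the wallet has finished with it. The following is an added illustration, not Bitfi's code: a wipe routine that writes through a volatile pointer so the compiler cannot discard it as a dead store, a check that the buffer really is clean afterwards, and a hypothetical toy key derivation standing in for whatever the real wallet does with the passphrase (it is not a real KDF).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Wipe a buffer in a way the compiler cannot remove as a "dead store".
   A plain memset() just before the buffer goes out of scope is often
   optimised away because the memory is never read again; writes through
   a volatile pointer must be performed. */
void secure_wipe(void *buf, size_t len) {
    volatile uint8_t *p = (volatile uint8_t *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Returns 1 if every byte of buf is zero, 0 otherwise. The OR-accumulate
   loop runs in constant time regardless of where a stray byte sits. */
int is_wiped(const void *buf, size_t len) {
    const uint8_t *p = (const uint8_t *)buf;
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= p[i];
    }
    return acc == 0;
}

/* Hypothetical stand-in for the wallet's key derivation (assumption: a toy
   mixing of passphrase bytes into a 32-byte key, NOT a real KDF). It exists
   only so the example has a "use the secret, then drop it" step. */
void toy_derive_key(const char *passphrase, size_t len, uint8_t key[32]) {
    memset(key, 0, 32);
    for (size_t i = 0; i < len; i++) {
        key[i % 32] ^= (uint8_t)passphrase[i];
        key[(i + 7) % 32] += (uint8_t)(passphrase[i] * 31);
    }
}

/* Mirrors the flow the post describes: the user enters a passphrase, a key
   is derived from it, and the passphrase must not remain in memory after
   that. Returns 1 when the passphrase buffer is confirmed clean. */
int derive_and_wipe(char *passphrase, size_t len, uint8_t key[32]) {
    toy_derive_key(passphrase, len, key);
    secure_wipe(passphrase, len);
    return is_wiped(passphrase, len);
}
```

Wiping RAM is the easy half; a copy that has already reached flash storage (as on the device described here) is a separate problem, since flash wear levelling means overwriting a file does not reliably overwrite the underlying cells.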

That it would be safe to buy a Bitfi from any outlet, used or new

This claim was made in the Bitfi website FAQ. After it was shown that the I2C communications from the screen were not encrypted and a device could be trivially backdoored, the claim was retracted.

The claim has now been withdrawn and Bitfi state that devices should only be bought direct from them.

That a tampered wallet would not sync

The wallet in the photo below has most definitely been tampered with. It still syncs.

Bitfi have responded by stating that they will provide tamper evident stickers for all Bitfi cases.

Remember, tamper evident is not the same as tamper proof. The owner then becomes responsible for verifying that their wallet hasn’t been tampered with.

Surely it would be better to incorporate electronic anti-tamper protection, as was suggested in the original claim?

The ‘unhackable’ claim

This is work in progress. Note that the original $250K bounty claim turned out to cover only a very specific set of circumstances. The team have already demonstrated several different hacks of the Bitfi, some resulting in coin theft.

Given the team have only had the Bitfi hardware for a week, it’s no surprise that it’s taking a bit of time.

Also, several of the team researching the Bitfi have ordered bounty devices, yet none has been received as of today. Hopefully that’s just an order processing or shipment delay…

Remember though: compromise once, run everywhere. Only one Bitfi has to be hacked in order to expose a method of compromising everyone’s Bitfi.

Conclusion

Bitfi admitted that their device had only been on the market for two months. They indicated that it was still under development.

Many IoT devices enter the market with flaws which are subsequently exposed and resolved. We don’t support that strategy, but it happens.

However, this isn’t just any IoT device: it’s a cryptocurrency wallet that is supposed to keep your passphrases and seeds absolutely secure.

They’ve made some bold claims, then changed them in the light of evidence provided by the security community.

I think Bitfi would be well advised to pull their product from the market for a short while and significantly update its security.

Then relaunch, with a revised set of claims.