The Bitfi wallet, which John McAfee considered invulnerable, has been hacked… by a 15-year-old. The teenager, Saleem Rashid, got access to the so-called unhackable wallet. He posted a video on Twitter that shows the extraction of a secret phrase and the "salt" value. These elements are needed to generate a private key.
Bill Powell of @Bitfi6 discussing the single assumption upon which the entirety of @Bitfi6's ridiculous UNHACKABLE claim lies
could you even IMAGINE if this assumption was proved false? https://t.co/gdVg32Hhzu pic.twitter.com/pn07hAf2uP
— Saleem "Unhackable" Rashid (@spudowiar) August 30, 2018
In late July, John McAfee introduced the Bitfi wallet, declaring it "unhackable." He promised $250,000 to anyone who could prove the opposite. But experts very quickly found that the unbreakable device is in fact a perfectly ordinary Android smartphone from which some components have been removed. Specialists managed to get root access to the device and learned that attackers can extract the password phrase immediately after it is typed on the screen.
The wallet also had practically no protection against unauthorized tampering. That is, Bitfi can be opened and examined, and it will continue to work as if nothing had happened. And, by the way, the same teen managed to launch the game Doom on the device. The wallet was widely criticized by the crypto community.
The Bitfi developer even received the Pwnie award in the "Lamest Vendor Response" category for the low level of product safety. And McAfee had to back off, too. He acknowledged that it was unreasonable to call Bitfi "unhackable."
The End of Disputes
Now, however, the story of the unbreakable Bitfi has evidently come to an end. Soon after Saleem Rashid published proof of the Bitfi hack on Twitter, the developers of the crypto wallet published a response in their official microblog.
They reported that they had hired an experienced information security specialist, who confirmed the existence of vulnerabilities. The developers promise to issue an official statement next week and to fix the problems. The bug bounty program has been closed with immediate effect. Apparently, the promised reward will not be paid to anyone. The developers just thanked the experts for their efforts and promised to launch a new vulnerability reward program on the HackerOne platform.