Security researchers have successfully modified BitFi’s hardware wallet and provided a demonstration of the device running Doom. BitFi’s response? “Prove it.” Security researchers are arranging a demonstration this weekend proving BitFi’s wallets can be hacked.
Unhackable? Not So Much
BitFi launched their hardware wallet in June as a way for cryptocurrency users to secure their bitcoins and other cryptocurrencies. In August, BitFi announced two bounty programs. Their first bounty program launched on August 1st and offered a $250,000 bounty to anyone that proves a hack of the BitFi hardware wallet. A second bounty program provides $10,000 to anyone that shows a hack on the firmware of the BitFi device.
In announcing the program, Bitfi tweeted a challenge to the security community:
“See, we are offering a $250,000 bounty to hack our wallet. And no one can do it (yet). On the other hand, a bunch of 15 year old kids can hack into your wallet in minutes. So please don’t tell us who is inferior here.”
Given the substantial nature of the bounty, the security community quickly responded.
Ease of Hacking Demonstrated
Pen Test Partners offered a breakdown of the BitFi device, revealing it to be nothing more than a cut-down Android phone. In their report, the researchers claimed that “the Bill of Materials was perhaps $35. It’s based on a MediaTek MT6580.”
Oversoft claimed to have gained root access, patched the firmware, and proved that they could still connect to the dashboard. They then tweeted their proof to Bitfi, and Bitfi’s response was a mere: “Sir, rooting the device does not mean it has been hacked.”
Ryan Castellucci, a security researcher, offered the following tweet:
“Bitfi appears to be exactly what it looks like from the photos – a cheap stripped down Android phone. There’s some screenshots of it demanding to be connected to WiFi in order to function elsewhere in @cybergibbons’s feed. Someone will probably have Doom running on it by Friday.”
One day earlier than Ryan’s prediction, Abe Snowman offered the following video tweet of Doom running on a Bitfi.
Ryan Castellucci challenged Bitfi by requesting three wallets to demonstrate the hacking of the Bitfi wallet at Caesars Palace in Las Vegas this weekend:
“Hey, @Bitfi6, can you folks send three Bitfi wallets via Next Day Air AM to ‘Ryan Castellucci, c/o Caesar’s Palace, 3570 S Las Vegas Blvd, Las Vegas, NV 89109’? I’d like to demo something to the press this weekend. No funny business.”
Bitfi has accepted the challenge. Stay tuned for an exciting weekend.