Less than a week after renowned cybersecurity pioneer John McAfee claimed that his newly created bitcoin wallet, Bitfi, was unhackable, security researchers hacked it.
Dutch security researcher ‘OverSoft’ claimed to have gained root access to McAfee’s unhackable wallet, a statement that gained credibility later when Bitfi admitted to a security breach.
The researcher said in a tweet:
Short update without going into too much detail about BitFi: We have root access, a patched firmware and can confirm the BitFi wallet still connects happily to the dashboard. There are NO checks in place to prevent that like claimed by BitFi.
While Bitfi didn’t confirm if OverSoft, or indeed anyone else, had actually breached the system, its chief executive Daniel Khesin did admit to needing “help”.
In a statement, Bitfi said:
Dear friends, we’re announcing second bounty to help us assist potential security weaknesses of the Bitfi device. We would greatly appreciate assistance from the infosec community, we need help. Here are the bounty conditions: https://bitfi.com/bounty2 Thank you, Daniel Khesin CEO
It’s important to note that OverSoft hacked the device without actually owning or having the $120 device at hand.
“You don’t need a BitFi device to run a BitFi wallet,” the security researcher wrote. “I repeat: there’s nothing in that device that is required for the BitFi app to function. There’s NO secure element. They could’ve released it on the Play Store as an app,” he added, damningly.
Meanwhile, McAfee argued that gaining root access with “no write or modify” rights is “as useless as a dentist license un (sic) a nuclear power plant.”
The security researcher responded that gaining root access showed the wallet wasn’t secure, and dismissed the first bounty offered by the manufacturer as “a sham”.
By definition, however, OverSoft has indeed hacked the wallet by gaining access to the device’s root directory, which would enable him to run keyloggers, install malware or push patches to the devices’ software, if he wished to do so.