Bitfi Gets Pwnies Award for 'Lamest Vendor Response'
How John McAfee's Cryptocurrency Hardware Wallet and Company Fell Short
Hubris has a new name: Bitfi.
The cryptocurrency wallet-building company, backed by technology eccentric John McAfee, stormed to an apparently easy win on Wednesday at the annual Pwnie Awards, taking the not-so-coveted, spray-painted "My Little Pony" figurine for "Lamest Vendor Response."
Held annually at the Black Hat conference in Las Vegas, the Pwnie Awards are devoted to "celebrating and making fun of the achievements and failures of security researchers and the wider security community" (see 'Epic Fail': OPM Bests Ashley Madison).
Enter Bitfi. First announced on June 19, with a shipping date of June 27, Bitfi says its cryptocurrency wallet is "the result of years of painstaking research and development" and that it cannot be hacked to recover the private keys that control the funds it holds, thus making it impossible for an attacker to steal any cryptocurrency it stores.
"If the device is seized or stolen, taken apart and forensically analyzed the private keys cannot be retrieved," Bitfi says.
McAfee - founder of the eponymous anti-virus firm, escapee from Belize, one-time U.S. presidential candidate and gonzo technology eccentric - serves as chairman of Bitfi. He and the company have continued to claim that its cryptocurrency hardware wallet is "unhackable."
But Bitfi and its claims took a pounding as a team of security researchers subjected the devices to real-world tests and then communicated their findings. The researchers have been careful to note that they're not providing free penetration testing for Bitfi, which would involve helping the company to refine its product's security. Rather, they're calling the company out for what they see as inaccurate claims about the product's security and warning that the claims could give buyers a false sense of security.
"The Pwnie Awards last night gave some good examples of how vendors should not handle security disclosures," Alan Woodward tweeted Thursday. He's a professor of computer science at the University of Surrey who's been working with a global team of researchers who have been examining Bitfi security in their spare time.
Bitfi says it is so sure that its device can't be hacked that it is offering $250,000 to anyone who can successfully hack the device and recover cryptocurrency that the company has preloaded.
Terms and conditions apply: To qualify for the $250,000 bounty, a security researcher needs to purchase a device from the company and request to participate in the bounty, which costs $10. "The reason for the charge is because we need to ensure serious inquiries only," Bitfi says on its website.
The company has also clarified that it wasn't looking for help troubleshooting its devices' security. "This bounty program is not intended to help Bitfi to identify security vulnerabilities since we already claim that our security is absolute and that the wallet cannot be hacked or penetrated by outside attacks," it says. "Rather this program is intended to demonstrate to anyone who claims or believes that nothing is unhackable or that they can hack into the Bitfi wallet, that such attempts are futile and that the advertised claims about the Bitfi wallet are accurate."
McAfee: Passphrase Can't Be Stolen
McAfee has continued to double down on those claims.
"It can't be hacked," McAfee said in a July 28 tweet.
"Fact. There is no software on the device, and no memory," he said. "So you can't do a software hack. And the pass phrase is stored nowhere. Not in a server, not in the device ... nowhere. There is nothing you can do to the hardware that will give you the pass phrase."
The FUD surrounding the unhackablility of the BitFi wallet, part 1: pic.twitter.com/LNgteEqR30— John McAfee (@officialmcafee) August 2, 2018
Questions for Bitfi
The team of security researchers that has been looking into the security of Bitfi's devices has been led by Andrew Tierney (@CyberGibbons), a security consultant at Pen Test Partners, which is no stranger to unmasking devices with questionable security (see Yes, Unicorns With Bluetooth Problems Really Do Exist).
Their collective efforts initially met with some hostility from an affiliate marketer of Bitfi (@Bitfi6), including a now-deleted tweet. Bitfi agreed with Woodward that one of the tweets from the Bitfi Twitter account, about a researcher, amounted to "hate speech."
Members of the research team, including Woodward, have also continued to directly question claims made by the company.
Dear @Bitfi6 you said of your device:
1. Modification prevents its use as a wallet
2. It has tamperproof tech
3. Procurement from any source is no risk
Unless you change this it will be difficult not to conclude you are deliberately making statements you know to be incorrect.— Alan Woodward (@ProfWoodward) August 4, 2018
Hacked: Researchers Grab Passphrase
By Aug. 4, Woodward reported that two of the researchers had hacked the supposedly unhackable device, and that their exploit also allowed them to cover their tracks, leaving potential users none the wiser. In other words, the device appeared to be neither unhackable nor tamper-proof.
On Aug. 5, research team member Ryan Castellucci (@ryandotorg) reported being able to steal the passphrase and salt from Tierney's Bitfi.
"It prompts you to enter salt and passphrase when keys are needed and generates them in memory. There is no second factor at all, it's purely 'something you know,'" Castellucci said via Twitter.
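The security-relevant point in Castellucci's description is that a wallet which rebuilds its keys from a passphrase and salt holds no secret that the hardware contributes: whoever learns those two strings can rebuild the same key on any machine, and the strings must exist in memory whenever a transaction is signed. The model below is an added illustration, not Bitfi's code (the page does not describe the product's actual derivation scheme, so the PBKDF2 parameters, the key format and the constructed memory image are all assumptions). It derives a key from passphrase and salt, shows that a second derivation anywhere else yields the identical key, and then runs a `strings`-style scan over a constructed memory image to pull the passphrase and salt back out and re-derive the key offline.

```python
"""Model of a "something you know"-only wallet: key = KDF(passphrase, salt).

Added example, not Bitfi's code. The KDF choice and parameters below are
assumptions for illustration; the memory image is constructed, not captured.
"""
import hashlib
import hmac
import re

# Assumed KDF parameters (not the product's): PBKDF2-HMAC-SHA256, 100k rounds.
_ITERATIONS = 100_000
_KEY_LEN = 32


def derive_private_key(passphrase: str, salt: str) -> bytes:
    """Deterministically derive a 32-byte private key from passphrase + salt.

    Nothing in this function depends on which machine runs it, so the
    "device" is not a second factor: anyone holding (passphrase, salt)
    reproduces the key elsewhere.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        passphrase.encode("utf-8"),
        salt.encode("utf-8"),
        _ITERATIONS,
        dklen=_KEY_LEN,
    )


def same_key_on_any_hardware(passphrase: str, salt: str) -> bool:
    """Two independent derivations agree, i.e. hardware adds no secret."""
    on_device = derive_private_key(passphrase, salt)
    on_attacker_laptop = derive_private_key(passphrase, salt)
    return hmac.compare_digest(on_device, on_attacker_laptop)


def simulate_memory_image(passphrase: str, salt: str) -> bytes:
    """Constructed stand-in for a RAM dump taken while keys are in use.

    A naive implementation leaves the user-entered strings in process
    memory after derivation; here they are embedded between filler bytes.
    """
    filler = bytes(range(256)) * 4
    return (
        filler
        + b"salt=" + salt.encode("utf-8") + b"\x00"
        + filler[::-1]
        + b"pass=" + passphrase.encode("utf-8") + b"\x00"
        + filler
    )


# Printable-ASCII runs of 6+ bytes, the heuristic the `strings` tool uses.
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")


def scrape_secrets(dump: bytes) -> dict:
    """Recover labelled passphrase/salt strings from a memory image."""
    found = {}
    for run in _PRINTABLE_RUN.findall(dump):
        text = run.decode("ascii")
        if text.startswith("pass="):
            found["passphrase"] = text[len("pass="):]
        elif text.startswith("salt="):
            found["salt"] = text[len("salt="):]
    return found


def recover_key_from_dump(dump: bytes) -> bytes:
    """Offline re-derivation: the scraped strings are all an attacker needs."""
    secrets = scrape_secrets(dump)
    return derive_private_key(secrets["passphrase"], secrets["salt"])


if __name__ == "__main__":
    pp, salt = "correct horse battery staple", "my-salt-phrase"
    dump = simulate_memory_image(pp, salt)
    print("device key   :", derive_private_key(pp, salt).hex())
    print("scraped       :", scrape_secrets(dump))
    print("attacker key :", recover_key_from_dump(dump).hex())
```

The scan is deliberately crude: it depends on the strings being stored as plain text and tagged, which is the constructed part of the example. The durable lesson is in `derive_private_key`: with no device-bound secret mixed into the derivation, "the passphrase is stored nowhere" only holds until the moment it is typed in, after which the memory of the device is the thing to protect.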
Narrow Bounty Rules
Bitfi continues to claim that no one has successfully complied with the narrow terms of its bounty program, which requires would-be researchers to steal cryptocurrency that's been loaded by Bitfi onto one of its wallets.
"Are your coins secure on BitFi? Absolutely!! For weeks we have offered hackers the opportunity to get our wallet pre-loaded with Bitcoins. If they can take them we will pay them $250,000. No one has done that. It's a simple challenge. Your coins are safe," McAfee said in a Wednesday tweet.
To date, however, no researcher has come forward to say that they've been able to get a preloaded wallet. While researchers from Pen Test Partners and Cisco say they have a Bitfi, they all purchased them directly.
Malware researcher Daniel Gallagher says he's seen no evidence that Bitfi ever shipped a device to anyone under the terms and conditions of its bounty program. "They literally created an impossible task by refusing to send the device required to satisfy the terms of the engagement," Gallagher said via Twitter.
Something that I feel should be getting more attention is the fact that there is zero evidence that a #bitfi bounty device was ever shipped to a researcher. They literally created an impossible task by refusing to send the device required to satisfy the terms of the engagement.— Gallagher (@DanielGallagher) August 8, 2018
"They have confirmed that they have shipped less than 10 bounty devices," tweeted the Dublin-based security researcher known as @BunkoPirate. "Zero is also less than 10."
On Thursday, Bitfi told me that it had shipped "several" devices to security researchers, including one shipment to Castellucci, who tweeted the company on Wednesday asking for three units for next-day delivery.
"I'd like to demo something to the press this weekend. No funny business," Castellucci said.
What is a would-be buyer to do with a supposedly unhackable cryptocurrency wallet that can apparently be hacked?
In recognition of @Bitfi6 and @officialmcafee and their prestigious @PwnieAwards accolades, we'd like to show you @spudowiar playing DooM on his #BitFi secure wallet! Congratulations! pic.twitter.com/50qZZu1MnF— Abe Snowman (@AbeSnowman) August 9, 2018
"If you decide that your #Bitfi isn't secure enough for storing crypto currency creds, it makes for a handy retro gaming platform too," says Ken Munro, a partner at Pen Test Partners, via Twitter (see Who Hacked Barbie?).
On Thursday, Bitfi told me that it believes it is being misunderstood, and said that hacking the device to play games was no demonstration that a user's cryptocurrency could have been stolen. "No one has been able to demonstrate that they can steal users' funds and no one has yet claimed either of the two bounties (one to simulate if your device gets stolen, pays $250,000 and the second to simulate a man in the middle attack, pays $10,000)," the company said.
"We also think it's rather disappointing that a lot of media picked up on claims made by some person hiding behind a picture of a cat, with absolutely no proof of concept, no evidence, or anything else," Bitfi said. "No real researcher would make claims without backing them up and most importantly, why don't they claim the bounty?"
How to Work With Researchers
Security researchers say the whole Bitfi saga is a case study in how not to work with researchers who report product flaws to manufacturers. It's also a cautionary tale about cybersecurity hyperbole.
"Don't make claims that are demonstrably false or impossible to substantiate," Munro says in a blog post.
"Everyone likes a challenge, particularly infosec researchers. If your claims are questioned, engage constructively; try to avoid confrontation. Don't persist or the coverage will build, and the Streisand effect takes over," he says.
Regardless, "it's never too late to change direction" and to rebuild a company's reputation, he adds.
Bitfi Switches Tack
Seemingly presaging its Pwnies win, Bitfi tweeted a rainbow on Tuesday, pledging to work more closely with the information security research community.
"They now have a much more constructive approach," Munro says in his Thursday blog post. "Well done for addressing this Bitfi, hopefully [it's] the shape of things to come."