2018-8-14 12:57
Bitfi wallet has apparently been hacked again. A group of researchers claim to have hacked it and they assert that they are eligible for the $10,000 USD bounty (now up to $250,000).
McAfee announced a partnership with Bitfi in late July to promote the security of that company’s cryptocurrency wallet. However, it seems that Bitfi was prematurely confident about the security of its digital wallet, as hackers have been able to penetrate the McAfee Bitfi account numerous times. In the latest hack, researchers were able to send signed transactions with the wallet despite Bitfi’s security mechanisms.
Well, that's a transaction made with a MitMed Bitfi, with the phrase and seed being sent to a remote machine.
That sounds a lot like Bounty 2 to me. pic.twitter.com/qBOVQ1z6P2
— Ask Cybergibbons! (@cybergibbons) August 13, 2018
The researchers who hacked the device believe that they have fulfilled the conditions of Bitfi’s $10,000 bug bounty. Bitfi had three criteria to claim the rewards: namely that researchers should be able to prove they can modify the device, connect to the Bitfi server, and send sensitive data with the device.
Let us see whether the hackers managed to check all three boxes.
Modification Of The Device: This step has been easy, and many hackers have successfully modified the device, using it as a music player and more. The hackers gained complete access (root) to it two weeks ago. Since then, they have been tracking everything about the device, which means that they have a complete overview of the data being sent out of it.
Connect To The Bitfi Server: The researchers have also been able to confirm that the wallet is still connected to the Bitfi servers and liable to data interception, according to security researcher Andrew Tierney (more commonly known as Cybergibbons).
He said,
“We intercepted the communications between the wallet and [Bitfi]. This has allowed us to display silly messages on the screen. The interception really isn’t the big part of it, it’s just to demonstrate that it is connected to the dashboard and still works despite significant modification.”
Sending Sensitive Data: This step has been the most difficult to crack for most hackers. Tierney also said that they have met the third condition: they sent the device’s private keys and its passphrase to a remote server, meeting the three requirements to claim the $10,000.
“We have sent the seed and phrase from the device to another server, it just gets sent using netcat, nothing fancy.”
Tierney said.
The latest hack on McAfee’s Bitfi wallet comes within days of 15-year-old Saleem Rashid demonstrating that he was able to crack the wallet to play Doom on the device. In that attempt, even though Rashid was able to hack the wallet, he was not able to access the cryptocurrency that was stored in McAfee’s account.
McAfee had downplayed Rashid’s hack in a tweet, noting:
“A video played on your Bitfi wallet has nothing to do with the safety of your funds. This is amateur hour, not a hack!”
However, McAfee has still not offered any comment about the most recent hack conducted by Tierney. It remains to be seen whether Bitfi will pay out for this hack or argue that it has somehow not met the requirements to classify the intrusion as a ‘hack.’