The Bitfi cryptocurrency hardware wallet emerged on the scene with fanfare, and backed by tech personality John McAfee, the company caused controversy by claiming the device was completely “unhackable.”
The Bitfi wallet was advertised as containing “fortress-like” security which could not “be hacked or penetrated by outside attacks.”
Naturally, the security community did its part to disprove such claims. It wasn’t long before the $120 device was turned into a Doom gaming console, root access was gained, and partition listings were dumped on GitHub.
Researchers called the device nothing more than a “cut-down Android phone,” and in response to such claims, two bug bounties were issued.
The first was dubbed a “sham” by a collective of security researchers called THCMKACGASSCO and required researchers to purchase the device to participate. The $250,000 reward program was so narrow in scope that its validity was questioned.
The second offered $10,000 for valid bug reports and required exploits which “should be able to transmit either private keys or the user’s secret phrase to a third party while still functioning normally with the Bitfi Dashboard.”
Researchers set to work and posted exploit after exploit.
Earlier this month, McAfee said that “maybe calling it [Bitfi] unhackable was unwise.” The slew of attacks and vulnerability reports has now forced the company to backtrack on its previous claims.
On Twitter, the company posted a statement which said it had hired external help in the form of a “Security Manager” who is “confirming vulnerabilities that have been identified by researchers.”
“Effective immediately, we will be removing the ‘Unhackable’ claim from our branding which has caused a significant amount of controversy,” the company added. “While our intention has always been to unite the community and accelerate the adoption of digital assets worldwide, we realize that some of our actions have been counterproductive to that goal.”
Bitfi added that the bug bounty programs which have “caused understandable anger and frustration among researchers” are now closed with immediate effect.
“As far as I can tell, there’s no way to address the security issues with your wallets without doing a product recall, throwing them into an industrial shredder and starting from scratch. Even then, who’d trust you?”
David Wachtfogel, head of Product Security at Group N Security, added that if Bitfi is serious about resolving the security issues found in the product, the company needs to “recall the current hardware — it’s inherently insecure.”
The timing of the announcement is rather interesting, as it comes just after 15-year-old hacker Saleem Rashid, the same individual who hacked Bitfi to play Doom, was able to recover the device’s private key through a cold boot attack.
With this key, the funds are up for grabs — but now that the bug bounties have been closed, it remains to be seen whether or not Bitfi will pay up.
Either way, it’s a lesson which should be taken to heart by future companies looking to cash in on security concerns — no device, or service, should ever be marketed as unhackable.
There are plenty of security experts out there willing to prove otherwise.
ZDNet has reached out to Bitfi and will update if we hear back.