When the notorious former antivirus kingpinyou’d better believe hackers came out of the woodwork to prove him wrong.
So far, they haven’t proven him wrong — because Bitfi hasn’t yet received anything it considers proof.
But after chatting with Bitfi ops VP Bill Powel and Pen Test Partners security researcher Andrew Tierney (aka Cybergibbons) several times over the past 24 hours, I’m pretty sure it’s safe to say that the Bitfi wallet has been hacked.
It’s this simple:
- Bitfi confirmed to CNET that the wallet has been rooted, to the point that hackers are able to get the wallet’s hardware (roughly equivalent to a small Android tablet) to display anything they like on the screen. That alone satisfies one common definition of “hack.”
- Bitfi says it doesn’t agree that rooting is hacking — but told CNET that Bitfi’s definition of a hack is “anything done to the wallet that would cause a loss of funds.”
- Pen Test Partners, a noted security research firm that CNET has cited numerous times, tells CNET that it has been able to actually pull cash out of the wallet, too.
That’s enough for me, personally. But it may not be enough for you, particularly because Bitfi did make an interesting point when I chatted with them at length:
Bitfi says that no security researcher has actually stepped forward to claim the $250,000 bounty the company’s offering to anyone who can take funds out of its preloaded wallets, nor the $10,000 bounty it’s offering for a man-in-the-middle attack. “Not a single person has come forward to claim either of the two bounties,” says Powel.
And Pen Test Partners’s Tierney conceded that — to his knowledge — that’s actually true. “None of us have contacted Bitfi to disclose any issues.”
If they can prove it, why not claim the money? Well…
Bitfi appears to have sent three of them to security researcher Ryan Castellucci. Tierney says he’s the only one who’s received the bounty wallets, which I can’t confirm, but Bitfi says fewer than 10 people purchased a pre-loaded wallet., security researchers claimed it was impossible to take funds out of a pre-loaded wallet because Bitfi wouldn’t actually send pre-loaded wallets to security researchers. According to Bitfi, that’s not true — and since then,
As for the normal wallets, Tierney says the larger hacker group simply isn’t interested in attempting to prove anything to Bitfi anymore. He accuses them of continuing to move the goalposts for what “unhackable” means.
And he also says the hacker collective working on Bitfi received a threat from the company:
“We aren’t engaging with Bitfi after they made several threats on Twitter,” said Tierney.
Bitfi says the social media manager responsible for that tweet has been replaced, claims that Tierney is “cleverly twisting things that were said out of context,” and says that all its attempts to reach out for help securing its device against such hacks were rebuffed or ignored by hackers before it ever sent that tweet.
Here’s one example sent to a different hacker:
It’s not clear to me why, threat or no, security researchers wouldn’t disclose the vulnerabilities they discover. It’s the ethical thing to do, and it’s generally the way Pen Test Partners and co. operate when they’re hacking things.
Plus, it could clear up this whole “unhackable” claim for good.
Here’s the promise I got from Bitfi: “If someone does claim the bounty, we will either provide a fix immediately to our users by pushing out an update or if we cannot then we will no longer use the unhackable claim.”
It’ll be pretty obvious, pretty quickly, if Bitfi breaks that promise. But not until someone at least tries to claim the money.
Correction, 6:44 p.m. PT: Bitfi denies that it only sent bounty wallets to a single researcher. That was Tierney’s claim, and we’ve clarified that above.