When the notorious former antivirus kingpinyou’d better believe hackers came out of the woodwork to prove him wrong.
So far, they haven’t proven him wrong — because Bitfi hasn’t yet received anything it considers proof.
But after chatting with Bitfi ops VP Bill Powel and Pen Test Partners security researcher Andrew Tierney (aka Cybergibbons) several times over the past 24 hours, I’m pretty sure it’s safe to say that the Bitfi wallet has been hacked. It took only a few weeks for security researchers to find a way to pull money out of the wallet.
It’s this simple:
- Bitfi confirmed to CNET that the wallet has been rooted, to the point that hackers are able to get the wallet’s hardware (roughly equivalent to a small Android tablet) to display anything they like on the screen. That alone satisfies one common definition of “hack.”
- Bitfi says it doesn’t agree that rooting is hacking — but told CNET that Bitfi’s definition of a hack is “anything done to the wallet that would cause a loss of funds.”
- Pen Test Partners, a noted security research firm that CNET has cited numerous times, tells CNET that it has been able to actually pull cash out of the wallet, too. So that’s definition #2.
That’s enough for me, personally. But it may not be enough for you, particularly because Bitfi did make an interesting point when I chatted with them at length:
Bitfi says that no security researcher has actually stepped forward to claim the $250,000 bounty the company’s offering to anyone who can take funds out of its preloaded wallets, nor the $10,000 bounty it’s offering for a man-in-the-middle attack. “Not a single person has come forward to claim either of the two bounties,” says Powel.
And Pen Test Partners’s Tierney conceded that — to his knowledge — that’s actually true. “None of us have contacted Bitfi to disclose any issues.”
If they can prove it, why not claim the money? Well…
Bitfi appears to have sent three of them to security researcher Ryan Castellucci. Tierney says he’s the only one in their group who’s received the bounty wallets. (Bitfi says fewer than 10 people purchased a pre-loaded wallet in all.), security researchers claimed it was impossible to take funds out of a pre-loaded wallet because Bitfi wouldn’t actually send preloaded wallets to security researchers. According to Bitfi, that’s not true — and since then,
But that was the belief.
As for the normal wallets, Tierney says the larger hacker group simply isn’t interested in attempting to prove anything to Bitfi anymore. He accuses them of continuing to move the goalposts for what “unhackable” means, when, he says, it’s clear that the device is vulnerable.
Notably, he also says the hacker collective working on Bitfi received a threat from the company:
“We aren’t engaging with Bitfi after they made several threats on Twitter,” said Tierney.
Bitfi says the social media manager responsible for that tweet has been replaced, claims that Tierney is “cleverly twisting things that were said out of context,” and says that all its attempts to reach out for help securing its device against such hacks were rebuffed or ignored by hackers before it ever sent that tweet.
Here’s one example sent to a different hacker:
It’s not clear to me why, threat or no, security researchers wouldn’t disclose the vulnerabilities they discover. It’s the ethical thing to do, and it’s generally the way Pen Test Partners and co. operate when they’re hacking things.
Plus, it could clear up this whole “unhackable” claim for good.
Here’s the promise I got from Bitfi: “If someone does claim the bounty, we will either provide a fix immediately to our users by pushing out an update or if we cannot then we will no longer use the unhackable claim.”
It’ll be pretty obvious, pretty quickly, if Bitfi breaks that promise. But not until someone at least tries to claim the money.
Correction, Aug. 15 at 8:22 p.m. PT: Bitfi denies that it only sent bounty wallets to a single researcher. That was Tierney’s claim, which he’s since corrected by email — he says he meant that only a single researcher in his group has the wallets.
Update, Aug. 15 at 4:42 p.m. PT: Security researcher Kenn White reached out to me to point out one possible reason why Bitfi’s tweeted threat might be enough to keep hackers from disclosing their methods: two companies have recently sued security writers for defamation, which has led to a chilled climate where some researchers have become afraid of legal threats.
Separately, Tierney tweeted that he doesn’t believe researchers owe companies disclosure.
This tweet seems to sum up the feelings of several security reseachers I’ve engaged with since I published this piece: