John McAfee placed a $100,000 bounty on anyone who can hack into the Bitfi wallet, last week.
The $50 Bitfi wallet, advertised as the world’s first “unhackable” cryptocurrency wallet has been the point of focus for drones of hackers worldwide, throwing much of its specs into light. An ad-hoc collective of hackers and security researchers have also emerged for the task.
Although, no one has till date been able to claim to have hacked the wallet, much of its peculiarities have become topics of hot discussions across social media.
The first of its sort was the speculation by Ryan Castelluci, via his Twitter handle, that “Bitfi appears to be exactly what it looks from the photos – a cheap stripped down Android phone.”
McAfee later confirmed that bitfi was infact a small phone-like device with no internal storage. The wallet reportedly recieves instructions with regards to the find from their servers.
In addition, the presence of malware suites, such as Adups FOTA, a spyware platform, and that of Chinese app Baidu has raised several red flags for researchers claiming infractions of privacy.
Adups FOTA transmits location, text, call and other app data to a server in China every 72 hours. While, Baidu has an in built WiFi and GPS tracking services. Researchers of the collective have confirmed that these are operational and transmitting information.
Although the bounty hasn’t been claimed the consequent findings have confirmed that the public should exercise prudence while storing and using cryptocurrencies.
Researchers have been able to find directories loaded onto the ROM, which highlights that the apps in question are pre-installed into the wallet. This was confirmed by security consultant, Cyber-gibbons.
Cyber-gibbons accessed data through the Mediatek chipset. These load libraries into the ROM during startup, accessible even through an USB. Accessing the data in such manner through the Mediatek bootloader they were able to find many loopholes in the security aspect of the wallet.
On top of that, bitfi stores contents using the hot wallet method. A method which was at the root of the CoinCheck exchange hack earlier this year.
Overall, providing questionable protection, the only protection that it offers is the cryptography of the private key and the seed phases. The private key is the series of characters, different from the public, which gives you direct access to the wallet and its contents. This is similar to any other online wallet solution.
Taking heat for such discrepancies McAfee, refrained from addressing the researchers, and has chosen to point fingers at its competitors for releasing “trolls” against it.
They have justified the usage of Baidu as necessary for interacting with users in China as Google is blocked.
