After weeks of claiming that its cryptocurrency wallet was unhackable despite being continually disproven, Bitfi has now raised its hands in the air in surrender.
In a tweeted statement, the hardware wallet maker said it will no longer use the ‘unhackable’ claim in its promotional materials.
Important announcement from Bitfi: pic.twitter.com/SD4ZCJxvLn
— Bitfi (@Bitfi6) August 30, 2018
“Effective immediately, we will be removing the ‘unhackable’ claim from our brand which has caused a significant amount of controversy,” the tweet read. “While our intention has always been to unite the community and accelerate the adoption of digital assets worldwide, we realize that some of our actions have been counterproductive to that goal.”
Will Bounty Hunters get their Dues?
According to CNET, the Bitfi brand has taken a hit on social media and the turnaround is aimed at salvaging its reputation. Bitfi has, however, not indicated whether the bounties it had been offering to security researchers will be awarded to those who hacked its device. Notably, though, the US$250,000 bounty program has been discontinued.
To its credit, though, Bitfi has promised to unveil a conventional bounty program via HackerOne, a vulnerability coordination and bug bounty platform that links business organizations with cybersecurity experts.
The turnaround by Bitfi, whose executive chairman is John McAfee, came after several security researchers working under the name ‘THCMKACGASSCO’ (based on their initials) were able to break into the hardware wallet. As first reported by TechCrunch, the researchers, who included 15-year-old Saleem Rashid and Ryan Castellucci, revealed that, using a ‘cold boot attack’, they were able to extract the two unique values needed to steal the funds: the secret phrase generated by the user and a ‘salt’ value.
According to the researchers, this left the funds stored in the wallet vulnerable to theft. What made the extraction possible was that these values remained in the device’s memory for longer than the manufacturer had claimed.
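The weakness the researchers describe is a lifetime problem: key material that stays resident in RAM after it is no longer needed is what a memory-extraction attack recovers. The C below is an added illustration of the defensive pattern, not Bitfi’s firmware or the researchers’ code: derive the key from the phrase and salt, use it, and immediately zeroise every copy with a wipe the compiler cannot optimise away. The `toy_derive` function, the buffer sizes and the sample phrase/salt values are hypothetical stand-ins constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Zeroise a buffer in a way the compiler cannot drop as a dead store.
 * A plain memset() just before a function returns is frequently removed by
 * the optimiser because the buffer is never read again; writes through a
 * volatile pointer must be performed. (Many libcs offer explicit_bzero() or
 * memset_s() for the same purpose.) */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Hypothetical stand-in for the wallet's key derivation: mixes the user's
 * phrase and the salt into a 32-byte key. This is NOT a real KDF; it exists
 * only so the lifetime of the secret in RAM can be shown. */
static void toy_derive(const char *phrase, const char *salt, uint8_t out[32]) {
    size_t pl = strlen(phrase), sl = strlen(salt);
    for (size_t i = 0; i < 32; i++) {
        uint8_t p = pl ? (uint8_t)phrase[i % pl] : 0;
        uint8_t s = sl ? (uint8_t)salt[i % sl] : 0;
        out[i] = (uint8_t)(p ^ s ^ (uint8_t)(i * 7 + 1));
    }
}

/* Count bytes that are still non-zero: a crude "what would a memory dump
 * recover?" measure for the demonstration. */
static size_t nonzero_bytes(const void *buf, size_t n) {
    const uint8_t *b = (const uint8_t *)buf;
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (b[i] != 0) count++;
    }
    return count;
}

/* One transaction's worth of secret handling: copy the inputs into working
 * buffers, derive the key, "use" it, then wipe every copy. Returns the number
 * of secret bytes still readable afterwards; a correct implementation returns
 * 0. With wipe == 0 the clean-up is skipped, modelling firmware that leaves
 * the phrase, salt and key resident until the next power cycle. */
size_t secret_residue(const char *phrase, const char *salt, int wipe) {
    char phrase_copy[64] = {0};
    char salt_copy[64] = {0};
    uint8_t key[32] = {0};

    strncpy(phrase_copy, phrase, sizeof phrase_copy - 1);
    strncpy(salt_copy, salt, sizeof salt_copy - 1);
    toy_derive(phrase_copy, salt_copy, key);

    /* ... the key would be used to sign a transaction here ... */

    if (wipe) {
        secure_zero(key, sizeof key);
        secure_zero(phrase_copy, sizeof phrase_copy);
        secure_zero(salt_copy, sizeof salt_copy);
    }
    return nonzero_bytes(key, sizeof key)
         + nonzero_bytes(phrase_copy, sizeof phrase_copy)
         + nonzero_bytes(salt_copy, sizeof salt_copy);
}

int main(void) {
    /* Constructed sample inputs, not real wallet values. */
    printf("residue without wipe: %zu bytes\n",
           secret_residue("correct horse", "salt-1234", 0));
    printf("residue with wipe:    %zu bytes\n",
           secret_residue("correct horse", "salt-1234", 1));
    return 0;
}
```

The point of the pattern is to shrink the window during which the secret exists in RAM at all: wiping at the end of a session, or relying on power-off to clear DRAM, leaves exactly the kind of residue the researchers reported. In production firmware the same discipline applies to every intermediate buffer the derivation and signing code touches, not just the final key.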
Following the episode, Bitfi has now indicated that it will hire an ‘accomplished’ security manager to confirm the vulnerabilities that the security researchers identified. Some researchers, however, felt that this was insufficient and argued that a product recall was necessary.
But seriously, the problem isn't a specific bug (or even a hundred specific bugs). The basic architecture and hardware is inherently insecure. They have to start from scratch. #RecallBitfi
— David Wachtfogel (@dwfogel) August 20, 2018
Reportedly, however, Bitfi has no such plans.
“Whatever issues we discover will be patched for all customers via our push updates,” Bitfi said in an email to CNET.
In its tweeted statement, Bitfi repeatedly promised to make a public announcement next week that will acknowledge and address the issues raised by the security researchers and offer ‘specific action items on our future product roadmap’. Indeed, next week will be crucial for the future of Bitfi: in the single tweet, ‘next week’ was mentioned three times.