John McAfee’s “unhackable” Bitfi wallet got hacked — again

If the security community could tell you just one thing, it’s that “nothing is unhackable.” Except John McAfee’s cryptocurrency wallet, which was only unhackable until it wasn’t — twice.

Security researchers have now developed a second attack, which they say can obtain all the stored funds from an unmodified Bitfi wallet. The Android-powered $120 wallet relies on a user-generated secret phrase and a “salt” value — like a phone number — to cryptographically scramble the secret phrase. The idea is that the two unique values ensure that your funds remain secure.

But the researchers say that the secret phrase and salt can be extracted, allowing private keys to be generated and the funds stolen.

Using this “cold boot attack,” it’s possible to steal funds even when a Bitfi wallet is switched off. There’s a video below.

The researchers, Saleem Rashid and Ryan Castellucci, uncovered and built the exploits, and shared the with TechCrunch prior to its release. In the video, Rashid is shown setting a secret phrase and salt, and running a local exploit to extract the keys from the device.

Rashid told TechCrunch that the keys are stored in the memory longer than Bitfi claims, allowing their combined exploits to run code on the hardware without erasing the memory. From there, an attacker can extract the memory and find the keys. The exploit takes less than two minutes to run, Rashid said.

“This attack is both reliable and practical, requiring no specialist hardware,” said Andrew Tierney, a security researcher with Pen Test Partners, who verified the attack.

Tierney was one of the hackers behind the first Bitfi attack. The McAfee-backed company offered a $250,000 bounty for anyone who could carry out what its makers consider a “successful attack.” But Bitfi declined to pay out, arguing that the hack was outside the scope of the bounty, and instead resorted to posting threats on Twitter.

This new attack, Tierney says, “meets the requirements of the bounty in spirit, even if it does not meet the specific terms that Bitfi have set.”

McAfee earlier this month said, “the wallet is hacked when someone gets the coins.”

Bill Powel, vice president of operations at Bitfi, told TechCrunch in an email that the company defines a hack “as anything that would allow an attacker to access funds held by the wallet.”

“Because the device does not store private keys, that is what prompted the unhackable claim,” he said.

McAfee, who was copied on the email to Bitfi, did not respond.

Rashid said he has no immediate plans to release the exploit code as to prevent the estimated few thousand Bitfi users from being put at risk.

Just last month, Bitfi won the Pwnie Award for Lamest Vendor Response, a traditional award given out at the Black Hat conference for companies that react the worst in response to security issues.



from TechCrunch https://ift.tt/2C1eagu
Share:

No comments:

Post a Comment

Search This Blog

Blog Archive

Powered by Blogger.

Edo raises $12M from Breyer Capital to measure TV ad effectiveness

Edo , an ad analytics startup founded by Daniel Nadler and actor Edward Norton, announced today that it has raised $12 million in Series A f...

Blog Archive

Recent Posts

Unordered List

  • Lorem ipsum dolor sit amet, consectetuer adipiscing elit.
  • Aliquam tincidunt mauris eu risus.
  • Vestibulum auctor dapibus neque.

Sample Text

Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation test link ullamco laboris nisi ut aliquip ex ea commodo consequat.

Pages

Theme Support

Need our help to upload or customize this blogger template? Contact me with details about the theme customization you need.