If the security community could tell you just one thing, it's that "nothing is unhackable." Except for John McAfee's cryptocurrency wallet, which was "unhackable" only until it was not – twice.
Security researchers have now developed a new attack that they say can extract all the stored funds from an unmodified Bitfi wallet. The Android-powered $120 wallet relies on a user-generated secret phrase and a "salt" value – such as a phone number – to encrypt the secret phrase. The idea is that the two unique values together keep your money safe.
But the researchers say that the secret phrase and the salt can be extracted, allowing the private keys to be generated and the funds stolen.
Using this "cold boot attack," it is possible to steal funds even when a Bitfi wallet is turned off. A video is below.
The researchers, Saleem Rashid and Ryan Castellucci, discovered and developed the exploit as part of a team of several security researchers calling themselves "THCMKACGASSCO" (after their initials). The two researchers shared it with TechCrunch before its release. The video shows Rashid setting a secret phrase and salt, then running a local exploit to extract the keys from the device.
Rashid told TechCrunch that the keys are kept in memory longer than Bitfi claims, allowing their combined exploit to run code on the hardware without the memory being wiped. From there, an attacker can extract the memory and locate the keys. The exploit takes less than two minutes to run, says Rashid.
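The weakness Rashid describes is secret material that outlives its use in RAM. The following added example (not code from the article, the researchers or Bitfi) models that with a constructed phrase and salt and a toy XOR-fold derivation standing in for the real key derivation: the same derive step is run once without and once with a volatile wipe of the working copies, and a residue scan over the simulated RAM image shows which version leaves the phrase recoverable.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RAM_SIZE 256   /* constructed stand-in for the device's working RAM */

/* Zero a buffer through a volatile pointer so the compiler cannot drop the
 * store as "dead" once the secret is no longer read. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Toy derivation that XOR-folds phrase and salt into 32 bytes. NOT a real KDF
 * and not Bitfi's algorithm; it only stands in for "derive key from phrase + salt". */
static void toy_derive(const unsigned char *ph, size_t pl,
                       const unsigned char *sa, size_t sl, unsigned char key[32]) {
    memset(key, 0, 32);
    for (size_t i = 0; i < pl; i++) key[i % 32] ^= ph[i];
    for (size_t i = 0; i < sl; i++) key[(i + 7) % 32] ^= sa[i];
}

/* Derive a key using `ram` as working memory, the way a device holds phrase and
 * salt while deriving. Working copies are cleared only when `wipe` is non-zero.
 * Returns 0 on success, -1 if the inputs do not fit the 128-byte slots. */
int derive_in_ram(unsigned char *ram, size_t ram_len, const char *phrase,
                  const char *salt, int wipe, unsigned char out[32]) {
    size_t pl = strlen(phrase), sl = strlen(salt);
    if (ram_len < RAM_SIZE || pl >= 128 || sl >= 128) return -1;
    unsigned char *p = ram, *s = ram + 128;
    memcpy(p, phrase, pl);
    memcpy(s, salt, sl);
    toy_derive(p, pl, s, sl, out);
    if (wipe) { secure_wipe(p, pl); secure_wipe(s, sl); }
    return 0;
}

/* Defender's check: scan a RAM image for a plaintext secret that should be gone. */
int residue_present(const unsigned char *ram, size_t ram_len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= ram_len; i++)
        if (memcmp(ram + i, needle, n) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char ram[RAM_SIZE] = {0}, key[32];
    derive_in_ram(ram, RAM_SIZE, "correct horse battery", "5551234", 0, key);
    printf("no wipe: phrase in RAM = %d\n", residue_present(ram, RAM_SIZE, "correct horse battery"));
    derive_in_ram(ram, RAM_SIZE, "correct horse battery", "5551234", 1, key);
    printf("wipe:    phrase in RAM = %d\n", residue_present(ram, RAM_SIZE, "correct horse battery"));
    return 0;
}
```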
"This attack is both reliable and practical and requires no specialized hardware," said Andrew Tierney, a security researcher with Pen Test Partners, who confirmed the attack.
Tierney was one of the hackers behind the first Bitfi attack. The McAfee-backed company offered a $250,000 reward for anyone who could perform what the company regards as a "successful attack." But Bitfi refused to pay out, claiming that the hack was beyond the scope of the bounty, and instead posted threats on Twitter.
This new attack, says Tierney, "meets the requirements of the bounty in spirit, even if it does not meet the specific terms that Bitfi has set."
McAfee earlier this month said, "The wallet is hacked when somebody gets coins."
Bill Powel, Vice President of Operations at Bitfi, told TechCrunch in an email that the company defines a hack "as something that would allow an attacker to access funds held by the wallet."
"Because the device does not store private keys, that is what prompts the unhackable claim," he said.
When pressed, Powel did not address the specifics of the cold boot attack. McAfee, who was copied on Bitfi's email, did not respond.
Within an hour of the researchers sending the video, Bitfi said in a tweeted statement that it has "hired an experienced security manager, who confirms the vulnerabilities identified by researchers."
"Effective immediately, we are closing the current bounty programs, which have caused understandable anger and frustration among researchers," it added.
The statement also said that it will not
Rashid said he has no immediate plans to release the exploit code, so as not to expose the estimated thousands of Bitfi users.
Just last year, Bitfi won the Pwnie Award for Lamest Vendor Response, a traditional award given at the Black Hat conference to the company with the worst response to security issues.