Slashdot Mirror


John McAfee's 'Unhackable' Bitfi Wallet Got Hacked -- Again (techcrunch.com)

Earlier this month, computer programmer John McAfee released "the world's first un-hackable storage for cryptocurrency & digital assets" -- a $120 device, called the Bitfi wallet, that McAfee claimed contained no software or storage. McAfee was so sure of its security that it launched with a bug bounty inviting researchers to try and hack the wallet in return for a $250,000 award. Lo and behold, a researcher by the name of Andrew Tierney managed to hack the wallet, but Bitfi declined to pay out, arguing that the hack was outside the scope of the bounty. TechCrunch is now reporting that Tierney has managed to hack the Bitfi wallet again. An anonymous reader shares the report: Security researchers have now developed a second attack, which they say can obtain all the stored funds from an unmodified Bitfi wallet. The Android-powered $120 wallet relies on a user-generated secret phrase and a "salt" value -- like a phone number -- to cryptographically scramble the secret phrase. The idea is that the two unique values ensure that your funds remain secure. But the researchers say that the secret phrase and salt can be extracted, allowing private keys to be generated and the funds stolen. Using this "cold boot attack," it's possible to steal funds even when a Bitfi wallet is switched off. Within an hour of the researchers posting the video, Bitfi said in a tweeted statement that it has "hired an experienced security manager, who is confirming vulnerabilities that have been identified by researchers."
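The summary describes the wallet's design as deriving keys from a user-chosen secret phrase plus a salt such as a phone number. The short Python script below is an added illustration (not Bitfi's code; the page does not say which key-derivation function the device uses, so PBKDF2-HMAC-SHA256 and the HMAC-based account derivation are assumptions). It shows the property the researchers exploited: derivation is fully deterministic, so whoever holds both inputs reproduces every private key, and a numeric salt of phone-number length bounds how much secrecy the second factor can contribute.

```python
import hashlib
import hmac
import math

# Constructed sample inputs for the demonstration; not real wallet values.
PHRASE = "correct horse battery staple"
SALT = "5551234567"  # a phone-number-style salt, as the article describes


def derive_master_secret(phrase: str, salt: str, iterations: int = 200_000) -> bytes:
    """Deterministically derive a 32-byte master secret from phrase + salt.

    Assumption: PBKDF2-HMAC-SHA256. Bitfi's actual KDF is not described on the page.
    The same (phrase, salt) pair always yields the same secret; there is no
    device-bound material mixed in, which is exactly why extracting the two
    inputs from memory is equivalent to extracting the keys.
    """
    return hashlib.pbkdf2_hmac("sha256", phrase.encode(), salt.encode(), iterations, dklen=32)


def derive_account_key(master: bytes, index: int) -> bytes:
    """Derive a per-account private key from the master secret.

    Simplified HMAC-based child derivation (assumed; not BIP32 and not
    Bitfi's scheme). Each index yields a distinct, reproducible key.
    """
    return hmac.new(master, f"account:{index}".encode(), hashlib.sha256).digest()


def numeric_salt_entropy_bits(digits: int = 10) -> float:
    """Upper bound on the entropy a purely numeric salt of `digits` digits adds.

    A 10-digit phone number contributes at most about 33 bits, and far less
    in practice because phone numbers are not uniformly random or secret.
    """
    return digits * math.log2(10)


def keys_reproducible(phrase: str, salt: str, n_accounts: int = 3) -> bool:
    """Return True if two independent derivations from the same inputs agree
    for every account key, which is the property the design relies on."""
    first = [derive_account_key(derive_master_secret(phrase, salt), i) for i in range(n_accounts)]
    second = [derive_account_key(derive_master_secret(phrase, salt), i) for i in range(n_accounts)]
    return first == second


if __name__ == "__main__":
    master = derive_master_secret(PHRASE, SALT)
    print("master secret:", master.hex())
    print("account 0 key:", derive_account_key(master, 0).hex())
    print("reproducible from inputs alone:", keys_reproducible(PHRASE, SALT))
    print(f"max entropy of 10-digit salt: {numeric_salt_entropy_bits(10):.1f} bits")
```

The design consequence for defenders is that a scheme with no device-bound secret is only as strong as the confidentiality of its inputs wherever they exist, including RAM; that is the property a cold boot attack targets, and it is why hardware wallets keep key material in a secure element rather than deriving it on demand from user-supplied values.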

4 of 108 comments

  1. Never say unhackable. by jellomizer · Score: 3, Insightful

    If it is designed for a computer (a man-made machine) to read the data and decrypt the data to be shown and used, then there is a way to hack it. The best we can get is having it secure enough to make mass production of the hack impossible or just expensive, and performing such a hack a time-consuming process.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  2. Re:No software and no storage? by Immerman · Score: 5, Insightful

    How about "hired an experienced security manager, who is confirming vulnerabilities..."

    If you're trying to make the world's first unhackable device, how exactly is such a person not already a primary member of your team?

    --
    --- Most topics have many sides worth arguing, allow me to take one opposite you.
  3. Re:No software and no storage? by iserlohn · Score: 3, Insightful

    Not only that, they seem to be missing the basics of PR. How hard is it to phrase it as "We have hired an external security expert to independently verify the reported vulnerabilities"?

  4. Re:No software and no storage? by Immerman · Score: 1, Insightful

    What if your smart card is corrupted in such a manner as to exploit a flaw in your data-reading routines to corrupt the software itself? That's a notoriously vulnerable attack surface right there - we're *still* finding new ways to compromise data loading routines for common formats that are decades old, though you could hopefully simplify the format to . Heck, the smart-card formatting itself could be corrupted, attacking through the OS instead of the voting software. (Though I find it unconscionable that any voting machine would incorporate the huge attack surface of an OS in the first place.)

    > which the vote count display overhead is supposed to prevent, but then what?
    Then you know you have a problem. Just because an acceptable solution isn't readily apparent is no reason to avoid exposing the fact that your system has been compromised. If you want a high-integrity anything, the first responsibility is to do everything you can to ensure that any tampering is revealed. Dealing with it suitably is a whole second problem.

    Though - here's a possibility: the oversight officials have to push a "commit" button periodically to commit the last N temporarily recorded votes to the permanent record - or a cancel button to invalidate them. So long as that's done while the last N voters are still physically present they can recast their votes while the perpetrator is being arrested. They just need to stick around until they've confirmed their vote is committed.

    Really though - why are you trying to do electronic voting at all? What _exactly_ is the point? As far as I can tell it's just a way to radically weaken an important civil institution in order to add some high-tech glitz. Paper ballots are unhackable, easy to use (unless designed deceptively - and that's easy to prevent by requiring them to, for example, be approved by a jury), and there are some extremely clever designs out there that manage to incorporate anonymity, verifiable end-to-end confirmation receipts, and the inability to prove to anyone else how you voted. Heck, mail out ballots beforehand and let people just drop them off for validation and eventual counting - they can take all the time they need, and voting proceeds quickly at the polling place since all most people need to do is feed it through the validation scanner.

    It's *far* easier to secure a physical ballot box, and it doesn't take that long to count - especially since the volunteer pool for vote counters is directly proportional to the number of voters - just give everyone a 1% chance of being flagged for vote-counting duty and you could get the votes counted in a few minutes. Ideally votes should be counted at the polling place, immediately after the polls close. Or possibly even in several shifts throughout the day - every hour or two a new ballot box is put out and the old one gets counted - that should still be anonymous enough, and it would be easy to pull randomly flagged people out of line for a half-hour stint in the vote-tallying room next door - let them skip the waiting line for voting so that there's no serious added burden on people so selected. Use a tallying scanner too if you like for added integrity - each bundle of ballots gets counted, tallied by both computer and drafted volunteers, and if the tallies don't all agree, they get re-tallied until they do. Heck, tally by computer at the beginning AND end of the process to make sure nothing got modified or misplaced (and potentially later recounted) before the bundle is sealed and labeled with its final tallies, never to be opened again except in case of recount.

    Just like that we've solved almost all the existing problems with paper ballots - they're verified as valid when cast (heck, add a digital scale and your wall-count display to ensure nobody casts multiple ballots). You've done the tallying before ballots ever leave the polling place, and can report them to the central counting authority without them ever being unsupervised. Counting is completed shortly after the polls close, and you've not once trusted a computer without verifying it's working properly.

    --
    --- Most topics have many sides worth arguing, allow me to take one opposite you.