After weeks of claiming that its cryptocurrency wallet was unhackable despite being continually disproven, Bitfi has now raised its hands in the air in surrender.
In a tweeted statement, the hardware wallet maker said it will no longer use the ‘unhackable claim’ in its promotional materials.
“Effective immediately, we will be removing the “unhackable” claim from our brand which has caused a significant amount of controversy,” the tweet read. “While our intention has always been to unite the community and accelerate the adoption of digital assets worldwide, we realize that some of our actions have been counterproductive to that goal.”
Will Bounty Hunters get their Dues?
According to CNET, the Bitfi brand has taken a hit on social media and the turnaround is aimed at salvaging its reputation. Bitfi has, however, not indicated whether the bounties it had been offering to security researchers will be awarded to those who hacked its device. Notably, though the US$250,000 bounty program has been discontinued.
To its credit though, Bitfi has promised to unveil a conventional bounty program via HackerOne, a vulnerability coordination and bug bounty platform that links business organizations with cybersecurity experts.
The turnaround by Bitfi, whose executive chairman is John McAfee, came after several security researchers using the name ‘THCMKACGASSCO’ (based on their initials) were able to break into the hardware wallet. First reported by TechCrunch, the security researchers who included 15-year-old Saleem Rashid and Ryan Castellucci revealed that they were able to extract two unique values needed to steal the funds – a secret phrase which is generated by a user and a ‘salt’ value, using a ‘cold boot attack’.
According to the security researchers, this left the funds stored inside vulnerable to theft. What made this possible was the fact that the values were stored in the memory of the hardware wallet longer than the manufacturer had claimed.
Following the exploit, Bitfi has now indicated that it will be hiring an ‘experienced’ security manager to confirm the vulnerabilities which the security researchers identified. Some commenters, however, felt that that was not enough and suggested that a product recall was necessary.
If you guys are serious the first thing you need to do is recall the current hardware – it's inherently insecure.#RecallBitfi https://t.co/sprlb2Q2z1
— David Wachtfogel (@dwfogel) August 30, 2018
Reportedly, however, Bitfi has no such plans.
“Whatever issues we discover will be patched for all customers via our push updates,” Bitfi said in an email to CNET.
In its tweeted statement, Bitfi repeatedly promised to make a public announcement which will acknowledge and address the issues that have been raised by the security researchers and offer ‘specific action items on our future product roadmap’ next week. Indeed next week will be very crucial for the future of Bitfi – in the single tweet ‘next week’ was mentioned thrice.
Featured Image from Flickr/NullSession.