John McAfee, long famous in the cryptocurrency space for the “I’ll eat my d**k” bet made on the price of Bitcoin [BTC], has recently emerged as a strong advocate of Bitfi Wallet. The wallet is a so-called ‘brain wallet’ that allows users to keep their funds safe “in their own brains”, which basically means that they have to remember a passphrase.
The wallet is offering a $250,000 reward to whoever can hack it. This led a team of security researchers and ethical hackers to dive into it. They found that, judging by its hardware, the device is nothing but a cheap Android phone.
The wallet has no hardware security at all, and all the funds are kept off the device, as in a hot wallet, which was the flaw largely blamed for the Tokyo Coincheck hack earlier this year. A traditional hardware wallet, by contrast, stores the funds on the device itself.
Moreover, the device ships with built-in apps known to be malware, such as Adups FOTA, a spyware platform that transmits text, call, location, and app data to a server in China every 72 hours. The Baidu app, a Chinese counterpart to Google, is also present on the device; it tracks Wi-Fi and GPS, offering no privacy to those who require it.
Reportedly, these apps are active and transmitting data. Twitter user OverSoft NL discovered this and tweeted:
“Most of the firmware looks just like a normal MTK phone, including: A Baidu GPS/WIFI tracker, The well-known Adups FOTA malware suite, The entire Mediatek library of example apps, A tracker, capable of logging all activity on the device. At least the Baidu and Adups apps are indeed actively running on the device, including calling home to Baidu and Adups. The rest of the system/vendor partitions include drivers for removed devices like the camera, tcpdump, adbd and several other debugging binaries.”
As more security researchers, such as Cybergibbons, added to the list of complaints against Bitfi, the company hit back at existing solutions such as Trezor and Ledger Wallet by quoting news reports that said they were not secure. This prompted Pavol Rusnak, the Co-Founder and CTO of SatoshiLabs, the company behind Trezor, to speak up. He stated:
“TREZOR with passphrase is immune against private key extraction. Why? Because it uses the same concept as your brainwallet calculator. It adds a passphrase (stored in user’s brain) to the mix.”
He further stated:
“Educate yourself and go read BIP39 before you post any more of this shit 😀 You are using the concept we, at Trezor, invented 5 years ago.”
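The BIP39 passphrase scheme Rusnak refers to, as an added example that is not part of the article or of either vendor's code: the seed is derived from the mnemonic (which a device stores) plus a passphrase (which only the user remembers), so extracting the mnemonic alone yields a different wallet. The mnemonic and expected seed below are BIP39's published English test vector; nothing else is assumed.

```python
import hashlib
import unicodedata


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed from a mnemonic and optional passphrase.

    BIP39 specifies PBKDF2-HMAC-SHA512 with 2048 rounds; the mnemonic is the
    password and the salt is the string "mnemonic" followed by the passphrase.
    Both inputs are NFKD-normalised before use.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


# First BIP39 English test vector: entropy of 16 zero bytes, passphrase "TREZOR".
TEST_MNEMONIC = "abandon " * 11 + "about"
TEST_SEED_HEX = (
    "c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
    "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04"
)


def passphrase_changes_wallet(mnemonic: str, passphrases: list[str]) -> bool:
    """True if every passphrase in the list maps the same mnemonic to a distinct seed.

    This is the property behind "the passphrase lives in the user's brain":
    a mnemonic lifted from a device is only one of the two inputs.
    """
    seeds = {bip39_seed(mnemonic, p) for p in passphrases}
    return len(seeds) == len(passphrases)


if __name__ == "__main__":
    seed = bip39_seed(TEST_MNEMONIC, "TREZOR")
    print("matches BIP39 vector:", seed.hex() == TEST_SEED_HEX)
    print("distinct wallets per passphrase:",
          passphrase_changes_wallet(TEST_MNEMONIC, ["", "TREZOR", "correct horse"]))
```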
Bitfi then grew protective of their ‘copyrighted’ technology, stating:
“I hope it’s not too similar because we filed over two dozen patents on our tech and if you are infringing it could be a problem.”
Rusnak responded in kind, albeit with more colorful language. He said:
“You can stick your dirty software patents where they belong – into your hairy a**.”
Bitfi provided a statement to Hard Fork, wherein they alleged that Trezor and Ledger have “employed an army of trolls”. They said:
“Please understand that the Bitfi wallet is a major threat to Ledger and Trezor because it renders their technology obsolete. So they hired an army of trolls to try to ruin our reputation (which is ok because the truth always prevails). All these trolls can do is talk smack all day but they can’t hack the wallet if their life depended on it.”
On the bundling of Chinese software with the product, they stated:
“There is absolutely no Chinese bloatware whatsoever. The device simply has Google and Bidu [sic] to be able to ping something to see if it is connected to the internet or not. Bidu [sic] is there because we have customers in China and Google is blocked in China. So for Chinese customers the device will simply ping Bidu [sic]. That’s all. None of this has anything to do with the security of the device. I mean we are offering a $250,000 bounty. Do you see any other wallet doing that?”