CoinTrust

John McAfee’s “Unhackable” Wallet Was Hacked By a Research Group

A few weeks ago, John McAfee tweeted about Bitfi’s “unhackable” cryptocurrency wallet and challenged hackers to crack it for a bounty of $100,000. The bounty was later increased to $250,000.

He even said the prize is not for the first person who does it but for all those who are able to hack the crypto hardware wallet. Now, it seems that Bitfi’s challenge has been won by a group of researchers.

Security researcher Andrew Tierney (Twitter handle Cybergibbons) cracked the hardware wallet, played the popular game DOOM on it, and also sent signed transactions using the device, despite the safeguards Bitfi deployed to prevent that.

By doing so, the researchers believe they have fulfilled the conditions Bitfi set for the bounty. Bitfi had laid out three conditions for claiming the reward: the hacker should be able to modify the device, establish a connection with the Bitfi server, and send crucial information using the device.

According to the researchers, tampering with the code was an easy job. The research group revealed that they had gained full root access two weeks earlier. From then on, all details about the device were tracked, giving them a clear overview of the product, including the data being sent through it. The process also enabled the researchers to confirm that the wallet stays connected to the Bitfi servers, which opens the possibility of data interception.

Security researcher Andrew Tierney told Hard Fork:

“We intercepted the communications between the wallet and [Bitfi]. This has allowed us to display silly messages on the screen. The interception really isn’t the big part of it, it’s just to demonstrate that it is connected to the dashboard and still works despite significant modification.”

The third crucial condition for claiming the bounty was met by sending the device’s private keys and its passphrase to a server elsewhere. With these activities, the research group was able to satisfy the conditions laid down by Bitfi to claim the bounty.



Tierney said:

“We have sent the seed and phrase from the device to another server, it just gets sent using netcat, nothing fancy. We believe all [conditions] have been met.”

Now, it’s up to McAfee to stand by his promise and pay the research group, which not only exposed the vulnerability but also saved non-technical investors who could otherwise have bought the wallet.
