Hardware wallet manufacturer Bitfi is this year’s recipient of the Pwnie Award for the Lamest Vendor Response.
The award, which is given to vendors who handle a security vulnerability in the worst way possible, was awarded based on the controversies and missteps the device manufacturer has been embroiled in since its cryptocurrency wallet was unveiled close to two months ago.
‘Safest in the World’
During the launch of the device, the executive chairman of Bitfi, John McAfee, essentially declared the hardware wallet to be ‘unhackable’.
“Of all today’s elaborate and sophisticated methods for making wallets secure and easy to use, surely none is as epic as that of the new Bitfi wallet. Several of my competitors have pioneered innovative methods to protect private keys, but Bitfi pulled out all the stops to ensure that the private key can never be obtained by illicit means,” McAfee said at the time.
And on social media the founder of the eponymously named antivirus software proclaimed the wallet to be the most secure way of securing cryptocurrencies.
As proof of the confidence Bitfi had in its claims, the hardware wallet manufacturer introduced a bounty program, which initially offered US$100,000 before it was increased to US$250,000, for anyone who could hack the wallet and take the pre-loaded bitcoins.
Exploit After Exploit
As CCN.com reported, claims of the device getting hacked soon emerged. These included one from an information security expert using the Twitter handle @OverSoft, who proclaimed that the device had been rooted before posting the wallet’s ROM directory listings.
OverSoft was also able to find a suite of apps from Chinese online search engine giant Baidu installed on the device, including GPS/Wi-Fi trackers, as well as MediaTek firmware. This prompted hardware hacker Ryan Castellucci to brand the hardware wallet a bare-bones Android device.
And perhaps as a response to Castellucci’s challenge, the 15-year-old hacking prodigy Saleem Rashid, who was instrumental in disclosing security vulnerabilities in the Ledger hardware wallet earlier this year, was soon able to install the Doom game on the device and play it.
However, Bitfi’s executive chairman was adamant that none of these actions constituted a successful hack according to the terms set in the bounty program.
“Let’s put this to bed. Using the wallet as a component in a video player is not a hack. Gaining root access on a device with no memory is not a hack,” McAfee wrote on Twitter while insisting that successfully hacking the device constituted getting the bitcoins that had been pre-loaded in the hardware wallet.
Additionally, a Bitfi spokesperson blamed all the controversies on its competitors in an emailed statement to Hard Fork:
“Please understand that the Bitfi wallet is a major threat to Ledger and Trezor because it renders their technology obsolete. So they hired an army of trolls to try to ruin our reputation (which is ok because the truth always prevails).”
For organizers of the Pwnies, the 2018 Lamest Vendor Response category was probably the easiest to award.
Last modified: March 4, 2021 3:54 PM