Bitcoin wallet Bitfi withdraws ‘unhackable’ claim


Bitfi, a cryptocurrency wallet backed by anti-virus software entrepreneur John McAfee, has issued a statement saying it will no longer describe its service as “unhackable”.

The announcement followed the release of evidence by a group of security researchers showing the wallet being compromised.

However, Mr McAfee maintains that the claim stands.

Bitfi had offered a $250,000 (£190,000) reward to anyone who hacked the wallet.

But it stated that the Bitcoin inside must be removed from the wallet, a condition that was controversial among the cybersecurity community because weaknesses are often identified but not acted upon.

The group claimed to have hacked the wallet once before but Bitfi and Mr McAfee refused to accept their evidence.

They said it didn’t qualify for the reward – known as a bug bounty – because none of the digital currency was actually removed.

Security researchers had argued that the terms of the bug bounty programme were too specific.

“Effective immediately, we are closing the current bug bounty programs which have caused understandable anger and frustration among researchers,” the firm wrote in a statement.

It said it planned a bigger announcement in the coming days.

In response to a question from a follower on Twitter, however, John McAfee maintained that the $120 wallet, which is designed to hold any form of cryptocurrency, is “clearly unhackable”.

The group of security researchers who carried out the hack included Prof Alan Woodward, cybersecurity expert at Surrey University.

“Security can be complex and the wider public rely upon vendors telling the truth,” he said.

“However, there are certain signals that should immediately ring alarm bells. The worst is if a vendor claims something is unhackable as Bitfi did: nothing is unhackable.”

The wallet works by creating a virtual key based on two pieces of information: a made-up phrase (the website suggests something like “10 Scary Things My Doctor Is Not Telling Me”) and a second piece of data, such as a phone number or email address, to ensure that each combination of the two, the private key, is unique.

Bitfi says that this key is not stored anywhere, including on the device itself. This was disputed by the security researchers, who say they were able to find it using what is known as a cold boot attack, in which electronic information can be recovered from memory long after it has been entered.