
15-year-old proves: Bitfi wallet not “unhackable”

Nothing is unhackable, just as nothing is 100% secure. That’s something probably everyone can agree with. Nonetheless, there are still companies that try to cash in on such buzzwords: they sound great, and more than enough people are still willing to believe them. The Bitfi cryptocurrency hardware wallet is the latest in a string of products that claimed exactly that. But, as so often, pride comes before the fall.

A quick backstory

Bitfi Wallet is a cryptowallet. That means it’s there to make sure your cryptocurrency (be it Bitcoin, Monero, Litecoin, Ethereum, or any other one) is collected in one place and stays safe from cybercriminals. Being a hardware wallet means that it is an actual device instead of just some code on your PC.

Now, there are a ton of wallets out there, so if you want to enter the market with a splash, you really need to come up with something new. Bitfi Wallet definitely made an impression by claiming to be “the world’s first and only unhackable storage for digital assets.” The claim came with two hefty bounties: a $250,000 one if anyone managed to remove funds from a prepared wallet and a $10,000 one for demonstrating a man-in-the-middle attack.

As you can imagine, reactions followed immediately. There was tweet after tweet, first from Andre Tierney, then from more and more security researchers. Things escalated quickly. It went so far that Saleem Rashid, a 15-year-old, managed to play Doom on one of the devices.

No bounty but a security consultant instead

The final straw in the “unhackable” story came when the same 15-year-old showed how he managed to extract the two elements needed to generate the key that protects the cryptocurrency. With the key, he should theoretically be able to get to the money in the wallet.

Hours after he posted his achievement on Twitter, Bitfi suddenly changed their claims. Their wallet was no longer touted as being “unhackable”, and the bug bounty program was closed at the same time. On top of that, they announced that they had hired a Security Manager, who confirmed the vulnerabilities discovered and shared by the different researchers during the last four weeks.

The moral of the story

Nothing is unhackable, no matter who claims it. There are various levels of security, that’s for sure. Encrypted files will always be more secure than unencrypted ones. A long and complicated password will be safer than using password123. Does that mean that you should not bother making your accounts and computer as secure and safe as possible? Of course not. Just make sure that you do not fall for promises that try to sell you something that’s just not possible.


PR & Social Media Manager @ Avira | Gamer. Geek. Tech addict.