Bitcoin Forum
Author Topic: John Mcafee & Bitfi launch the first 'unhackable' hardware wallet  (Read 1136 times)
Hueristic
Legendary
July 22, 2018, 08:39:59 PM
#41

-snip-

I checked that address - no funds! You liar!

The address that corresponds to "correct horse battery staple" (also from XKCD) has had almost 16 BTC in it over the years. All the most common passwords (123456, password, qwerty, monkey) have held varying amounts of Bitcoin over the years, as have a bunch of obvious Bitcoin-related ones (satoshi, bitcoin, blockchain).

People are awful at security.

Someone guessed and stole that years ago! Smiley

My passphrase is just God now. Tongue

Some PGP public keys you should import: theymos, Wladimir, Gregory, Pieter
o_e_l_e_o
Hero Member
July 22, 2018, 08:54:22 PM
#42

Quote from: Hueristic
My passphrase is just God now. Tongue

Not sure if you are trolling, but the address that links to "god" had about $100 of Bitcoin transferred through it less than 12 hours ago.  Cheesy

Hueristic
Legendary
July 23, 2018, 12:28:13 AM
#43

Quote from: Hueristic
My passphrase is just God now. Tongue

Quote from: o_e_l_e_o
Not sure if you are trolling, but the address that links to "god" had about $100 of Bitcoin transferred through it less than 12 hours ago.  Cheesy

Hah, I was joking, as "God" is/was the most common admin password ever.

alizay
Jr. Member
July 25, 2018, 01:49:49 AM
#44

Wow, this is interesting, I'm going to keep an eye on this. I only have a Ledger right now but am very interested in this "unhackable" wallet.

BUT the bigger question is: if one of these wallets does get hacked will mcafee eat his own penis???

★ PRiVCY ➢ Own Your Privacy! ➢ Best privacy crypto-market! ★
✈✈✈[PoW/PoS]✅[Tor]✅[Airdrop]✈✈✈ (https://privcy.io/)
nc50lc
Sr. Member
July 25, 2018, 03:22:49 AM
#45

Quote from: alizay
Wow, this is interesting, I'm going to keep an eye on this. I only have a Ledger right now but am very interested in this "unhackable" wallet.

Did you even read the previous posts? Delete it from your "to buy" list.
It's basically a brainwallet, which has a horrible history in terms of security, and compared to Ledger, McAfee's endorsed "unhackable" wallet is a joke.

Quote from: o_e_l_e_o
Not sure if you are trolling, but the address that links to "god" had about $100 of Bitcoin transferred through it less than 12 hours ago.  Cheesy

I've seen that too.
Actually, I have an Electrum wallet named "Collision Tester" which contained the private keys of the most common brainwallet passphrases like "Satoshi", "free bitcoins", "free bitcoin", etc.
But unluckily, I never got the chance to transfer the funds, since it's impossible to monitor the wallet 24/7 manually.

(っ◕‿◕)っ Newbies and Newbies at heart! Remember to Lock your Thread(s) after receiving enough replies/sufficient answers. 
39EKeFj43inkH6Ctkosh9E7oskx3tvhSXi ∙ Do not buy non-mainstream ASICs at second-batch and onwards, you know the risk!
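The "Collision Tester" wallet above works because a brainwallet key is a deterministic function of the passphrase: two people who type the same phrase get the same private key, so a thief only needs to guess what someone else typed. The Go program below is an added example, not code from this thread or from Bitfi. It uses a hand-rolled PBKDF2-HMAC-SHA256 as a stand-in for the scrypt-style derivation the review mentions; the salt, the iteration count and the 128-bit threshold are assumed example values, and the denylist is built from the phrases this thread reports as having already held and lost coins. It shows the collision property and the guard a wallet setup flow should run before accepting a typed phrase as the only secret: the entropy upper bound alone lets "correct horse battery staple" through, which is exactly why the denylist is needed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math"
	"strings"
)

// pbkdf2SHA256 is a minimal PBKDF2-HMAC-SHA256 producing one 32-byte block.
// It stands in for the scrypt KDF the review says Bitfi describes; the
// collision property shown below holds for any deterministic KDF.
func pbkdf2SHA256(passphrase, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, passphrase)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// DeriveBrainKey shows the brainwallet property: the key is a pure function
// of the typed passphrase and salt, so anyone typing the same thing gets the
// same key. The iteration count is an arbitrary example value.
func DeriveBrainKey(passphrase, salt string) string {
	return hex.EncodeToString(pbkdf2SHA256([]byte(passphrase), []byte(salt), 4096))
}

// knownBrainPhrases lists the phrases this thread reports as already having
// held (and lost) coins; a wallet setup flow should refuse them outright.
var knownBrainPhrases = map[string]bool{
	"correct horse battery staple": true,
	"123456": true, "password": true, "qwerty": true, "monkey": true,
	"satoshi": true, "bitcoin": true, "blockchain": true, "god": true,
	"free bitcoins": true, "free bitcoin": true,
}

// EstimateEntropyBits returns a generous upper bound: every character is
// assumed uniformly random over the character classes present. Real
// human-chosen phrases are far weaker, which is why the denylist exists.
func EstimateEntropyBits(p string) float64 {
	var lower, upper, digit, other bool
	for _, r := range p {
		switch {
		case r >= 'a' && r <= 'z':
			lower = true
		case r >= 'A' && r <= 'Z':
			upper = true
		case r >= '0' && r <= '9':
			digit = true
		default:
			other = true
		}
	}
	alphabet := 0
	if lower {
		alphabet += 26
	}
	if upper {
		alphabet += 26
	}
	if digit {
		alphabet += 10
	}
	if other {
		alphabet += 33 // printable ASCII punctuation and space
	}
	if alphabet == 0 {
		return 0
	}
	return float64(len([]rune(p))) * math.Log2(float64(alphabet))
}

// CheckPassphrase is the guard a setup flow should run before a typed phrase
// becomes the only thing between a balance and whoever can guess it.
// The 128-bit threshold is an example policy value.
func CheckPassphrase(p string) (ok bool, reason string) {
	norm := strings.ToLower(strings.TrimSpace(p))
	if knownBrainPhrases[norm] {
		return false, "known brainwallet phrase that has already lost funds"
	}
	if bits := EstimateEntropyBits(p); bits < 128 {
		return false, fmt.Sprintf("estimated entropy %.0f bits is below 128", bits)
	}
	return true, ""
}

func main() {
	// Two users who both type "god" end up with the same key.
	fmt.Println("same phrase, same key:", DeriveBrainKey("god", "") == DeriveBrainKey("god", ""))
	for _, p := range []string{"god", "correct horse battery staple", "Tq7!mZ2#vL9$pW4%kD8&hF"} {
		ok, why := CheckPassphrase(p)
		fmt.Printf("%-32q ok=%v %s\n", p, ok, why)
	}
}
```

The entropy estimate is deliberately an upper bound: a four-word dictionary phrase scores well over 128 bits by character count while its real search space is a few dozen bits, so the bound is only useful for rejecting, never for approving, and a hardware wallet sidesteps the whole question by generating the seed from a random source rather than from anything a person typed.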
bododk
Jr. Member
July 25, 2018, 07:45:16 AM
#46

This device has three flaws in design:

- human factor
- weak algorithm
- self update mechanism

Please, do not use this wallet.
gentlemand
Legendary
July 25, 2018, 09:58:12 AM
#47

Quote from: bododk
- self update mechanism

That one is a little bit worrying.

It appears they're saying you can't turn down updates and indeed there is no such thing as an update, you get the latest and livest version every time you fire it up.

In that case that makes their servers a stunningly tempting target and you have no protection from a nefarious party feeding you something unhelpful.

I get the feel they're trying to invent the wheel while barrelling down the highway and at some point they're going to miss something extremely gaping and obvious.

gentlemand
Legendary
July 28, 2018, 09:36:11 AM
#48

A security researcher's review here - https://rya.nc/bitfi-wallet.html

Overall it doesn't seem as screamingly bad as it first appeared, but there are still plenty of holes and the developers appear to lack diligence in quite a few areas.

Quote from: https://rya.nc/bitfi-wallet.html
I strongly advise against using one of these devices. While Bitfi is perhaps not an outright scam, the design is inferior to that of hardware wallets where the device really is needed (or the backup of the seed) along with the passphrase in order to spend the coins. The fact that they're using a lot of the same techniques to sell devices that have been used to sell snake oil so many times in the past makes me very concerned. I've notified Bitfi of these issues, however they showed no interest in fixing them.


o_e_l_e_o
Hero Member
July 28, 2018, 09:58:04 AM
#49

Quote from: https://rya.nc/bitfi-wallet.html
I've notified Bitfi of these issues, however they showed no interest in fixing them.

Haha, wow. If anyone wasn't already convinced not to buy this wallet, then this surely has to be the nail in the coffin? Why would you trust a company behind any product that shows no interest in closing security holes and flaws?

gentlemand
Legendary
July 28, 2018, 10:01:29 AM
#50

Quote from: o_e_l_e_o
Haha, wow. If anyone wasn't already convinced not to buy this wallet, then this surely has to be the nail in the coffin? Why would you trust a company behind any product that shows no interest in closing security holes and flaws?

They'll just think it's, like, his opinion, man.

More gold:

Quote from: https://rya.nc/bitfi-wallet.html
Kerckhoffs's Principle in essence says that a properly designed system should still be secure even if the attacker knows everything except the key. Here, Bitfi engages in some misdirection, claiming to be "open source", however their "source code" is just a PDF largely made of formulas copy/pasted from the description of scrypt and BIP32. A number of people called them out on this, and in response to a comment on reddit, a user going by Bitfi-Team replied:

We never said we were providing full open source code. We clearly state that our wallet is open source. Just check our website before you spew garbage. But if you want the code, do some math. Don't be lazy.

Hueristic
Legendary
July 28, 2018, 01:49:35 PM
#51

Quote from: https://rya.nc/bitfi-wallet.html
I've notified Bitfi of these issues, however they showed no interest in fixing them.

Quote from: o_e_l_e_o
Haha, wow. If anyone wasn't already convinced not to buy this wallet, then this surely has to be the nail in the coffin? Why would you trust a company behind any product that shows no interest in closing security holes and flaws?

I dunno, ask Microsoft. Tongue

Quote from: gentlemand
They'll just think it's, like, his opinion, man.

More gold:

Quote from: https://rya.nc/bitfi-wallet.html
Kerckhoffs's Principle in essence says that a properly designed system should still be secure even if the attacker knows everything except the key. Here, Bitfi engages in some misdirection, claiming to be "open source", however their "source code" is just a PDF largely made of formulas copy/pasted from the description of scrypt and BIP32. A number of people called them out on this, and in response to a comment on reddit, a user going by Bitfi-Team replied:

We never said we were providing full open source code. We clearly state that our wallet is open source. Just check our website before you spew garbage. But if you want the code, do some math. Don't be lazy.

That is pure gold; apparently the moron doesn't know what open sauce means. Smiley

Ndok88
Newbie
July 29, 2018, 07:42:36 AM
#52

Thank you for the review...
I cancelled buying Bitfi. Grin Cheesy
gentlemand
Legendary
July 29, 2018, 09:58:11 PM
#53

https://twitter.com/cybergibbons/status/1023667374153773057

More fun.

The innards are basically a low-end Android phone with plenty of parts missing and no important - i.e. secure - ones added.

HCP
Legendary
July 29, 2018, 10:29:41 PM
#54

Quote from: gentlemand
https://twitter.com/cybergibbons/status/1023667374153773057
The innards are basically a low-end Android phone with plenty of parts missing and no important - i.e. secure - ones added.

Just... WOW. Roll Eyes Undecided

It essentially confirms ALL the worst assumptions made about this device... and then adds some more. The entire thing is basically snake oil wrapped up with a nice $120.00 bow.

Quote from: https://bitfi.com/
The Bitfi wallet is only $120 USD. As a computing device it is much more costly to
manufacture than ordinary hardware wallets, however, our mission is to make this
technology accessible to everyone and to keep it affordably priced as long as possible.
Roll Eyes Roll Eyes Roll Eyes


My condolences to anyone who bought one.

https://www.reddit.com/r/Bitcoin/comments/92dnf8/bitfis_hardware_wallet_is_terrible
https://rya.nc/bitfi-wallet.html

ryanc
Member
July 31, 2018, 08:18:12 PM
Merited by HCP (2)
#55

They're currently trying to throw shade on me, claiming I'm out to get them due to some perceived personal slight.

This is false - I engaged on a very similar crusade when the now defunct ether.camp site was offering brain wallets without explaining what they were.

The siren call of brain wallets is strong, but we must fight back.
gentlemand
Legendary
August 02, 2018, 07:53:39 PM
#56

Quote from: ryanc
They're currently trying to throw shade on me, claiming I'm out to get them due to some perceived personal slight.

Well, the opinion of every single person in crypto worth listening to on this corroborates your conclusions. They can screech all they want. That's not going to convince anyone.


ryanc
Member
August 02, 2018, 10:50:57 PM
#57

Quote from: gentlemand
Well, the opinion of every single person in crypto worth listening to on this corroborates your conclusions. They can screech all they want. That's not going to convince anyone.

I think "screech" is a good description of their social media "strategy".
gentlemand
Legendary
August 02, 2018, 10:57:36 PM
#58

https://twitter.com/OverSoftNL/status/1024684201575108615

Bring on so much shrillness that checking their and Mcafee's Twitter accounts will cause your speakers to shatter.

So assuming it can be rooted, and most likely third parties will be selling compromised versions, what steps are needed to gain someone's funds assuming they use a compromised device from the off? Would it be very straightforward, or are there some steps that would be considerably harder?

As there's nothing on board I presume that also means there's nothing to stop you being fed whatever someone wants you to see and everything you do going straight to them.

bob123
Hero Member
August 03, 2018, 05:50:22 AM
#59

Quote from: gentlemand
So assuming it can be rooted, and most likely third parties will be selling compromised versions, what steps are needed to gain someone's funds assuming they use a compromised device from the off? Would it be very straightforward, or are there some steps that would be considerably harder?

Since this wallet is auto-updating itself each time it has an internet connection, you don't really need to sell compromised versions.
You would just need to find a vulnerability and use an exploit to compromise ALL devices which are logging in (auto-updating) their wallet within the time frame between the beginning of your attack and the end of your attack (when the Bitfi wallet server gets shut down).

But, assuming it can be rooted.. it would really be straightforward to create a malicious version which will serve as a backdoor. This is nothing compared to an attack on a Ledger Nano S / Trezor.
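gentlemand's worry in #47 that there is no way to refuse an update, and bob123's point above that one compromised server reaches every device, come down to the same missing control: the device trusts whatever the server hands it. The Go program below is an added illustration, not Bitfi's code and not a description of what the device actually does. It shows the two checks a device can run so that a server compromise alone is not enough to push code: an Ed25519 signature over the version number and body hash, verified against a vendor public key pinned at manufacture, and a monotonic version check so that an old, validly signed release cannot be replayed onto a device. The keys, version numbers and payload bytes are constructed on the fly for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is the payload a device fetches from the vendor server. The
// signature covers the version number together with a hash of the body,
// so neither can be swapped independently of the other.
type Update struct {
	Version   uint64
	Body      []byte
	Signature []byte
}

// signingInput binds version and body hash into the message that is signed.
func signingInput(version uint64, body []byte) []byte {
	h := sha256.Sum256(body)
	buf := make([]byte, 8+len(h))
	binary.BigEndian.PutUint64(buf, version)
	copy(buf[8:], h[:])
	return buf
}

// SignUpdate is what a vendor release process does with its (ideally offline) key.
func SignUpdate(priv ed25519.PrivateKey, version uint64, body []byte) Update {
	return Update{Version: version, Body: body, Signature: ed25519.Sign(priv, signingInput(version, body))}
}

// Device holds a vendor public key pinned at manufacture and the last version
// it accepted; the server it talks to is not trusted for either.
type Device struct {
	VendorPub        ed25519.PublicKey
	InstalledVersion uint64
	Firmware         []byte
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify against pinned vendor key")
	ErrRollback     = errors.New("update rejected: version is not newer than the installed one")
)

// ApplyUpdate runs the two checks the thread says this wallet lacks: the code
// must be signed by the vendor key, and it must not roll the device back.
func (d *Device) ApplyUpdate(u Update) error {
	if !ed25519.Verify(d.VendorPub, signingInput(u.Version, u.Body), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= d.InstalledVersion {
		return ErrRollback
	}
	d.InstalledVersion = u.Version
	d.Firmware = append([]byte(nil), u.Body...)
	return nil
}

// Scenario exercises the checks with constructed keys and payloads: a genuine
// release, a tampered body, a build signed by an attacker who controls the
// server but not the vendor key, and a replayed old release.
func Scenario() (map[string]error, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	dev := &Device{VendorPub: vendorPub, InstalledVersion: 1, Firmware: []byte("wallet-v1")}
	res := map[string]error{}

	good := SignUpdate(vendorPriv, 2, []byte("wallet-v2"))
	res["genuine"] = dev.ApplyUpdate(good) // nil; device is now at version 2

	tampered := good
	tampered.Body = []byte("wallet-v2 plus backdoor") // body changed after signing
	res["tampered"] = dev.ApplyUpdate(tampered)

	forged := SignUpdate(attackerPriv, 3, []byte("attacker build")) // server-side attacker, wrong key
	res["forged"] = dev.ApplyUpdate(forged)

	replay := SignUpdate(vendorPriv, 1, []byte("wallet-v1")) // validly signed, but old
	res["replay"] = dev.ApplyUpdate(replay)

	return res, nil
}

func main() {
	res, err := Scenario()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"genuine", "tampered", "forged", "replay"} {
		fmt.Printf("%-9s -> %v\n", name, res[name])
	}
}
```

With these checks a compromised server can still withhold updates (a denial of service) but cannot ship code of its own, and the trust moves to the vendor's signing key, which is why that key belongs offline; the rollback counter matters because an old release with a known flaw is otherwise still a perfectly valid, signed payload.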



o_e_l_e_o
Hero Member
August 03, 2018, 10:52:43 AM
#60

https://mobile.twitter.com/OverSoftNL/status/1025000286119780353:

"So yeah: you don't need a BitFi device to run a BitFi wallet.
I repeat: there's nothing in that device that is required for the BitFi app to function. There's NO secure element. They could've released it on the Play Store as an app."

Maybe this is a good thing - instead of forking out hundreds of dollars for what is essentially an insecure old Android phone, you can just download the APK and run it on any device with an Android emulator.  Grin
