Bitcoin Forum
Topic: John McAfee & Bitfi launch the first 'unhackable' hardware wallet
o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18510
July 22, 2018, 08:54:22 PM
 #41

My passphrase is just God now. Tongue

Not sure if you are trolling, but the address that links to "god" had about $100 of Bitcoin transferred through it less than 12 hours ago.  Cheesy
Hueristic
Legendary
Activity: 3808
Merit: 4898
Doomed to see the future and unable to prevent it
July 23, 2018, 12:28:13 AM
 #42

My passphrase is just God now. Tongue

Not sure if you are trolling, but the address that links to "god" had about $100 of Bitcoin transferred through it less than 12 hours ago.  Cheesy

Hah, I was joking as "God" is/was the most common admin password ever.

“Bad men need nothing more to compass their ends, than that good men should look on and do nothing.”
alizay
Jr. Member
Activity: 123
Merit: 3
July 25, 2018, 01:49:49 AM
 #43

Wow, this is interesting, I'm going to keep an eye on this. I only have a Ledger right now but am very interested in this "unhackable" wallet.

BUT the bigger question is: if one of these wallets does get hacked will McAfee eat his own penis???

nc50lc
Legendary
Activity: 2408
Merit: 5593
Self-proclaimed Genius
July 25, 2018, 03:22:49 AM
 #44

Wow, this is interesting, I'm going to keep an eye on this. I only have a Ledger right now but am very interested in this "unhackable" wallet.
Did you even read the previous posts? Delete it from your "to buy" list.
It's basically a brainwallet, which has a horrible history in terms of security, and compared to Ledger, McAfee's endorsed "unhackable" wallet is a joke.
Not sure if you are trolling, but the address that links to "god" had about $100 of Bitcoin transferred through it less than 12 hours ago.  Cheesy
I've seen that too.
Actually, I have an Electrum Wallet named "Collision Tester" which contained the private keys of the most common brainwallet passphrases like Satoshi, free bitcoins, free bitcoin, etc.
But unluckily, I never got the chance to transfer the funds since it's impossible to monitor the wallet 24/7 manually.

bododk
Jr. Member
Activity: 51
Merit: 1
July 25, 2018, 07:45:16 AM
 #45

* this device has three flaws in design:

- human factor
- weak algorithm
- self update mechanism

Please, do not use this wallet.
gentlemand (OP)
Legendary
Activity: 2590
Merit: 3013
Welt Am Draht
July 25, 2018, 09:58:12 AM
 #46

- self update mechanism

That one is a little bit worrying.

It appears they're saying you can't turn down updates and indeed there is no such thing as an update, you get the latest and livest version every time you fire it up.

In that case that makes their servers a stunningly tempting target and you have no protection from a nefarious party feeding you something unhelpful.

I get the feel they're trying to invent the wheel while barrelling down the highway and at some point they're going to miss something extremely gaping and obvious.
gentlemand (OP)
Legendary
Activity: 2590
Merit: 3013
Welt Am Draht
July 28, 2018, 09:36:11 AM
 #47

A security researcher's review here - https://rya.nc/bitfi-wallet.html

Overall it doesn't seem as screamingly bad as it first appeared, but there are still plenty of holes and the developers appear to lack diligence in quite a few areas.

"I strongly advise against using one of these devices. While Bitfi is perhaps not an outright scam, the design is inferior to that of hardware wallets where the device really is needed (or the backup of the seed) along with the passphrase in order to spend the coins. The fact that they're using a lot of the same techniques to sell devices that have been used to sell snake oil so many times in the past makes me very concerned. I've notified Bitfi of these issues, however they showed no interest in fixing them."

o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18510
July 28, 2018, 09:58:04 AM
 #48

I've notified Bitfi of these issues, however they showed no interest in fixing them.

Haha, wow. If anyone wasn't already convinced not to buy this wallet, then this surely has to be the nail in the coffin? Why would you trust a company behind any product that shows no interest in closing security holes and flaws?
gentlemand (OP)
Legendary
Activity: 2590
Merit: 3013
Welt Am Draht
July 28, 2018, 10:01:29 AM
 #49

Haha, wow. If anyone wasn't already convinced not to buy this wallet, then this surely has to be the nail in the coffin? Why would you trust a company behind any product that shows no interest in closing security holes and flaws?

They'll just think it's, like, his opinion, man.


More gold - "Kerckhoffs's Principle in essence says that a properly designed system should still be secure even if the attacker knows everything except the key. Here, Bitfi engages in some misdirection, claiming to be "open source", however their "source code" is just a PDF largely made of formulas copy/pasted from the description of scrypt and BIP32. A number of people called them out on this, and in response to a comment on reddit, a user going by Bitfi-Team replied:

We never said we were providing full open source code. We clearly state that our wallet is open source. Just check our website before you spew garbage. But if you want the code, do some math. Don't be lazy."
Hueristic
Legendary
Activity: 3808
Merit: 4898
Doomed to see the future and unable to prevent it
July 28, 2018, 01:49:35 PM
 #50

I've notified Bitfi of these issues, however they showed no interest in fixing them.

Haha, wow. If anyone wasn't already convinced not to buy this wallet, then this surely has to be the nail in the coffin? Why would you trust a company behind any product that shows no interest in closing security holes and flaws?

I dunno, ask Microsoft. Tongue


They'll just think it's, like, his opinion, man.


More gold - "Kerckhoffs's Principle in essence says that a properly designed system should still be secure even if the attacker knows everything except the key. Here, Bitfi engages in some misdirection, claiming to be "open source", however their "source code" is just a PDF largely made of formulas copy/pasted from the description of scrypt and BIP32. A number of people called them out on this, and in response to a comment on reddit, a user going by Bitfi-Team replied:

We never said we were providing full open source code. We clearly state that our wallet is open source. Just check our website before you spew garbage. But if you want the code, do some math. Don't be lazy."

That is pure Gold, apparently the moron doesn't know what open sauce means. Smiley

Ndok88
Newbie
Activity: 85
Merit: 0
July 29, 2018, 07:42:36 AM
 #51

Thank you for the review...
I cancelled buying bitfi Grin Cheesy
gentlemand (OP)
Legendary
Activity: 2590
Merit: 3013
Welt Am Draht
July 29, 2018, 09:58:11 PM
 #52

https://twitter.com/cybergibbons/status/1023667374153773057

More fun.

The innards are basically a low end Android phone with plenty of parts missing and no important - ie secure - ones added.
HCP
Legendary
Activity: 2086
Merit: 4316
<insert witty quote here>
July 29, 2018, 10:29:41 PM
 #53

https://twitter.com/cybergibbons/status/1023667374153773057
The innards are basically a low end Android phone with plenty of parts missing and no important - ie secure - ones added.
Just... WOW. Roll Eyes Undecided

It essentially confirms ALL the worst assumptions made about this device... and then adds some more. The entire thing is basically snake oil wrapped up with a nice $120.00 bow

Quote from: https://bitfi.com/
The Bitfi wallet is only $120 USD. As a computing device it is much more costly to
manufacture than ordinary hardware wallets, however, our mission is to make this
technology accessible to everyone and to keep it affordably priced as long as possible.
Roll Eyes Roll Eyes Roll Eyes


My condolences to anyone who bought one.

https://www.reddit.com/r/Bitcoin/comments/92dnf8/bitfis_hardware_wallet_is_terrible
https://rya.nc/bitfi-wallet.html

ryanc
Member
Activity: 105
Merit: 59
July 31, 2018, 08:18:12 PM
Merited by HCP (2)
 #54

They're currently trying to throw shade on me, claiming I'm out to get them due to some perceived personal slight.

This is false - I engaged on a very similar crusade when the now defunct ether.camp site was offering brain wallets without explaining what they were.

The siren call of brain wallets is strong, but we must fight back.
gentlemand (OP)
Legendary
Activity: 2590
Merit: 3013
Welt Am Draht
August 02, 2018, 07:53:39 PM
 #55

They're currently trying to throw shade on me, claiming I'm out to get them due to some perceived personal slight.

Well, the opinion of every single person in crypto worth listening to on this corroborates your conclusions. They can screech all they want. That's not going to convince anyone.

ryanc
Member
Activity: 105
Merit: 59
August 02, 2018, 10:50:57 PM
 #56


Well, the opinion of every single person in crypto worth listening to on this corroborates your conclusions. They can screech all they want. That's not going to convince anyone.



I think "screech" is a good description of their social media "strategy".
gentlemand (OP)
Legendary
Activity: 2590
Merit: 3013
Welt Am Draht
August 02, 2018, 10:57:36 PM
 #57

https://twitter.com/OverSoftNL/status/1024684201575108615

Bring on so much shrillness that checking their and McAfee's Twitter accounts will cause your speakers to shatter.

So assuming it can be rooted, and most likely third parties will be selling compromised versions, what steps are needed to gain someone's funds assuming they use a compromised device from the off? Would it be very straightforward or are there some steps that would be considerably harder?

As there's nothing on board I presume that also means there's nothing to stop you being fed whatever someone wants you to see and everything you do going straight to them.
bob123
Legendary
Activity: 1624
Merit: 2481
August 03, 2018, 05:50:22 AM
 #58

So assuming it can be rooted, and most likely third parties will be selling compromised versions, what steps are needed to gain someone's funds assuming they use a compromised device from the off? Would it be very straightforward or are there some steps that would be considerably harder?

Since this wallet is auto-updating itself each time it has an internet connection, you don't really need to sell compromised versions.
You would just need to find a vulnerability and use an exploit to compromise ALL devices which are logging in (auto updating) their wallet within the time frame of the beginning of your attack and the end of your attack (when bitfi wallet server gets shut down).

But, assuming it can be rooted.. it would really be straightforward to create a malicious version which will serve as a backdoor. This is nothing compared to an attack on a ledger nano s / trezor.



o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18510
August 03, 2018, 10:52:43 AM
 #59

https://mobile.twitter.com/OverSoftNL/status/1025000286119780353:

"So yeah: you don't need a BitFi device to run a BitFi wallet.
I repeat: there's nothing in that device that is required for the BitFi app to function. There's NO secure element. They could've released it on the Play Store as an app."

Maybe this is a good thing - instead of forking out hundreds of dollars for what is essentially an unsecure old android phone, you can just download the APK and run it on any device with an android emulator.  Grin
Hueristic
Legendary
Activity: 3808
Merit: 4898
Doomed to see the future and unable to prevent it
August 03, 2018, 09:41:05 PM
 #60

https://mobile.twitter.com/OverSoftNL/status/1025000286119780353:

"So yeah: you don't need a BitFi device to run a BitFi wallet.
I repeat: there's nothing in that device that is required for the BitFi app to function. There's NO secure element. They could've released it on the Play Store as an app."

Maybe this is a good thing - instead of forking out hundreds of dollars for what is essentially an unsecure old android phone, you can just download the APK and run it on any device with an android emulator.  Grin

But why would you want to? Smiley
