
INTERVIEW: Bitfi Explains Drama Behind Allegedly Hacked Wallets

Published 08/23/2018, 06:07 AM
Updated 08/23/2018, 07:21 AM

As Bitfi, the producer of what is allegedly the world’s first unhackable wallet, came under attack following the efforts of penetration testing company Pen Test Partners, which managed to gain root access to its device, Cryptovest decided to contact the company for clarification. We spoke with Bitfi’s vice president of operations, Bill Powell, and were surprised to find out that we were the only press outlet that had made an effort to contact the wallet maker.

Here is the company’s side of the story, including some clarifications regarding the storage model the device uses and insight into how its software works to prevent the siphoning of private keys from memory.

Cryptovest: Can you walk me through what’s been going on with the hackers at Pen Test Partners?

Bill Powell: The thing is that the company right now has two bounties. One is for a quarter-million dollars, which demonstrates a situation in which, let’s say, somebody steals your device, and the question is, “Can we get your money or not?” That is what it insinuates. That is a very important attack… And we’re the only company offering this kind of bounty, because our competitors know that if they send a wallet with coins to an experienced hacker, they’ll get those coins out in 15 minutes.

And then we have a second bounty which is designed to simulate a man-in-the-middle attack and that one awards $10,000. We still want to see if it’s possible to do it and see what kinds of ideas they [hackers] can come up with. In that bounty, it simulates a situation in which somebody intercepts a device being shipped to you or something like that, modifies it, and you would start using it without being aware of it transmitting information to the attacker whenever you’re typing in your secret phrase and salt. So, you put in your credentials and, without your knowledge, the wallet sends information to the attackers.

Nobody has ever come forward to claim either of these two bounties, ever. And these guys [Pen Test Partners] are basically posting random images with no proof, no method, no evidence, nothing whatsoever.

I mean, we reacted. We literally sent them messages saying, “If you have done this, please send the device to us so that we can check and pay your bounty.” And they just said, “Oh, we’re not interested in a bounty. We’re not interested. Give that money to charity. We don’t want it. We just want to do this.”

Who says that? Who would do that? And then we said, “OK. If you’re not interested in the money, do it [send the device] to help thousands of people who use the wallet.” I mean, if you don’t care about money, you obviously care about people whose safety may be at risk. You demonstrated something that illustrates an attack, so shouldn’t you send it to us so we can immediately fix it and address it to see the way that the attack works?

We push updates to devices, so that when we discover a weakness, we can fix it rather quickly by pushing it out to our users.

It is mind-boggling, let’s say, that the media has picked up on these tweets from these random people without ever presenting any evidence or proof of any kind, and took it as fact and just posted articles all over the world saying the device has been hacked!

[...]

A quarter-million dollars certainly doesn’t just grow on trees, and a bounty is a very serious thing. If someone actually does this, and we don’t pay the bounty, no one will ever trust the company again.

You can’t just not pay the bounty. You’d completely ruin your reputation forever. You have to pay the bounty. It’s very serious.

The way that our device works is completely different from every other device, because other products store your private keys and keep them outside of the computer. But if they’re stolen, the seed and all the private keys are there and a hacker could get to them.

Our device does not store private keys. Our device generates them on the spot. So, it doesn’t store the data. That is the big innovation. A lot of people don’t really understand what we define as a really unique and sophisticated solution.

You put in your own phrase, and with that phrase, our algorithm calculates all your private keys for whatever transaction you’re doing - whether it’s Ethereum, Bitcoin, or whatever. [After that], the private key’s gone.

It persists in memory for a short amount of time. We try to get it down to a few seconds, and if your device is seized or stolen, an attacker or whoever takes it is going to find nothing in memory.

We think that if the guy was able to retrieve the private key from the device or something like that, it would have to have been done on a rooted device. But if you root a device, you have to restart it, and when you restart it, it wipes the RAM clean.

That means that there’s nothing in the memory anymore. And that’s why I think that he’s not releasing any data, because he knows that it’s a rooted device and it’s not a real-world attack.

It’s not something that can happen to an actual customer because if you steal a customer’s device… If you root it first, then it will wipe the memory clean. How will you get the private key even if you were to, let’s say, steal the device like 30 seconds after they use it?

It’s just, really, a remarkable situation. It seems like what happened was that these people got, just, triggered by the fact that [we made] this claim of “unhackable”. It got to this whole thing of, “What’s really the definition of ‘unhackable’?”

To them, it seems that a hack is anything where you modify the function of the device, whereas we are saying that a hack is where you are able to steal users’ funds. That is what a hack is.

We never meant to upset anyone. We just kind of thought we were true to our language [with] “unhackable”. We just thought that [it’s correct because] there’s just nothing to hack because the device doesn’t store data!

If the device doesn’t store data, you have nothing to hack. How can you hack something when there’s nothing on it?

That’s where we were coming from. We were not trying to upset all these hackers who see us as this challenge, where we’re challenging them to create this uproar in the hacker community where they’re like, “Oh my God, they’re saying ‘unhackable’. Nothing is unhackable!”

And also, I can tell you this: Right before we launched, we sent the device to John McAfee, an...
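The storage model Powell describes above (private keys recomputed from the user's phrase and salt each time, never written to storage, held in RAM only while needed) as an added illustration; this is not Bitfi's code and the page does not disclose its algorithm. PBKDF2-HMAC-SHA512 as the key-stretching function, a per-coin tag appended to the salt, and the secp256k1 group order for turning derived bytes into a valid key scalar are all assumptions made here.

```python
import hashlib
import hmac

# secp256k1 group order (used by both Bitcoin and Ethereum); a private
# key is any integer in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Assumed work factor (not from the page); a real device would tune this.
PBKDF2_ITERATIONS = 200_000


def derive_private_key(phrase: str, salt: str, coin: str) -> int:
    """Recompute a private-key scalar from the user's phrase and salt.

    Nothing is read from storage: the same (phrase, salt, coin) always
    yields the same key, so the device only needs to hold the result
    while it signs. The coin tag (assumed) separates BTC and ETH keys.
    """
    material = bytearray(hashlib.pbkdf2_hmac(
        "sha512",
        phrase.encode("utf-8"),
        (salt + "|" + coin).encode("utf-8"),
        PBKDF2_ITERATIONS,
        dklen=64,
    ))
    try:
        # Reduce into [1, N-1] so the scalar is a valid secp256k1 key.
        return int.from_bytes(material, "big") % (SECP256K1_N - 1) + 1
    finally:
        # Best-effort scrubbing: the model relies on key material living
        # in RAM only briefly. CPython may keep other copies (the int
        # above is immutable), so this is illustrative, not a guarantee.
        for i in range(len(material)):
            material[i] = 0


def keys_match(phrase: str, salt: str, coin: str, candidate: int) -> bool:
    """Constant-time check that re-entered credentials reproduce a key."""
    expected = derive_private_key(phrase, salt, coin).to_bytes(32, "big")
    return hmac.compare_digest(expected, candidate.to_bytes(32, "big"))


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    phrase, salt = "correct horse battery staple", "example-salt"
    k_btc = derive_private_key(phrase, salt, "BTC")
    k_eth = derive_private_key(phrase, salt, "ETH")
    print("BTC key recomputed identically:", keys_match(phrase, salt, "BTC", k_btc))
    print("BTC and ETH keys differ:", k_btc != k_eth)
```

Because the key is a pure function of the credentials, the security of this model rests on the phrase and salt and on how long the derived scalar stays in memory, which is exactly the point contested in the interview.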


This article appeared first on Cryptovest
