back to article 'Unhackable' Bitfi crypto-currency wallet maker will be shocked to find fingernails exist

A crypto-currency wallet heavily promoted as "unhackable" – complete with endorsements from the security industry's loopy old uncle John McAfee and a $350,000 bounty challenge – has, inevitably, been hacked within a week. The $120 Wi-Fi-connected Bitfi wallet is a hardware device that stores your crypto-coins and assets, and …

Page:

  1. JohnFen Silver badge

    The universal law

    The universal, immutable law of security is: if a thing can be accessed legally, it can also be accessed illegally.

    I would add a corollary: this law is doubly true of any system that claims to be "unhackable".

    1. Dave 126 Silver badge

      Re: The universal law

      > if a thing can be accessed legally, it can also be accessed illegally.

      It's your use of the word 'if' that's caught my attention. What would it take to make a physical object inaccessible to a well-resourced attacker? You might put it in a bank vault, but that means trusting the bank - and the state, since it's the police who prevent robbers with cutting equipment taking a leisurely week to attack the vault. You might put it in a safe, but that merely means that the item to be accessed is now a physical key - a physical object, which is just making the problem recursive. You could use a passcode on your safe - but beware shiny button syndrome or the micro camera in the wall behind you. And again, in a lawless state the attackers can take as long as they want to physically break the safe. You might bury it in the woods, but again that just means the attacker only needs information to access your precious item.

      1. Stoneshop Silver badge
        Devil

        Re: The universal law

        It's your use of the word 'if' that's caught my attention. What would it take to make a physical object inaccessible to a well-resourced attacker?

        If they're dedicated to getting into your secure device specifically, then there's very little you can do.

        But in most cases you don't have to outrun the bear, you just have to outrun the next person.

        1. Dave 126 Silver badge

          Re: The universal law

          Making myself an unattractive target for thieves by spending all my money on beer.

          1. teknopaul Bronze badge

            Re: The universal law

            Enterprising young hacker should have rewritten the software on the xevive to publish the password when entered, copied the encrypted data, faked a hack with incorrect data, returned the device and claimed the prize.

            No doubt John would have, to some fanfare on stage, entered the real password on the device to prove it was never hacked. Hacker gets sms with real password opens wallet, profits a cool quarter of a million.

            1. MyffyW Silver badge

              Re: The universal law

              "As I pass through my incarnations in every age and race,

              I make my proper prostrations to the Gods of the Market Place.

              Peering through reverent fingers I watch them flourish and fall,

              And the Gods of the Copybook Headings, I notice, outlast them all."

              1. hplasm Silver badge
                Happy

                Re: The universal law

                "...And the Gods of the Copyrights, I notice, outlast them all."

                FTFY

      2. Charles 9 Silver badge

        Re: The universal law

        "What would it take to make a physical object inaccessible to a well-resourced attacker?"

        No defense known to man can stop an insider. Who has to crack bank vaults and so on if I can just learn enough about you to impersonate you?

      3. JohnFen Silver badge

        Re: The universal law

        You're assuming a logical connection that I did not assert. "If a thing can be accessed legally, it can be accessed illegally" does not mean that if a thing can't be accessed legally, then it can't be accessed illegally.

        1. Charles 9 Silver badge

          Re: The universal law

          He's not. He's asserting if ONE person can access, ANOTHER can by impersonating the first, and that there is no real way to prevent this physically.

  2. VikiAi Silver badge
    Mushroom

    "Uncrackable"

    Yeah, they said that about the atom once, and look where that got us!

    1. DropBear Silver badge

      Re: "Uncrackable"

      Hardly fair to blame them for that considering the mind-boggling repulsion between the nucleus and any other proton you might consider using for said cracking - and that when they said that, nobody had any idea that neutrons existed...

  3. jake Silver badge

    "And we should all know better than to be even bother talking about it."

    Indeed.

    But laughing at it? Fair game, that others might learn.

  4. Mark 85 Silver badge

    McAfee credible?

    Really? I am shocked that his endorsement of a product might be considered a plus that product based not just on the man himself but also on the concept of "endorsement for hire" like a certain sports and actor/actresses. I daresay any celebs endorsement is just about as valuable as the paper it's printed on.

    1. IceC0ld Bronze badge

      Re: McAfee credible?

      SO secure, it IS so secure

      it will survive for .............. five - four - McAfee - Two - GONE

      ah well better luck next time, as along the immutable laws, is the one born every minute :o(

    2. Stoneshop Silver badge
      Windows

      Re: McAfee credible?

      I am shocked that his endorsement of a product might be considered a plus

      To you and me it's not, but there are millions of rubes who just know his name from the AV stuff and consider that authorative on security matters

  5. JLV Silver badge

    >McAfee – a man who makes Donald Trump's tweeting compulsion look considered and thoughtful

    Less stable(maybe, one hopes), more genius (at least at some point). More fun to be around, I’d bet and at least he can blame mind altering substances for most of his tweets.

    1. jake Silver badge

      " I’d bet and at least he can blame mind altering substances for most of his tweets."

      So can the Idiot In Chief, except his are probably the natural result of aging.

    2. james_smith

      at least he can blame mind altering substances for most of his tweets.

      Quite possibly Trump could as well. One of his doctors prescribed him a medication that's basically an amphetamine back in 1982, and he took until "no later than 1990". It would explain a lot if he's still taking them, although even if he isn't, long term ampetamine use causes lasting damage to the body.

      http://polipace.com/2018/03/01/trump-medical-records-show-worrisome-addiction-drug/

  6. Palladium

    Quick!

    We got to keep hyping up crypto more before there are no more suckers left to hook.

    1. Anonymous Coward
      Anonymous Coward

      Re: Quick!

      There's one born every minute.

  7. Anonymous Coward
    Anonymous Coward

    Crackers

    He's crackers

  8. Anonymous Coward
    Anonymous Coward

    That is some BS article!

    " The most obvious one: modifying the device so that it records and sends the key to a malicious third party. But this is excluded from the bounty. Why is this? Because the bounty is a sham."

    Really?

    Another title for you: "Unhackable device can be hacked if the hardware is modified, therefore it is worthless."

    This is so stupid I have no words. What next? "Incredible: You can die of poisoning if healthy food is mixed with poison" ?

    1. Anonymous Coward
      Anonymous Coward

      You missed the point the article was stating the fact that the device is easy to open and therefore easy to modify.

      It should have a tamper warning if opened.

      1. HxBro
        Joke

        You mean there's no sticker!

        Hacking something with a "warranty is void if broken" sticker is infinitely harder than one without, maybe I should suggest that as a upgrade to the device, you can pick them up on ebay cheap enough, if they'd have skipped the endorsement and spent the money on stickers, they'd have a MUCH more secure device.

      2. 080

        Duplicate comment

    2. Anonymous Coward
      Anonymous Coward

      re: That is some BS article!

      Awww! Well, it is the Summer Holidays so I guess you're not at school....

    3. Geekpride

      Hi John McAfee, I didn't know you read The Register.

    4. bish

      Lay off the kool aid

      First of all, you're calling out the Register's article as 'BS', but using a quote from a completely different source: the article, in that section, is quoting what Andrew Tierney wrote elsewhere. You can call bullshit on Tierney's opinions (and you'd be wrong) but you can't call bullshit on El Reg, since they're just accurately reporting someone else's (relevant and informed) opinion on the story.

      Secondly, and finally, you seem to think 'hacking' is exclusively about using code to manipulate factory standard kit. Social engineering, bugs/key loggers, rubber duckies, etc etc are presumably not 'hacks' in your world, since they don't fit your absurdly narrow requirements that hacks use only stock hard/soft ware. You'd presumably also argue that even software exploits aren't technically vulnerabilities, because people aren't supposed to use software that way. God help anyone who relies on you for tech/security advice.

      1. Anonymous Coward
        Anonymous Coward

        Re: Lay off the kool aid

        I still don't buy this definition of "hackable' (even though most people are not with me here; that's fine).

        So if this device was sold with all electronics encased in a solid block of black epoxy, suddenly it would be the bee's knees?

        Not trying to be smart (and you would say there is no chance of that happening), but I wish all "hackable" devices required modifying the hardware to gain access, like this one apparently does. I happily would settle for that for now.

        1. Francis Boyle Silver badge

          You seem to be missing

          that this is a hardware security device. Yes, I expect hardware security devices to have secure hardware.

        2. jake Silver badge

          Re: Lay off the kool aid

          AC, some of us are old enough to remember when the word "hack" included physically modifying hardware. It's not our fault that the media has perverted the meaning of the word to mean "some clueless kid ran a shell script that he found online somewhere".

    5. Cynic_999 Silver badge

      "

      What next? "Incredible: You can die of poisoning if healthy food is mixed with poison" ?

      "

      You can see that, yet you fail to see the stupidity of a food producer who sells loose items of food while claiming that their product cannot be poisoned. Planting malicious code that transmits passwords to a 3rd party is an extremely common method that hackers use to gain unauthorised access. If I can plant a backdoor in a device by gaining physical possession of it for a few minutes, then it cannot possibly be described as "unhackable." At the *very* least the case should be made such that it would be obvious if someone had opened it.

  9. Byz

    First rule of security...

    Nothing is unhackable

    Second rule of security

    Don't put it on Android !!!

    Android has so many known security holes (makes windows look good).

    1. Lord Elpuss Silver badge

      Re: First rule of security...

      Android sits at both ends of the security scale. Run-of-the-mill unhardened Android like this (and 99.9% of consumer Android devices) offer next to no security. On the other hand, some of the most secure comms handsets also run android - albeit properly hardened and probably unrecognisable to the layperson.

      1. Byz

        Re: First rule of security...

        I saw a hardened device in March (sold as very secure), it was still sending packets off to China.

        Eventually we harden it so much to stop the packets that it basically was unusable as a device :o

        1. JohnFen Silver badge

          Re: First rule of security...

          "I saw a hardened device in March (sold as very secure), it was still sending packets off to China."

          Then you didn't see a hardened device, no matter what the company's salesdroids told you.

        2. Stoneshop Silver badge
          Black Helicopters

          Re: First rule of security...

          Eventually we harden it so much to stop the packets

          Several inches of armour plating, for a start?

        3. RancidOrange

          Re: First rule of security...

          convenient<--------------------------->secure

      2. Claptrap314 Bronze badge

        Re: First rule of security...

        So why didn't Google offer these "secure Andriods" to their SREs? If Google cannot secure the device, I'm calling it unsecurable.

        1. JohnFen Silver badge

          Re: First rule of security...

          Google cant' secure them because it's unwilling to remove Google's own software. Android devices really are securable, just not by Google.

  10. Stoneshop Silver badge
    Windows

    What shoddy design is this?

    It doesn't even incorporate Secure Blockchain[tm].

    1. Anonymous Blowhard

      Re: What shoddy design is this?

      "It doesn't even incorporate Secure Blockchain[tm]."

      Exactly! If they'd securely wrapped it in a block of chain that would have frustrated their much vaunted "fingernails"...

  11. Pete 2 Silver badge

    No need to hack anything?

    If this device "holds" your digital stash, then to have it stolen means you lose your imaginary money.

    The only operation that a bad person needs to perform in order to profit from this is to steal someone's Bitfi and send a ransom note to the owner.

    Sometimes the "old fashioned" methods are the most effective.

    1. Lord Elpuss Silver badge

      Re: No need to hack anything?

      Obligatory

      https://xkcd.com/538/

    2. Steve K Silver badge

      Re: No need to hack anything?

      You can also lose the device - does that mean that you have >1for backups...?

    3. Robert Carnegie Silver badge

      Re: No need to hack anything?

      Stealing the device physically and demanding a ransom isn't hacking. A device with substantial hacking resistance still can be worthwhile to have.

      On the other hand, if this was just a cellphone and someone stole it, it would typically be findable remotely.

      iPhone has that feature; I understand it also is fussy about interference with its internal parts. I don't have one, but it seems to me that an iPhone is a better one of what this is, than this is.

    4. Cynic_999 Silver badge

      Re: No need to hack anything?

      "

      ... you lose your imaginary money.

      "

      It is no more imaginary than the bits of coloured paper or plastic in your wallet, or the magnetic ones and zeros on the HDDs of your bank's computer. Earlier this year I enjoyed a very nice holiday in a distant and exotic land paid for entirely by what you are calling "imaginary money"

      1. VikiAi Silver badge

        Re: No need to hack anything?

        In the end, even the value of gold and diamonds is imaginary - they only have value because we agree that they do. The only things that have true intrinsic value to humans are vitamins, protein, calories and shelter.

        1. jake Silver badge

          Re: No need to hack anything?

          I dunno 'bout you, VikiAi, but I'll take potable water before the four you mention.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019