
John McAfee’s ‘unhackable’ Bitfi wallet got hacked again - sahin-boydas
https://techcrunch.com/2018/08/30/john-mcafees-unhackable-bitfi-wallet-got-hacked-again/
======
ryan-c
Since knowledge of the salt and passphrase is sufficient to generate all the
private keys needed to conduct transactions, the ability to extract those
values is equivalent to being able to take any associated coins.

Additionally, the design allows for offline passphrase guessing attacks to be
run by anyone without having to directly attack any particular wallet. They
managed to re-invent brain wallets with a somewhat better (but still bad) KDF
- WarpWallet's better.

If the device is used, then left unattended, the coins can be taken. If it's
powered on, there's a reliable cold boot attack. If it's powered off, a
backdoor can be installed that will exfiltrate the salt and passphrase on next
use.

The original bounty offered was a sham - the sole "valid" attack vector was
extracting key material from a device that had been used once and then shipped
powered off (in most cases that I'm aware of, with a dead battery), and never
had the passphrase entered into it again.

It looks to me like there's no way to make these things secure without a full
product recall.

(I'm the researcher who wrote the tooling to automatically identify the salt
and passphrase given a memory dump.)

------
pejrich
I agree with McAfee here. Just because they accessed something they weren't
supposed to doesn't mean it was hacked. The system fails when someone gets
access to the coins, because that's what the system was designed to protect.
I'm not claiming McAfee is correct about anything else, or that the system
really is secure, but the point stands that a system designed to secure coins
can only be considered a failure if you manage to extract coins.

~~~
cybergibbon
It's a hardware wallet. It doesn't have any coins in it. It has private keys.

As the article says, the keys have been recovered from a Bitfi, allowing
access to the funds.

I am not sure what else you require for it to be called hacked.

~~~
pejrich
Then perhaps I'm naive about how all this works. But to me there's a
difference between accessing keys, and accessing funds. Are these the exact
keys, in the exact format, that someone could use to access the coins? For
example, if someone were to "hack" my site, and get access to hashed
passwords, this would be seen as a breach, and my system would be described as
insecure (which is fair), and it could cause issues for people, but getting a
hashed password is not the same as getting a plain text password. Are the keys
they recovered from the device the equivalent of a plain text password, or a
hashed password? Let's say I create a hardware wallet that stores 2 keys (123
and 456), and it uses those two keys to create a private key by doing stuff to
it. So 123 and 456 create the pk 132435. Of course this is a terrible system,
and not safe at all, but my point is, accessing 123 and 456 is not the same
as accessing the actual pk (132435).

~~~
ryan-c
I reversed the algorithm for going from salt and passphrase to private keys a
month ago.

[https://rya.nc/bitfi-wallet.html](https://rya.nc/bitfi-wallet.html)

That particular version of the code doesn't print the private key, but it can
be trivially modified to do so.

We demonstrated using the salt and passphrase to extract coins from wallets
without the hardware several weeks ago.
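
An added example (not the thread's or Bitfi's code, and not the algorithm ryan-c reversed) illustrating the two points in ryan-c's comments above: a wallet whose private key is derived deterministically from a salt and a passphrase gives the key to anyone who holds those two values, unlike a password hash, which only lets you verify a guess; and the cost of the KDF is what sets the price of offline passphrase guessing. `derive_key_fast` (one SHA-256) and `derive_key_slow` (scrypt with assumed parameters n=2**14, r=8, p=1) are hypothetical schemes written for this demonstration, and the salt and passphrase are constructed sample values. `bits_exhaustible` turns a measured per-guess cost into the number of passphrase bits an attacker with a given time budget could search, which is the number a defender needs to size a passphrase against the KDF.

```python
"""Toy deterministic wallet: private key = KDF(salt, passphrase).

Demonstrates (hypothetical schemes, not Bitfi's algorithm):
  1. knowing salt + passphrase regenerates the identical private key;
  2. a memory-hard KDF makes each offline guess far more expensive than a
     single hash, which is the only lever such a design has against guessing.
"""
import hashlib
import math
import time

# Order of the secp256k1 group; any integer in [1, N-1] is a valid private key.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def _to_private_key(digest: bytes) -> int:
    """Map a 32-byte digest onto the valid private-key range [1, N-1]."""
    return int.from_bytes(digest, "big") % (SECP256K1_N - 1) + 1


def derive_key_fast(salt: bytes, passphrase: bytes) -> int:
    """Hypothetical weak KDF: a single SHA-256 over salt || passphrase.
    Cheap to compute, therefore cheap to guess against offline."""
    return _to_private_key(hashlib.sha256(salt + passphrase).digest())


def derive_key_slow(salt: bytes, passphrase: bytes) -> int:
    """Hypothetical hardened KDF: scrypt with memory-hard parameters.
    n=2**14, r=8, p=1 (about 16 MiB per derivation) are assumed demo values."""
    digest = hashlib.scrypt(passphrase, salt=salt, n=2**14, r=8, p=1, dklen=32)
    return _to_private_key(digest)


def per_guess_seconds(kdf, salt: bytes, passphrase: bytes, rounds: int = 5) -> float:
    """Average wall-clock cost of one derivation with the given KDF."""
    start = time.perf_counter()
    for _ in range(rounds):
        kdf(salt, passphrase)
    return (time.perf_counter() - start) / rounds


def cost_ratio(salt: bytes, passphrase: bytes) -> float:
    """How many fast-KDF guesses fit in the time of one slow-KDF guess."""
    slow = per_guess_seconds(derive_key_slow, salt, passphrase)
    fast = per_guess_seconds(derive_key_fast, salt, passphrase)
    return slow / fast


def bits_exhaustible(seconds_per_guess: float, attacker_seconds: float,
                     parallel_guessers: int = 1) -> float:
    """Passphrase entropy (bits) an attacker could search exhaustively with
    `parallel_guessers` cores over `attacker_seconds`, given the KDF cost.
    A passphrase needs comfortably more bits than this number."""
    total_guesses = attacker_seconds * parallel_guessers / seconds_per_guess
    return math.log2(total_guesses)


if __name__ == "__main__":
    # Constructed sample values for the demonstration.
    salt = b"demo-salt-0001"
    passphrase = b"correct horse battery staple"

    # Point 1: the inputs fully determine the key; no hardware is needed.
    print("fast key reproduces:", derive_key_fast(salt, passphrase)
          == derive_key_fast(salt, passphrase))
    print("slow key reproduces:", derive_key_slow(salt, passphrase)
          == derive_key_slow(salt, passphrase))

    # Point 2: the per-guess cost is the whole defence against offline guessing.
    fast_cost = per_guess_seconds(derive_key_fast, salt, passphrase)
    slow_cost = per_guess_seconds(derive_key_slow, salt, passphrase)
    one_year_on_1000_cores = 365 * 24 * 3600
    print(f"fast KDF: {fast_cost:.2e} s/guess, "
          f"{bits_exhaustible(fast_cost, one_year_on_1000_cores, 1000):.1f} bits "
          "searchable by 1000 cores in a year")
    print(f"slow KDF: {slow_cost:.2e} s/guess, "
          f"{bits_exhaustible(slow_cost, one_year_on_1000_cores, 1000):.1f} bits "
          "searchable by 1000 cores in a year")
```

The two printed bit counts differ by roughly log2 of the cost ratio, which is the usual way to state what a slower KDF buys: a few tens of bits of extra effective passphrase strength, not a substitute for a high-entropy passphrase, and nothing at all if the salt and passphrase themselves can be read out of the device.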

------
benchaney
The article makes it super unclear whether or not you can steal the coins.
Somebody is obviously trying to muddy the water, but I can't tell if it is
McAfee or the researchers.

If it is McAfee, he is doing an excellent job, judging by the other comments
in this thread.

~~~
cybergibbon
"But the researchers say that the secret phrase and salt can be extracted,
allowing private keys to be generated and the funds stolen."

Not sure how much clearer it can be stated.

~~~
pejrich
I think it could be heaps clearer. To almost everyone outside of a small slice
of people in the world, there's a big difference between "The wallet was
hacked and funds were successfully removed from it", and "The wallet was
hacked and a key and salt were recovered".

Just because something CAN be done, that doesn't mean it's trivial. Someone's
PK "can" be guessed; it's just incredibly unlikely. So for people, like
myself, not 100% knowledgeable on this type of tech, if someone goes through
all the trouble to get the keys, but doesn't complete the final step of
actually removing coins, it looks like either for some reason they can't or
they are just completely naive and assuming everyone else knows exactly what
they've done.

------
jfaioif3
How can they consider it hacked if they couldn't steal the coins? That's
ridiculous.

~~~
oxide
I'm pretty sure access to the p keys and salt means you CAN steal the coins.
Simply send the stolen keys to your own wallet, and coins are stolen.