articleStartImage

The BitFi crypto wallet has been successfully rooted by a teenage hacker. 15-year-old Saleem Rashid was able to get the video game classic Doom running on the device, but ultimately did not manage to extract any coins from the wallet.

In a video on Twitter, the self-proclaimed “bitcoin hardware wallet breaker” used the BitFi touch screen to navigate a short segment of the cult 1993 Id Software video game Doom. In the video, the device is visibly disassembled, with its back panel missing.

Rashid’s successful rooting attempt comes weeks after John McAfee proclaimed the device to be the first “unhackable” cryptocurrencies wallet on the market, and offered $100,000 to the first person who manages to breach the wallet’s security measures. Later BitFi, the company behind the wallet, turned McAfee’s offer into a bounty program and raised the reward to $250,000.

https://twitter.com/AbeSnowman/status/1027377982497861632

The “Unhackable” Crypto Wallet

The BitFi device differs from traditional crypto wallets as it provides a hardware portal to the user’s cloud-connected wallet. The device does not store any personal information – including cryptocurrencies or private keys. Theoretically, stolen devices can be replaced immediately by users, without suffering any financial losses. This has led BitFi and John McAfee to proclaim the device as the “safest crypto wallet”.

McAfee himself responded to Rashid’s video, but pointed out the device was not indeed hacked, as Rashid was unable to extract the coins from the wallet. Still, while not a true hack in nature, the rooting of the BitFi wallet can prove to be an important security risk. According to “Abe Snowman”, the Twitter user from who posted the video, explained how installing a game on the device proves major vulnerabilities, such as “read and write from storage and RAM” and “install and execute arbitrary code”. 

Although Rashid was unable to extract any of the Bitcoin worth $10, those vulnerabilities could potentially allow hackers to install keylogging malware on the device capable of recording and transmitting the private key of the cloud-based wallet. Whether this would require physical access to the device or would be achievable remotely is unknown.

Rashid has previously exposed vulnerabilities in other hardware cryptocurrency wallets, such as Ledger. According to Abe Snowman, the teenager plans to share the details of the attack and the methodology used, once the “work has completed”.