The developers of the Bitfi cryptocurrency wallet, which was endorsed by John McAfee and supposed to be 'unhackable', issued a threat to researchers who claimed to have hacked it. In a tweet that has since been deleted, Bitfi warned that "lies and deception you deliberately spread...can have consequences", and the researchers have now publicly responded.
After a relatively minor hack, which McAfee had shrugged off as meaningless, yesterday saw a major security breach by a team of researchers. This hack appeared to meet the conditions for Bitfi's promised $10k bug bounty, but the developers were not willing to accept it as valid.
Through Twitter, Bitfi responded confrontationally to the news, with this latest tweet suggesting that the researchers should be aware of "who you picked fight with" (sic).
I haven’t really been following this Bitfi nonsense, but I do so love when companies threaten security researchers. pic.twitter.com/McyBGqM3bt— Matthew Green (@matthew_d_green) August 6, 2018
Undeterred by this, the researchers issued a statement criticizing Bitfi's constant redefinition of what 'unhackable' means. They claimed that "the bounty is a strawman, designed to allow Bitfi to claim they haven't been hacked... In reality, the bounty only covers a single attack: sending your wallet (which has a strong seed and phrase) via UPS (taking several days) to an attacker. This doesn't emulate the real world".
They claimed that in the course of their research into Bitfi's vulnerabilities, they had "been able to...Root a wallet...Intercept all SSL communications between the wallet and servers...Sign a Bitcoin transaction under these conditions...Sniff the user's phrase and seed and send it to another machine under these conditions".
Observers on Twitter were shocked by the attitude of Bitfi towards the community, and some pointed out that perhaps it was Bitfi and not the researchers that needed to tread lightly.
Companies talking like this are immature and need customer service skills. They need to display professionalism. Just because this is crypto does not mean they can talk like that. Imagine apple or amazon customer services speaking like this. I would not buy!— CryptoGuy 🚀⏳🌒⚡ (@CryptoGuy10) August 9, 2018
😂🤣 I don't think THEY realize who THEY are messing with. BitFi threw down the gauntlet at the entire white hat hacker/infosec community with a device that has zero protection against MitM vectors. They picked this fight they were completely ill prepared for and got reckt.— BTC Batman [UASF!] (@TheShadowBanman) August 7, 2018