
Hacker plays ‘Doom’ on John McAfee’s ‘unhackable’ BitFi Bitcoin wallet

A 15-year-old bedroom hacker has managed to get classic first-person shooter Doom running on the allegedly “unhackable” BitFi crypto-wallet touted by tech-evangelist and paid promoter John McAfee. Although the Bitcoins that the wallet gives access to still appear unaffected by the hack, it doesn’t bode well for the device, which some have described as little more than a modified Android phone.

BitFi is a cryptocurrency device that is designed to provide a hardware portal to a cloud-connected wallet. Bitcoins and other altcoins aren’t stored on the device itself, but it does facilitate transactions. Although it has drawn some interest from security professionals and crypto-enthusiasts, it garnered most of its attention through affiliation with tech personality, John McAfee, who claimed it was unhackable. He also placed a bounty on it, offering $250,000 to anyone who could hack the device and steal Bitcoin from the cloud-connected wallet.

Within weeks, several hacks of the device had been completed, leading to people modifying its boot screen. Now, a self-described “adversarial thinker” has rooted it completely. Saleem Rashid was able to get Doom running on the BitFi wallet without much difficulty. He has previously shown how it’s possible to extract sensitive information from other hardware wallets, like Trezor.

In recognition of @Bitfi6 and @officialmcafee and their prestigious @PwnieAwards accolades, we'd like to show you @spudowiar playing DooM on his #BitFi secure wallet! Congratulations! pic.twitter.com/50qZZu1MnF

— ☃️ (Parody – not an actual snowman) (@AbeSnowman) August 9, 2018

Although John McAfee has been keen to point out that such hacks do not qualify for the quarter-million-dollar reward, as they have not extracted the coins from the attached cloud wallet, this rooted hack is just the beginning. As “Abe Snowman” alludes to in the replies to the above tweet, there are reasons that security researchers are heading down this path of cracking the device.

The press claiming the BitFi wallet has been hacked. Utter nonsense. The wallet is hacked when someone gets the coins. No-one got any coins. Gaining root access in an attempt to get the coins is not a hack. It's a failed attempt. All these alleged "hacks" did not get the coins.

— John McAfee (@officialmcafee) August 3, 2018

BitFi itself continues to defend the unhackable nature of its device, though it has made some statements to distance itself from McAfee, as PenTestPartners highlights. It also recently fired its social media coordinator after a series of defamatory tweets, which hasn’t left the company in good standing. Indeed, such actions have landed BitFi with a nomination for the “Lamest Vendor” of the year in the Pwnie Awards, which is quite an achievement in itself.

Although the BitFi hasn’t been demonstrably hacked to the point of releasing its bounty Bitcoins, the speed with which the supposedly unhackable and “storage-free” (it actually does have storage) wallet was hacked doesn’t bode well for its future.

Jon Martindale
Jon Martindale is the Evergreen Coordinator for Computing, overseeing a team of writers addressing all the latest how to…