Following weeks of dispute on Twitter, Bitfi finally admits what people in the security industry thought from the first moment they heard about the “unhackable” hardware wallet: probably not.
Backed by John McAfee, the Bitfi Wallet is a hardware device for safekeeping cryptocurrency, marketed until recently as “the world’s first and only unhackable storage for digital assets.”
In support of the incredible claim, the company offered a $250,000 bounty to anyone who could empty the wallet using “all attack vectors.”
In a long list of tweets at the beginning of August, Andrew Tierney of Pen Test Partners pointed out the many flaws in the device, starting with the hardware components, and moving on to the operating system.
Other hackers joined in and began to toy with the wallet, posting their achievements online: reverse engineering, a John McAfee video playing on the device, a 15-year-old playing DOOM on it, basically bending it to their will.
Still, Bitfi stuck to its story and refused to accept reality, even when it was awarded a Pwnie (a Razzie of the infosec community) for mishandling a security vulnerability “most spectacularly.” The final nail in the coffin of the “unhackable” claim is a new attack security researchers demonstrated today on an unmodified Bitfi cryptocurrency hardware wallet.
In a video released on Twitter, Saleem Rashid, the 15-year-old using Bitfi to play DOOM, shows how readily the unhackable wallet gives up the user-generated phrase and its “salt” value – the two elements required to generate the private key that protects the money.
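The point of the disclosure is that a wallet of this design holds no secret beyond the phrase and the salt: the private key is derived deterministically from those two inputs, so anyone who can read both back from the device can re-run the derivation and obtain the same key. The following added example (not code from the article, from Bitfi, or from the researchers) models that property. It assumes a PBKDF2-HMAC-SHA256 derivation as a stand-in, since the article does not say which key derivation function Bitfi uses, and the phrase and salt values are constructed sample strings.

```python
import hashlib
import hmac

# Constructed sample inputs: not real user data and not Bitfi's actual parameters.
PHRASE = "example phrase chosen by the user"
SALT = "example-salt-value"


def derive_private_key(phrase: str, salt: str, iterations: int = 100_000) -> bytes:
    """Deterministically derive a 32-byte key from a user phrase and salt.

    PBKDF2-HMAC-SHA256 is an assumed stand-in for whatever KDF the wallet
    really uses. The property that matters for the article's point is
    determinism: the same (phrase, salt) pair always yields the same key,
    so no other secret material needs to exist on the device.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        phrase.encode("utf-8"),
        salt.encode("utf-8"),
        iterations,
        dklen=32,
    )


def key_recoverable_from(leaked_phrase: str, leaked_salt: str, wallet_key: bytes) -> bool:
    """Model the impact of the disclosure.

    If both inputs can be read back from the device, re-running the
    derivation reproduces the wallet key exactly. A wrong or missing salt
    produces an unrelated key, which is why both values matter.
    """
    candidate = derive_private_key(leaked_phrase, leaked_salt)
    # Constant-time comparison: avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, wallet_key)


if __name__ == "__main__":
    key = derive_private_key(PHRASE, SALT)
    print("wallet key:", key.hex())
    print("recoverable from leaked phrase+salt:", key_recoverable_from(PHRASE, SALT, key))
    print("recoverable with wrong salt:", key_recoverable_from(PHRASE, "wrong-salt", key))
```

The defensive lesson is that the derivation inputs are the key: a device that keeps the phrase and salt in readable memory after use has nothing left to protect, so the design question is how long those inputs live on the device and whether they are wiped once the key has been derived and used.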