Android

‘Unhackable’ BitFi crypto wallet has been hacked
By John Biggs

The BitFi crypto wallet was supposed to be unhackable and none other than famous weirdo John McAfee claimed that the device – essentially an Android-based mini tablet – would withstand any attack. Spoiler alert: it couldn’t.

First, a bit of background. The $120 device launched at the beginning of this month to much fanfare. It consisted of a device that McAfee claimed contained no software or storage and was instead a standalone wallet similar to the Trezor. The website featured a bold claim by McAfee himself, one that would give a normal security researcher pause:

Further, the company offered a bug bounty that seems to be slowly being eroded by outside forces. They asked hackers to pull coins off of a specially prepared $10 wallet, a move that is uncommon in the world of bug bounties. They wrote:

We deposit coins into a Bitfi wallet
If you wish to participate in the bounty program, you will purchase a Bitfi wallet that is preloaded with coins for just an additional $10 (the reason for the charge is because we need to ensure serious inquiries only)
If you successfully extract the coins and empty the wallet, this would be considered a successful hack
You can then keep the coins and Bitfi will make a payment to you of $250,000
Please note that we grant anyone who participates in this bounty permission to use all possible attack vectors, including our servers, nodes, and our infrastructure

Hackers began attacking the device immediately, eventually hacking it to find the passphrase used to move crypto in and out of the wallet. In a detailed set of tweets, security researchers Andrew Tierney and Alan Woodward began finding holes by attacking the operating system itself. However, this did not match the bounty to the letter, claimed BitFi, even though they did not actually ship any bounty-ready devices.

Then, to add insult to injury, the company earned a Pwnies award at security conference Defcon. The award was given for worst vendor response. As hackers began dismantling the device, BitFi went on the defensive, consistently claiming that their device was secure. And the hackers had a field day. One hacker, 15-year-old Saleem Rashid, was able to play Doom on the device.

The hacks kept coming. McAfee, for his part, kept refusing to accept the hacks as genuine.

Unfortunately, the latest hack may have just fulfilled all of BitFi’s requirements. Rashid and Tierney have been able to pull cash out of the wallet by hacking the passphrase, a primary requirement for the bounty. “We have sent the seed and phrase from the device to another server, it just gets sent using netcat, nothing fancy,” Tierney said. “We believe all conditions have been met.”

The end state of this crypto mess? BitFi did what most hacked crypto companies do: double down on the threats. In a recently deleted Tweet they made it clear that they were not to be messed with:

The researchers, however, may still have the last laugh.

Google isn’t sure how to spell ‘Fortnite Battle Royale’
By Jordan Crook

The launch of Fortnite Battle Royale has left Google in a slight predicament. While Google is in no way hard up for cash, Fortnite Battle Royale for Android certainly represented the potential for a relatively big revenue stream for an app. That is, until Epic Games decided it would launch Fortnite for Android from its own website, circumventing the Play Store.

But revenue aside, there’s also the matter of Google probably not liking the idea of huge titles circumventing the Play Store as a precedent. Plus, the lack of Fortnite Battle Royale within the Play Store poses a slight security risk to users, as there are quite a few V-bucks scams and malicious clones looking to capitalize on the popularity of Fortnite.

That’s why the Google Play store now displays a message to users in response to searches for “Fortnite,” “Fortnite Battle Royale” and other similar search queries.

“Fortnite Battle Royal by Epic Games, Inc is not available on Google Play,” reads the message.

That’s right. Google misspelled the “Royale” in Battle Royale. It was likely an honest mistake, but given the fact that Epic Games is making upwards of $300 million in revenue a month, which Google is not getting a cut of, it makes for some fun back-and-forth for us spectators.

Google lists PUBG Mobile, Fortnite’s biggest competitor, at the top of all Fortnite Battle Royale queries, but doesn’t include anything in its message around how to actually find the real Fortnite Battle Royale for Android.

While Google Play’s app review process should catch the vast majority of malicious clones, the message is at least moderately helpful for folks hearing about the Android version of Battle Royale without knowing the details around Epic’s launcher.

For what it’s worth, Fortnite for Android isn’t yet available to everyone. The game launched yesterday as a Samsung exclusive for folks with a Galaxy S7 or higher, and will become available to all Android phone owners on August 12.

[via 9to5Google]