Is everybody ready for this? So like I said, I said I'd be dressed as a clown. I'm not dressed as a clown. I'm dressed as Pikachu kind of, some kind of fucked up Pikachu. Now I'm gonna use the word fuck a lot in this. So if you're offended by the word fuck, probably best to leave the room. I'll try to keep it to the minimum, but that's probably quite high level.

I'd imagine most of you here know what Bitfi is. So this is a Bitfi thing. I don't really know what you should call it. It's a device. It's not the wallet, but there's one there. We've got one that's broken, one that's working, but the claim that Bitfi said was it was unhackable. They said the device was completely unhackable.

Now to work out why they said it's unhackable, we've got to go into cryptocurrencies a bit. So the way that cryptocurrencies work is you've got a private/public key pair. You deposit funds onto the public key and you need to use the private key to spend those funds. It's pretty simple. Now the problem is if someone gets hold of your private key, they take your private key, they can steal your funds. So protecting that private key is important.

So what people started doing at first is they started moving their keys onto USB sticks. So the key wasn't always stored on your laptop. Now that kind of works. It had some protection, but the problem is you have to move that key back to the laptop to sign. When you do that, if your laptop's compromised, you'll lose your key. You've lost your funds.

Now the next problem, people, they invented things called wallets and those wallets, they're a black box that holds your key. So they store the key inside. The key never has to leave. The idea is you send a transaction through to the wallet and it will sign it. Now the problem there is if someone steals your wallet, they can still send a transaction to it and sign it. So to combat this, what they did was they added PIN numbers to the wallet. So you can type a PIN number in to protect that key.
So Ledger, Trezor, you'll type a PIN number in before you can use that key. Again, this is added protection. Things are getting better and better.

So the next stage what people do is they said, well, what happens instead of saying send one bitcoin to Cybergibbons, what happens if I say send 100 bitcoins to McAfee. The device, you don't know what it's signing. You can't tell what it's signing. So they added displays to them. So it will say the transaction you're trying to carry out.

Next problem, if I ask someone to generate a password, they'll make a bad password. So instead of letting users choose passwords, what they do is they use a random number generator that's inside the device and that will generate the password for you. So it becomes unpredictable. So we've got these four things that normal hardware wallets do.

Bitfi's different though. Bitfi's very different. Do we actually have anyone from Bitfi here? They're maybe not admitting it then, we'll see. So what Bitfi does is the user has the key. The user has a seed and a phrase and every time they want to do a transaction, they'll type it into the device. It will then sign that transaction and send it. Now most people would call this a brain wallet. It's stored in your brain. So their kind of thing was your private keys are never stored anywhere except your brain. Now to me, this sounds like bullshit. That has got to be typed into the device. There's no way that key doesn't also exist on the device.

So they set up this bounty. This is what got us really interested. It was actually my colleague at the back there who I'm not going to name because I don't know what his name is. Dave? G? Whatever. Ali G. Let's go for that. Now this bounty, it said that they deposit the coins onto a Bitfi. Then they give you the Bitfi. They'll send a Bitfi to you and you have to recover the keys from that device. Now this kind of sounds like a rigged fairground game to me.
The bounty here, it's only going to cover one very, very specific attack which is just attacking the device they've sent you. They made this really weird statement. The bounty program is not intended to help Bitfi identify security vulnerabilities since we already claim that our security is absolute. So they're saying their device cannot be hacked. So what's the point in setting up a bounty program if your device can't be hacked?

So what they actually mean by unhackable is it's not vulnerable to one very, very specific attack. Them sending you a device that they've put a seed and phrase on, probably turned the power off, sent it to you for days in the post and then you've tried to recover the funds off that. So what we're looking at here is a rigged cold boot attack versus evil maid. If I can backdoor your device, that's a much more powerful attack.

Now everything I'm going to talk about here, it wasn't me. I'm just a dick on the internet, to be honest. Most other people did the work here. So I'm presenting other people's work. So we have got the team. Oddly we got known as THCMKACGASSCO, which is the hacker collective mistakenly known as Cybergibbons and somehow sometimes called OverSoft. The media actually took this and ran with it. They started calling us THCMKACGASSCO in stories. It was mainly made up of me, a couple of colleagues who don't want to be named. Spudowiar, who's somewhere between the age of four and 16 depending on who you speak to. OverSoft, Ryan Castellucci who may well be here, I'm not sure, but lots and lots of different people.

Now the claims that Bitfi made, now you all know John McAfee, yeah? Yeah? The inventor of cybersecurity? Well, he was involved with the marketing of this product and the first thing he does is he says there is no memory to hack in this device. No data. All of your money is stored in a memorable phrase of your choice in your head. There's no memory to hack. So we got the Bitfi.
That chip, the one that says 4C in big letters is an eMMC flash memory chip. So we kind of challenged him on this and he says there is no RAM. There is no RAM on the device. That says LPDDR3, which is low-power DDR RAM. That's RAM. It's not looking good here, is it really?

The Bitfi wallet is only 120 US dollars. As a computing device, it's much more costly to manufacture than ordinary hardware wallets. It's a shitty MediaTek phone. There's nothing to it. You can buy these devices on AliExpress for 30 bucks. There's nothing to it.

We call it a phone. It's absolutely not a cell phone or anything, even resembling a cell phone. All cell phones are hackable. That fucking looks like a phone to me. There was some kind of corroborating evidence here, though. Yeah, SIM1. Subscriber identity module maybe? I don't know. This isn't my specialist subject, to be honest. There's their website. The image on their own site. Smartphone-1.PNG. Fucking hell.

Key functions. Now this is from the FCC documentation. If you sell a device in the US that transmits Wi-Fi, cellular, you have to get it FCC certified. But we were quite surprised they actually went to this extent. It's fairly common. We've actually managed to get, was it a Bluetooth cock ring, I think, withdrawn from the market because it didn't have FCC certification. But anyway, that's another story for another time. But the FCC certification calls it a phone. I'm fairly sure that McAfee is wrong here.

Now people are asking, can't someone just look over your shoulder and see what phrase they are typing? No, no, no. The Bitfi wallet has a screen with an extremely narrow viewing angle. Try it. No one would be able to see anything. Again, I'm not an expert in angles or anything like that. That looks not narrow to me. You can read my phrase off that. It got better though. So some guy who I think was kind of a bit of a shill posted this image saying that you can't read the key off the screen.
So what we did was we enhanced the contrast and reduced the brightness slightly. And thanks to Ryan's help, we wrote a little script that allowed us to convert that. And what we found out was that the passphrase was in fact, why is Dan so crazy about Monero? And the seed was test70 at bitfi.com. So we reconstructed that key from someone posting an image on the internet proving the point that it had a narrow viewing angle. We are quite kind about the way we demonstrated this. We stole his money. We transferred it to another account and paid the transaction fees though because we're nice people fundamentally.

The best thing was another one of these kind of guys, he kept on pimping it on Twitter. He said, but in this case, thanks to imagery editing software or techniques such as techniques required to read Poison's passphrase, it would be possible to attain his phrase. Without changing brightness contrast, his funds would have been safe. These are advanced tools. You thought the NSA had good stuff? I've got Paint.

So we're going to move on to the actual hacks. Now, the first thing that seemed weird was, I don't know if Elliot, whose name I've forgotten is here either. He got his and what he noticed was the serial number that's printed in the back of the case differed to the serial number that was on the box that he received. Now, this isn't great for something where supply chain tampering could be a problem. In fact, it's quite a big problem that it might have been tampered with. They didn't really have a particularly good response to that to be honest. I didn't really have a particularly good response to any of this.

The first attack we came up with was really simple. The digitizer, the thing on the screen that detects where your finger goes is I2C, a serial protocol. And it's unencrypted and exposed. So I could take a Bitfi and I can attach to the I2C bus and sniff the key presses. It's exposed. So you can see the ribbon there where it's got those on.
It's even labeled them for me. So you could definitely fit that in this case. There's a lot of room. It's not a very advanced attack.

The next thing we wanted to do was root it. Now, I'd imagine a few people in this room have worked with MediaTek phones before and they kind of got this reputation for being really, really easy to root. First thing we do is we use their own tool to pull the flash memory out through USB. That gives us access to all of the partitions, which is pretty easy. The data partition was actually encrypted, which was unexpected. So we had to root it by modifying the ramdisk and at which point we had root on that device.

What we then did was took a memory dump off my device. So I had made a transaction, sent the memory dump to Ryan, and he wrote a little script that pulled out potential candidates. And you can see there, one, one, one, two, two, two, two. That's my seed and phrase. So he could now steal my funds.

Now, at this stage, Bitfi had already been kicking off a bit and we won a Pwnie. So this was last year. Well, I'd say we won a Pwnie. Bitfi won a Pwnie. But I think it might have been a bit more to do with us. So we got this little gold Pwnie, which is great.

It got better though. We had root. And so what we decided to do was the typical thing, play Doom on it. So this is, this is, this is Saleem, spudowiar, who's, who's doing this. We posted this to prove we've rooted the device. Bitfi said that this wasn't a problem. You might have noticed right at the beginning of that. There were some wires taped onto the back and the back was open. You don't need to do that. We were just using it to distract from the fact that it was so easy to root.

Now the thing was, they said you could purchase it from any source. Now, Trezor and Ledger, the supply chain tampering issue, if someone intercepts the Trezor or the Ledger and puts their own firmware, changes the hardware, this is a problem. These guys were claiming that it wasn't a problem.
So someone couldn't man-in-the-middle the hardware. They said it wouldn't work because each device has a specific digital signature. And they were so confident about this. They actually started another bounty.

So I got a Bitfi. I rooted it. And there you can see the two different processes running. The Nox Admin one that does the bulk of the firmware stuff and the Rokitz one that does the actual wallet. I can see it establishing connection out there. I put my certificate on the device and I could intercept all the requests coming to and from the device. So now when it asks me to sign and pay as an attacker, I've got the ability to send arbitrary transactions to a device. Like a man in the middle of them. So this digital signature thing, it's crap. It doesn't exist.

The next attack was, after we'd rooted it, what we realized was on Android it's really easy to find the coordinates where you touch the screen. So you can just read out the I2C, the coordinates where it's coming from the digitizer. So I wrote a little script to deal with this. And what that does, you type in the seed and phrase. And if we skip a bit because it's a bit slow, no, can't work out to do that. We do that. It harvests those events and it sends them through to a remote computer. So now again we've got the seed and passphrase. It wasn't a particularly advanced attack. But we've made a transaction with the man-in-the-middle Bitfi. We recovered the seed and phrase. It's done.

Saleem of course is about 80 times more hardcore than me and he made a much better attack. He made it so that it automatically sent it. There was none of this messing about the coordinates. He recovered it from memory. It was much more effective. We pretty much demonstrated that evil maid was a real problem. We told them and they cancelled the bounty. So once we got the bounty they said the bounty wasn't there anymore. Up until this point they hadn't admitted the keys were ever in RAM.
And then in the direct message exchange they did actually say the keys do stay in RAM for a brief period of time. So someone can extract that memory. They can get them.

This is kind of what a Bitfi looks like. You've got USB going into the microcontroller. You've got the keys which will be stored in DDR RAM at some point. Now they've made an assumption. They said we think that if the guy was able to retrieve the private key from the device or something like that it would have to be done on a rooted device. But if you root a device you have to restart it and it wipes the RAM clean. Now we're hackers. When you restart it it wipes the RAM clean. Now Ryan who I've just spotted said much of hacking is about understanding systems better than those who built them and using that knowledge to do what is supposed to be impossible. So they'd assumed because we rebooted the device there'd be no way to pull those keys from RAM. They were wrong.

Once again Saleem he wrote an app and this was incredible. It was an Android app. So we've got an unmodified Bitfi there. He's typing is don't be too salty and my very, very salty tears or whatever it is as his salt and phrase. Once he's done that, oh there's no sound. Oh okay it doesn't matter. It processes that request. So it sent that transaction. Success. He's now going to power off the device. So he's proving it's not modified like a magician. Plugs in USB, reboots the device. The attacking device then roots it after it's rebooted, scans the memory and within a few seconds it's recovered the key.

Now this is a complete break of the device. Not only is evil maid a problem but cold boot is also a problem. It's not better than storing it on a USB stick to be honest.

Then it gets fun. That's a technical bit. Now the fun starts. It's their response. No one gas a ramen penny from the wallet. All these hat claims are meaningless. No one came close to taking the coins from it. Gas the ramen! It took a bit of a dark turn.
So McAfee was denying it and then Bitfi tweeted this out. This is my last tweet as my shift is ending but did you guys ever bother to look into who you picked to fight with and the resources these people have? Not wise. Remember the lies and deception you deliberately spread about Bitfi can have consequences. That's quite a threatening tweet in the general scheme of things. I mean it's, I'd rather get that than the dick pic but when it comes down to it, well, now they claimed that it was actually to do with this.

Now we modified their logo somewhat. My colleague over there is a genius at stuff like this. I couldn't have done it so good. That was my avatar for a while. It did appear to irritate Bitfi quite a bit. I guess that was the point.

They also came out with some other brilliant stuff. We also think it's rather disappointing that a lot of media picked up on claims made by some person hiding behind a picture of a cat. Now we're not quite sure if they're actually talking about Daniel Gallagher who is also part of the team or me. I mean, I kind of look like a cat with the hood up a bit I guess but I don't really know. Very strange. And if you look at that guy who's been posting all this, Cybergibbons, the guy posts something every two seconds, 24 hours a day like he doesn't sleep or something. No, I don't. If somebody had a real job in cybersecurity they wouldn't have so much time to spend on Twitter. It might have a point.

Now here's a smart dude making some sense around here. The yellow cat took too much acid and lost it. Now this was an account that was shilling for Bitfi on Twitter. Now an interesting thing that we noticed is that when you try and recover a password on Twitter, it leaks some information. So it leaks the last two digits of the phone number and it leaks the first two letters of the first part of the email and the last bit as well.
Now bitfi.com is five characters dot com and Daniel Khesin, the CEO or something of Bitfi would fit in that first bit there. You can also note that down the bottom there, Love Crypto as well, 58. This was clearly linked to Bitfi.

McAfee really got involved at this point. Am I a wannabe? I fucking invented cyber security. Get your fucking facts right. I mean he wasn't being about for a while. I can't remember who made this but they sent it to me. I just love it.

He put a challenge out to me. Okay. I have 20 million on my Bitfi. I will pay your way to the states, put you up at my house for as long as you need. If I give you a wallet. So he was putting this challenge down. 20 million. If I went to the states and attacked his wallet to get those 20 million in coins.

Now I don't know if you know McAfee. I don't know if you follow him on Twitter. But about the same time, serious dudes on a serious mission just received an order of one off M4s. That's his house. He's got guns. Really serious guns. He also hasn't been sober for 41 years. So he's invited me into his house with big guns and he hasn't been sober for 41 years. I mean it's already sounding bad. Anti-virus inventor John McAfee went on a naked shooting spree because the Belize government wants to assassinate him. He was in the middle of having sex with his wife when the dog started barking. He shot holes in the ceiling. I don't think it's really worth 20 million to be honest.

He then got a bit threatening on DM. Your career is finished. You'll be the laughing stock of the world. You lost dude. Go hide under a rock. He keeps on going with this and then he sends me this weird link. Now I don't know if you've heard of Clone Zone. It's like this website. It used to be able to take the New York Times and various websites, clone it and you could modify it and then you know make spoof articles about other people. So he made it. Well I don't know if he made it. Someone made this one about me. Andrew Tierney, that's me.
Okay, so I've given to me. Cyber security professional, cyber pervert enthusiast. This whole story is about how I'm some kind of like Pikachu pervert. But it had this absolutely brilliant phrase in it. Smash my Jigglypuff. I still haven't actually found my Jigglypuff.

So 11 months later, we thought it all died down. We didn't really think that much was going to happen. But Daniel Khesin came along and set up his own Twitter account and he started getting a bit responsive. Your tweets are boring and annoying. You keep trying to prove to the world that Bitfi is not perfect. Everyone knows it's not perfect and we're not saying it's perfect. Now the thing was they still haven't informed the customers that they have these problems with their device. They haven't told them about the evil maid, the cold boot. They haven't allowed their customers to adjust to the change in the threat landscape.

This tweet is brilliant. They're not in RAM. They are in RAM for much less than a second making extraction impossible. Now we all work in security. We know things aren't binary like that. Some things are hard. Some things are easy. Things are very, very rarely impossible. It's the bit at the bottom though. How many innocent people's lives have you put at risk with your clown act? I mean I think it's a bit unfair calling me a clown but I'm just thinking what I'm doing right now stood on this stage and yeah, maybe I am.

Even more threatening stuff. When the marketing machine turns on and the media is covering all this, your incompetence, arrogance, ill intent towards others, manipulation, irresponsible security practices, an endless list of epic disasters will be fully revealed to the world. I mean, come on it's just a vulnerability.

This is epic. We aren't doing the testing so they were claiming that they were getting a third party in to test. I don't know if they are. I've got no way of telling if anything they say is true but they aren't doing the testing.
They're saying that Cellebrite are doing the testing. Now I've got a lot of respect for Cellebrite. They do some very impressive stuff but it's a bold claim to say that on the internet and then the VP of research at Cellebrite comes along and says they did contact us with a request which we declined. Muppets.

Now just to kind of actually give some kudos to them and they said they were going to open source the code. This is so hot. They said they were going to open source the code. And they did actually allow access to the code. Now to get access to it you've got to download a binary and do some crazy stuff and send them a key and eventually you get access to this tool and you get access to the source code. Now we were kind of expecting some things to have changed since last year. Not really.

Now it's important to note that if you ever want to wipe keys from memory in a device simply overwriting them with zeros is really not enough. I mean this is really bad. This is not the kind of code. This is the sort of thing you do when you're 17 and messing about. It's really bad. It's not going to wipe keys from memory.

Important thing to note about the way that Bitfi works is it's running on an Android device so you've got the bare metal on the outside. You've got the Android OS within that. Then you've got the Android ART inside of that but it's also Mono. It's C# so it's got another layer of indirection and finally you've got the Bitfi application within that. So we're talking a lot of different layers where things can go wrong. If you wipe memory within Mono it's not going to wipe it all the way up the stack. C# and Mono use garbage collection. So if you put something on the heap you've actually got no idea where it's going to stay on the heap. Things can move about. This is why we could originally recover the keys.

Now they've come up with this really interesting way of obfuscating the keys. So previously they were stored simply as ASCII bytes I believe.
I think that was how it was. So now what they do to combat us scraping the memory for ASCII bytes. Those long Base64-encoded strings are PNGs of the characters. So it's a PNG of the letter A. So rather than have one byte that represents the letter A you've now got about 60 bytes that represent the letter A. Now our cold boot attack sometimes failed. Sometimes the memory would degrade somewhat. You'd lose a bit of that memory and you have to guess the remaining characters. With this scheme loads of that can degrade and you're still able to recover the data. Which we did quite easily. We lost one character from that. You can see that the second byte in the salt there is set to zero. That has actually been successfully wiped. It's quite bad.

So a guy called Ben Tasker did a code review. A really, really in-depth code review is way too much for me to cover here. He went through a memory dump and he can recover what my salt and phrase are from that. So you can see we've lost that letter E in one location in memory. That's it. That's how ineffective it is.

Just looking at the rest of the code quality as well. This is the SSL validator. So it makes a connection out using SSL to their servers. Now you've got to check that that connection is valid. And you can see there it says starts with www.bitfi.com. If you've ever done code review I can register www.bitfi.com.cybergibbons.com and I can intercept SSL communications to these devices. This code is garbage. It's really bad. We haven't even gone into the other parts of it that to sign Bitcoin transactions, sign Apollo transactions, they've just imported arbitrary third party libraries that don't take account of this.

So we got a Pwnie last year which Ryan collected, which was absolutely awesome. But we also got a Pwnie this year. So I think this is the first time that we've managed it. One product's got a Pwnie twice for the same thing. So Lamest Vendor on both of them.
The thing I most like about getting the Pwnie is this though. That's Charlie Miller. Look at his face.

Now kind of getting a bit into more how we'd fix this. Now they always say the keys are never stored in RAM. That's a very different thing to saying the keys are stored in RAM for a very, very short period of time. Now in reality the bottom part is what's happening. But if you threat model for that top bit, assuming the keys are never in RAM, you're not going to be truthful to your customers. There will always be a way to recover those keys from RAM, whatever it is. So they need to communicate this to their users. They need to say this device is broken.

So can it be fixed? Well maybe. Could we improve the existing hardware? Well, yeah, if it had secure boot, if they locked the boot loader so the USB just couldn't pull it out, if they cut the USB data lines, which I know was recommended to them, and if they made it take longer than two minutes to root it, it might be a little bit more secure.

Could they improve the software? Well, yeah, if they stripped down Android a little bit, it was running a browser, an alarm clock, you know, the standard Android stuff in the background. So there was always attack surface they had that was unnecessary. If you get closer to the metal, if you look at Ledger and Trezor, they're running on microcontrollers using custom code. It's much easier to validate that. Secure development practices would be a good thing to do. And also just fucking test the thing. It took a kid, like Saleem is not, he's not had the world experience. He's not spent hundreds of hours working these things. It took him probably three or four days to go from nothing to a fully working cold boot attack. That's really quite extreme.

If they're going with new hardware, well, we'd suggest they use a microcontroller, secure element, minimize the OS and things like that. But I think fundamentally the thing with Bitfi is they need new people.
They've abused the trust of their customers. You know, this device is not secure. It never has been secure for the last 11 months as far as we're aware, nothing's changed. Now, they could demonstrate they've changed. They could get someone to pen test it. I'm not fucking doing it. But they are going to be here tomorrow, they say. So I'm not sure if they're going to be here or over in the hardware hacking village. So I'd suggest maybe if someone could be bothered to take a look at themselves. We can certainly give you some guidelines on how to root it, how to recover stuff from the memory. The results might be interesting.

Anyway, that's the end of the talk. You're all staring at me. If anyone's got any questions, please ask. Oh, hi, Ryan. Oh, yeah, yeah, yeah. OK. So yeah, if you just want another amusing story, they did send us a bounty device eventually. It took a lot of convincing. And when they sent us a bounty device, we rooted it. And we found that Daniel Khesin's SSID and PSK for his home Wi-Fi were stored in the device and left in the device. So we provisioned it at home, put the funds onto it, and left them in there, which allowed us to geolocate his house. Good opsec.

There's a million funny things that happened that I've probably completely forgotten about. It was good fun. Anything else from anybody? Am I going to get jumped on the way out by Bitfi? Hope so. Thank you, people.
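
Added example, not part of the talk and not Bitfi's code (which is C# and is not shown on this page): the "starts with www.bitfi.com" check described in the SSL validator passage, next to an exact, label-by-label match against the certificate's subjectAltName entries. The function names and the sample certificate dictionaries are constructed for illustration; the dictionaries follow the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
"""Prefix match versus exact match when validating a TLS peer name."""
import ssl

EXPECTED_HOST = "www.bitfi.com"  # host name quoted in the talk


def prefix_check(peer_name: str) -> bool:
    """The flawed logic as described: accept any name that starts with the host."""
    return peer_name.startswith(EXPECTED_HOST)


def _normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry one trailing root dot."""
    name = name.strip().lower()
    return name[:-1] if name.endswith(".") else name


def _matches(pattern: str, host: str) -> bool:
    """Label-by-label comparison; '*' is honoured only as the whole left-most
    label and only when at least two further labels follow it."""
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*" and len(p_labels) >= 3:
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_covers_host(cert: dict, expected: str = EXPECTED_HOST) -> bool:
    """True only if a DNS subjectAltName in the certificate names `expected`."""
    host = _normalize(expected)
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(_matches(_normalize(n), host) for n in dns_names)


def make_client_context() -> ssl.SSLContext:
    """Preferred in practice: let the TLS library do chain and name checks.
    The default context already sets both options; they are set explicitly
    here so a later change cannot silently turn them off."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


# Constructed samples in getpeercert() shape; these are not real certificates.
GENUINE = {"subjectAltName": (("DNS", "www.bitfi.com"), ("DNS", "bitfi.com"))}
LOOKALIKE = {"subjectAltName": (("DNS", "www.bitfi.com.cybergibbons.com"),)}
WILDCARD = {"subjectAltName": (("DNS", "*.bitfi.com"),)}

if __name__ == "__main__":
    lookalike_name = LOOKALIKE["subjectAltName"][0][1]
    print("prefix check accepts lookalike:", prefix_check(lookalike_name))
    for label, cert in (("genuine", GENUINE), ("lookalike", LOOKALIKE),
                        ("wildcard", WILDCARD)):
        print(f"exact match accepts {label}:", cert_covers_host(cert))
```

A name check like this only means something after the certificate chain has been validated against trusted roots, which is what the context from `make_client_context()` enforces during the handshake.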