By Tim Copeland
8 min read
Bitfi Wallet is the world’s first unhackable device—or so it was branded by John McAfee, the tech entrepreneur behind McAfee Antivirus software. Except for one thing: it wasn’t.
When the claim was made, with an accompanying bounty program, cyber security experts were up in arms about how nothing is unhackable. Even McAfee himself said so in February, 2016. After the claims were proven wrong and Bitfi removed the “unhackable” slogan from its website, McAfee admitted the whole thing was just a marketing stunt.
It certainly did get a lot of attention, but perhaps at the expense of Bitfi’s reputation.
Now, Bitfi has brought out an upgraded version—the DMA-2—which supposedly solves these issues.
I thought I’d give the wallet a try and see if it comes close to its promises of “huge innovation” and Fort Knox-like security.
So, how did it rate under the cynical Decrypt eye?
The wallet arrives in a generic, nothing special, cardboard case with the logo imprinted on the front. On each side of the box, there is a piece of tape but these are not tamper-proof security —as the manufacturers are confident this version of the device can't be hacked, unlike the previous one.
Does this tape prove the device hasn't been tampered with? Photo Credit: Decrypt
Inside the box was the Bitfi device, which looks like a cheap Android phone, in a blue case featuring the Bitfi logo and the word “KNOX” on the front. On the inside of the case are two credit card-sized pockets and a larger one, which would fit little more than a few dollar bills. The device comes with a charging cable, a warranty and an instruction leaflet.
First, I needed to register my wallet online. Once I had signed up, I entered the 6-digit code that was on the hardware wallet, into the sign-in screen on my laptop. Then, I was asked to sign out, and back in, which just took a few seconds. All pretty reasonable and easy to do.
Next, it was time to set up the wallet: I clicked on the wallet ID and was taken to a dashboard. There, I was prompted to create a “salt,” which can be generated from any easy-to-remember information such as an email address, or a mobile phone number. It’s the equivalent of a username—and enables you to sign on on other devices, something we’ll come to in a moment.
The next bit was more tricky. I needed to create my own secret phrase. Usually secret phrases are calculated by the software you’re using, especially with software wallets. However, it is much safer to calculate your own one using a random method. In this case, the Bitfi wallet ships with a garden-variety die, in case you don’t have one already.
That was the start of an arduous process.
The device recommends a secret phrase with a minimum of seven words including special characters or nine words without any. A typical secret phrase for most hardware wallets is 12 words long. I went for 12 words, just to be on the safe side.
To create a 12-word secret phrase, you need to roll the die five times per word, so 60 times overall. Using this word list, you look up each five digit number and write down the associated word. I found this tedious so starting using the Ctrl-F search function which was much quicker—but probably a bad idea in case my laptop had been hacked, or had malware on it. Once you’ve compiled your secret phrase you need to enter—twice—into the Bitfi wallet.
Notice the Bitfi Knox Wallet comes with a die for randomness. Photo Credit: Decrypt
Despite it’s somewhat cheesy exterior, the Bitfi device is a reasonably functional bit of kit. It has a large touchscreen and performs basic actions. It does have one issue: Typing on the keyboard can be fiddly. It often entered the wrong letter more frequently than when I use my phone. While it just means pressing backspace and trying again, it can be frustrating.
Worse, though, on a wallet, it could have tragic consequences. If you happened to make the same spelling mistake on both entries, you would lose any money you put into the wallet. Granted, that’s pretty unlikely, and won’t happen if you exercise normal care. And there is a fail safe of sorts: If you make an error in just one of the entries, it won’t let you progress. You must do it again, which is a good feature.
The bigger usability problem however was actually using the wallet. I tried to simply look at my balance—and “simply” wasn’t part of the process. I had to enter both my salt and my secret phrase, which was tedious in the extreme, and unlike any other wallet I’ve used. Had I wanted to receive a transaction, I’d have to go through this entire process again. Most other wallets use a four-digit pin number, instead.
In fairness, this “extra security” does give the Bitfi wallet a unique feature: Because of the way the wallet works—it calculates a private key for your wallet every time you login—you can actually access your wallet from any other Bitfi wallet. In the instructions it says, “If you ever lose your device, you can simply order a new one (or use someone else’s) and operate it exactly the same as the one you have now, with the exact same secret phrase.”
Which sounds like a good idea, but it isn’t. As researchers proved, the first Bitfi wallet was hacked in various ways, such as with a man in the middle attack. This is when the device is compromised so it leaks entered information to the hacker. This means with the original version, if you use someone else’s device—especially if you order it second hand online—it could well be compromised. And while Bitfi claims that this wallet cannot be hacked—they were proved wrong last time, meaning it's probably best to not do this.
With this is mind, let’s try using the wallet.
A hardware wallet is primarily used to store cryptocurrencies, rather than for making transactions in everyday situations (see here for some ideas.) So, the main criteria here is optimizing the wallet to make and receive transactions.
First, I tried to send some Bitcoin to the device.
I entered the salt and the secret phrase on the device, and brought up the wallet address (instead of logging in online.) Then when the QR code popped up, I scanned it from a Coinbase wallet I had, and sent $2 of Bitcoin. This soon turned up in the wallet. So far, so good.
The Bitfi Knox Wallet resembles an Android phone. Photo Credit: Decrypt
Then I tried making a transaction. Hmmm. It looks like you can’t do this on the hardware wallet itself—it only shows receiving addresses, and doesn’t have a function to make payments.
That’s a bit strange. So, I went to the website, logged back in and made a transaction, sending Bitcoin out of the wallet. This has to be signed on via the Bitfi Knox wallet, which meant entering the salt and the secret phrase again. Once I’d done that, I signed the transaction and off it went.
All in all, it was a pretty pretty painful process. But Bitfi claims no pain, no gain. Indeed, it says its system offers two benefits. First, you don’t need a private key that must be kept safe somewhere. But then, you'll need to remember the entire secret phrase (which you’ll probably write down anyway.) Second, you can sign in on any device. Except that it isn't a good idea to use anyone else’s device—unless it’s straight from the manufacturer. Which means both purpoted advantages don't have any real benefit, making all this aggravation seem, well, pointless.
I’m not sure what the point of the Bitfi Knox wallet really is. In a way, it’s more like two factor authentication—where you use a second device to confirm that it’s you when you make a transaction. But instead of being fast and easy to use like Google Authenticator, it is a frustrating, slow experience. One that I would not want to go through, even if I’m only making a few transactions a month.
The Bifti Knox wallet is branded as a next-generation hardware wallet but it seems more like an early prototype. And the “Fort Knox” security has been shown to be a load of hot air. Yet, it does work, albeit slowly, and could be useful for people who want to regularly send cryptocurrency to their wallet—and not touch it. Perfect for the good old fashioned HODLer, I guess.
Get the best of Decrypt where you want it most.
Decrypt-a-cookie
This website or its third-party tools use cookies. Cookie policy By clicking the accept button, you agree to the use of cookies.