With only 15 years he managed to violate the BitFi portfolio!

A 15-year-old British youth, Saleem Rashid, managed to hack and breach the security of the BitFi wallet, promoted by John McAfee as an "unbreakable" device, one of the methods considered to be the safest way to store cryptocurrencies, the so-called Cold storage, which uses physical devices that are not connected to the Internet.

Rashid used the device to play Doom, a video game of first-person action. The hacker is a renowned cybersecurity researcher.

The teenager posted on his blog that he managed to hack the Ledger Nano S, a USB wallet model that sold millions of units worldwide.

Cold storage devices allow you to store cryptocurrencies such as Bitcoin, Ethereum or Litecoin so that they can only be accessed with a key that only its owner should know.

It is believed that the ruling also affects another model, the Nano Blue, for which the update that would solve the problem will not be available "for several weeks," Ledger's security officer Charles Guillemet confirmed to the Quartz media.

Ledger, the company that manufactures it, said that the problem is already solved thanks to an update.

The attack programmed by Rashid is aimed at the internal systems of the device. One of them, which is responsible for controlling the small screen of the device and the USB functions, does not distinguish between the original firmware (the code that makes the device work) and the one that a third party can create.

An important problem discovered by the teenager is that the attacker would have to have physical access to the device before it reaches the victim. For example, buying it, manipulating it and selling it in an Internet portal.

In his blog, Rashid said he contacted Ledger "a few months ago" and that he sent them the code he had created. He assured that he did not receive any reward for it.

The Ledger cryptocurrency hardware wallet maker continues to refute claims that its devices can be hacked after a teenager committed them.

After 15-year-old Saleem Rashid created the code to "enter through the back door" into Ledger's wallets in November 2017, the company published posts describing the events as "NOT critical" and said that the possible attacks "can not extract the private keys or the seed".

The CEO of Ledger accused the teenager of having "visibly angry" when the company did not present the solution as if it were a "critical security update," and said his decision to publicize the problem "generated a lot of panic."

"It is very difficult to protect any device from an attacker who has physical access to it. That's why it's so important to have reliable manufacturers, dealers and repair services, "said Craig Young, a researcher with security company Tripwire.

"In this particular case, it was discovered that anyone with physical access to the USB wallet could modify it to access the funds. That means that someone who sold the device could then steal the funds that are stored in it. "

Rashid then refuted the claims in social media and in an article on his personal blog titled "Breaking the Ledger Security Model" on March 20, stating that he could still "autonomously extract the root private key". once the user unlocks the device "and use it to cause the manipulation of destination addresses for transactions.

The argument pressures both Ledger and its millions of users, who until now had widely accepted the company's claims that their wallets were 100% secure.

Ledger attempted to repair a total of three security vulnerabilities on its hardware, including that identified by Rashid. In a March 20 post describing the progress of security updates, Ledger told users that they would be fully protected after updating their wallets:

"The update process verifies the integrity of your device and a correct 1.4.1 update is the guarantee that your device has not been subject to any attack. There is no need to take any other action, your seed / private keys are safe. "

Jhon McAfee claims that the hacker managed to access Bitfi's root, but failed to destroy the security of the cryptocurrency system. The conditions to obtain the reward were that the hacker managed to subtract the Bitcoin inside the device and the pirate the only thing he could do was run Doom.

Although the main objective was not achieved, it is only a matter of time before I can obtain a way to transfer the cryptocurrencies of the device.