-
[Translated by Pekka P]
-
(KYBS2004 course assignment at JYU.FI)
-
♪ (38C3 intro music) ♪
-
*clap*
-
Hey everyone,
-
it's an honor to be here,
-
and it's great to see so many familiar faces
-
and so many new faces.
-
I know it's 11 a.m. on the last day,
-
so I'm impressed to see so many people here.
-
And welcome to the chaos of everything.
-
I'm John Nolte.
-
I'll be speaking today.
-
Someone who's not on stage
-
but is in each and every slide here
-
is Christian, the lead researcher
-
for the Milk Sad team.
-
I'm going to be talking about the story of Milk Sad,
-
the story of researching cryptocurrency wallet theft
-
in 2023,
-
and very happy to do so.
-
Very honored to be here.
-
Here's some of their names.
-
You see them as names.
-
I see them as friends, as trusted colleagues,
-
ex-coworkers,
-
random people I've never met
-
on the internet.
-
The only thing we had in common for the most part
-
was we were all in the same Matrix channel
-
diving into a problem.
-
Listeners, beware.
-
I might not be 100% factual
-
with everything I say.
-
I am excited to be here,
-
a little nervous to be here.
-
And there's a lot of information to go over.
-
So, it's too much for a 30-minute talk,
-
too much for a 45-minute talk.
-
And there's just a lot of research that the team did.
-
It's well represented at milksad.info.
-
You can see the talk notes,
-
slash 38C3.
-
You can scan this QR code.
-
Trust me, it's safe.
-
I hope.
-
Yeah.
-
And let's go over this talk.
-
We're going to get a little intro to cryptocurrency wallets.
-
Who here has ever heard of cryptocurrency?
-
Okay.
-
There's people that drank their yerba mates
-
and their coffee today.
-
It's nice to see some reactions.
-
We're going to talk about a theft
-
that happened about a year and a half ago
-
in July of 2023.
-
Then some of the additional work we did
-
and a lot of the ethical dilemmas and conflict
-
inside and outside of the team.
-
How many here are security researchers?
-
I'd like to know a little bit about the audience I'm addressing.
-
Okay.
-
So, there's a few.
-
So, there might be people who haven't been exposed
-
to discovering vulnerabilities in the wild
-
and all the things that can happen there.
-
So, I'll make sure to cover that.
-
And then we'll also just talk about the story
-
of people losing money on the internet
-
with magic internet money
-
and maybe ways to defend
-
against that type of thing.
-
So, to start,
-
let's talk about cryptocurrency wallets.
-
Okay.
-
Another question.
-
Who here has ever used a cryptocurrency wallet?
-
I feel so sorry for you.
-
It's so hard
-
and there's just a lot of stuff that happens when you set up a wallet.
-
A lot of things aren't well explained.
-
You just kind of go,
-
you install your app or run your software.
-
You get sometimes 12 magic words
-
or 24 magic words and you put them in your pocket.
-
You, you know, take a picture
-
and put that up on your cloud storage.
-
You know, really no one walks you through
-
what a safe way to do cryptocurrency wallet stuff is,
-
you know.
-
So, it can be really confusing.
-
At the end of the day, what happens
-
is you're trying to capture some type of entropy.
-
You're trying to generate some type of random seed.
-
And from that seed, derive a bunch
-
of private keys and public keys.
-
A lot of cryptographic operations in cryptocurrencies are based on asymmetric cryptography.
-
So, there's a public-private key pair.
-
Your public key, you can share to the world.
-
They can identify you by that key.
-
So, you know, be warned.
-
It is a tool to track that particular address,
-
that particular identity.
-
And then there's a private part.
-
And it really is like a private part.
-
Like, you don't really want to show that everywhere.
-
So, you know, there's these public-private keys.
-
And long ago, people were just generating single keys
-
and storing them, backing them up.
-
And it was quite a hassle.
-
So, the Bitcoin folks and community
-
came up with this improvement proposal, BIP39,
-
where they're like,
-
why don't we put this little seed,
-
this magic little seed of entropy, into words,
-
you know, mnemonics,
-
mnemonic seed phrases.
-
It's a lot easier to remember 12 words or 24 words
-
than it is to remember a bunch of random characters
-
that are maybe base 58 or base 64 encoded.
-
And so, BIP39 was a way to make things a little bit more human-readable
-
to keep a secret safe.
-
And from that secret, you could derive a bunch of private keys.
-
And BIP32 is the Bitcoin improvement proposal, number 32,
-
to have hierarchical deterministic wallets.
-
So, from an initial seed, you can derive
-
a large number of public-private key pairs.
-
And you can use those for all kinds of things.
-
If I have a wallet, I might want to receive money
-
with one address and send money with another.
-
I sometimes don't want to reuse my address.
-
And there's a number of reasons why I might not want to do that,
-
one being privacy, another being security
-
and some elements of cryptography with nonce reuse and whatnot.
-
But at the end of the day, the moral is,
-
with a simple seed, you can have a large number of private keys.
-
And that composed together is a cryptocurrency wallet.
-
There's software to help you do this.
-
And some of it is good.
-
Some of it is bad.
-
But today, I think most of it is just awkward for the regular user.
-
Another thing to note is,
-
in order to do this, you need randomness.
-
You need chaos from the universe.
-
You need to acquire that chaos somehow
-
and put it in your little bits and bytes
-
and package it in a safe, secure way.
-
And so, you know, cryptography needs this as a core primitive.
-
And if you don't have good randomness,
-
terrible things will happen, not to be too foreboding.
-
The problem is, computers are really bad at generating good randomness.
-
They're really great at following instructions.
-
They're really bad at doing random things.
-
They like to do what they're told.
-
You know, I don't know about new age quantum cryptography
-
or computers or whatnot. But, like, the computers I've been working with are pretty random.
-
Or not pretty random.
-
They're pretty just regular.
-
They do what you tell them, and that's what they do.
-
So there's a lot of reasons why you need randomness in your compute.
-
If you're making video games,
-
you want your characters to maybe start in random places.
-
If you're making API keys, maybe you want to,
-
you know, you don't want them to be predictable.
-
And so you need to have a good way to get random numbers.
-
There's good ways, and there's easy ways,
-
and there's these cryptographically secure ways to get random numbers.
-
They're used for different purposes.
-
Some are lightweight, fast, and don't require a lot of compute resources.
-
Others may take up more resources
-
but give you outputs that are not predictable
-
and don't reveal any of the inputs.
-
And so cryptographically secure PRNGs,
-
the pseudo-random number generators, are kind of the ideal in a lot of situations when you're dealing with generating keys for wallets.
-
So that's randomness.
-
And another thing to note is this is a talk about cryptocurrency,
-
but people use BIP39 mnemonic seed phrases to back up all kinds of things.
-
I don't know who here has heard of PGP.
-
Yeah, nice, nice, nice, nice.
-
So other places that would be like, what's that?
-
Well, it's pretty good privacy.
-
But there's ways to have, like, a 24-word mnemonic seed phrase
-
be used to derive PGP keys, which is pretty cool.
-
But anyways, the point there is, like, it's not just cryptocurrency.
-
Let's talk about the theft.
-
So I've never seen a bank get robbed
-
except in Hollywood movies.
-
And, oh, the slides aren't showing.
-
Did they just stop showing
-
or have they not been showing?
-
Okay, I'll do the good old plug it.
-
Okay.
-
Thanks for the call out.
-
So anyways, a theft.
-
Who's ever seen a robbery?
-
I haven't.
-
I hope you never have to.
-
But on Reddit, it kind of looks like this.
-
You just see someone, hey, my money's gone.
-
I think a bunch of other people's money's gone.
-
What happened?
-
And that's not where our journey started.
-
My journey started when I got a message from a friend
-
saying, hey, do you still have your Bitcoin?
-
I was like, what?
-
I don't know.
-
Let me go check.
-
So I have to go swim into my underwater cave,
-
feed the alligators, pop up, open the vault.
-
Yeah, it's still there.
-
Actually, it's not that hard.
-
You can just, if you know your addresses, you can just look.
-
But, yeah, my Bitcoin was there.
-
My money, you know, I don't know what money is,
-
but I like to think of Bitcoin as money that I like to use.
-
And I was like, dude, where's yours?
-
And they were like, it's not there anymore.
-
That sucks.
-
It's not, you know, you open your wallet and a dollar bill's there today.
-
And then tomorrow you look and it's not there.
-
You know, paper doesn't just evaporate.
-
Maybe it gets wet and disintegrates, but there's still remnants.
-
People put, like, ceramic disks in that stuff, you know.
-
And there's always a trace of where money went.
-
And on the blockchain, it's no different.
-
So, we saw that a bunch of money moved
-
and was consolidated.
-
And we knew two people in our social group.
-
You know, I don't have a lot of friends,
-
so this is like a large portion of my social network had been compromised.
-
And I was curious to understand how and why.
-
Maybe I'll never understand why, except for human greed.
-
But the how was very interesting for me,
-
because this is magic math,
-
and magic math is no different than regular math.
-
It just takes sometimes a little bit more for muggles like me to understand.
-
So, overall, we saw 37 bitcoin move at this time.
-
And, you know, we saw that it wasn't just two people
-
that were in my friend's group.
-
We saw many other people.
-
So, a team forms, you know.
-
And we're not like the Avengers.
-
We don't have fancy suits.
-
I work in a garage in my house.
-
And other people work all over the world.
-
The good thing is we did have people
-
who knew how they generated their keys.
-
They knew how they stored them.
-
They knew the security models they were up against were...
-
They took precautions, let's say.
-
They weren't just downloading an app, running something on an online computer.
-
They were very tight about the attack surface
-
and generated keys on air-gapped machines
-
that had never touched the light of the internet,
-
running minimal Linux operating systems.
-
And so, it was very curious.
-
What we discovered in our research
-
was the common denominator was a software called Libbitcoin Explorer.
-
And so, you know, you try and understand how your well gets poisoned
-
and you look upstream
-
and, you know, or downstream.
-
We stand upon the shoulders of giants
-
and sometimes those giants just rot and die.
-
And in this case, we discovered some rot
-
and we decided to take a closer look at this software.
-
Now, Libbitcoin Explorer is kind of a random software.
-
And one of the questions some people were asking is, like,
-
well, how did these people even start using this software?
-
Well, they tried to do things by the book, literally.
-
The problem with dead trees is they don't get updated
-
as often as digital bits and bytes.
-
And what's true yesterday is not always true today.
-
So, when a book says something, generate a random seed
-
using operating system random number generator,
-
and your operating system is Linux, you feel like you have some guarantees
-
with a thousand eyes, all bugs are shallow,
-
or whatever that saying is.
-
Unfortunately, this turned out not to be true.
-
The bx seed command from Libbitcoin generates wallets
-
via the Mersenne Twister,
-
and it's not just a little dance here.
-
We're talking, like, you know, just numbers and stuff.
-
But numbers can dance, too, if you look at them right.
-
Some of them wiggle.
-
Some of them squirm.
-
And in this case, with this variant of Mersenne Twister,
-
this whole MT19937,
-
I'd be curious if anyone knows what that number is.
-
It's a prime number.
-
2 to the 119th.
-
Anyways, 32 bits of initial state
-
was all that was allowed in this implementation for generating random numbers.
-
Now, 32 bits seems like a number,
-
but it's not a very – it doesn't allow for a lot of possibility, possible outcomes.
-
And when we saw this, our heads kind of exploded
-
because we were expecting 256 bits of chaos and entropy
-
entering our little random number generator.
-
So, to not see that was a shock,
-
and definitely we felt like we were on the right track.
-
And so, you know, again, these numbers,
-
32 bits is a little over 4 billion.
-
And 128 bits is a little over 360 –
-
340 undecillion, I guess.
-
It's like 10 to the 36.
-
I don't know.
-
Undecillion is an interesting word.
-
In British English, it means something different.
-
And it also – yeah, anyways, look it up.
-
Undecillion.
-
But, yeah, so once an attacker knows your master key,
-
it's game over
-
because this whole key derivation stuff.
-
Like, once they know the initial state of how you derived all these other keys,
-
they can just walk down your path and check
-
and see if there's any cherries left over.
-
In this case, cherries are cryptocurrencies, you know, assets.
-
And so, theft is trivial.
-
With 32 bits, you can rent a cheap box at Hetzner.
-
You can have a gaming computer brute force this
-
in a matter of days, if not less.
-
And also, it's – this is not just Bitcoin.
-
People were using this, you know, for Ethereum,
-
a bunch of other cryptocurrencies,
-
and, yeah, it's – you know, maybe people were using it
-
for PGP, too.
-
I don't know.
-
But, anyways, we're talking about cryptocurrency here.
-
So, what did we do?
-
We saw an active exploit.
-
And by we, I mean the Milk Sad team.
-
We saw that this was happening in the wild.
-
We knew that this was – there was some entity
-
that was moving money,
-
and it wasn't the entity that was originally owning that money
-
or owning that currency.
-
So, with active exploits, we wanted to expedite
-
the disclosure process and inform the public
-
so they could have an informed decision what to do with their assets.
-
Now, you know, it's a social norm to do 90 days.
-
With Google Project Zero, they kind of set a standard for this
-
for, like, seven days if you see active in the wild.
-
And that's what we did.
-
We filed a CVE.
-
We did a detailed public write-up.
-
We reached the – you know, reached out to the maintainers of the software
-
and told them before we were doing this to have a coordinated disclosure.
-
They didn't see the world as we saw the world,
-
and that's okay.
-
But when people's money is on the line,
-
we had to make a choice,
-
and we decided to make the choice that made us sleep peacefully at night.
-
We wanted to tell the people to protect them.
-
And the name – I love the name Milk Sad.
-
I felt very sad when I learned about this,
-
and people didn't lose just, you know, their milk money.
-
They lost their savings.
-
They lost a belief in the rigidity
-
of a cryptocurrency system.
-
And that's a hard thing to build back.
-
When we first discovered that the initial state
-
was reproducible,
-
that we could generate the same mnemonic seed phrase
-
over and over again by setting some parameters
-
and depending supposedly on, like, system entropy
-
and getting the same mnemonic seed phrase,
-
we were kind of stunned.
-
And we realized, you know, kind of what the problem was,
-
everything else after that was just diving into the problem,
-
fully understanding it,
-
fully documenting it,
-
and preparing public disclosures for that.
-
We also, again, like, we were curious about how the attackers did this
-
and how big this problem was,
-
and was it just us using this software?
-
Or was there other software out there,
-
cryptocurrency wallet implementations that had similar issues?
-
Again, you don't need advanced degrees in cryptography.
-
You don't need specialized hardware to do what we did.
-
You just need to understand how these numbers work.
-
And once you understand initial PRNG seed states
-
for these systems,
-
you can simply enumerate over all the potential address space
-
that you want to spend time deriving
-
and checking if that address had ever been used on the blockchain.
-
And if so, you can see that address was vulnerable,
-
and that money was vulnerable,
-
and maybe it was stolen, maybe it wasn't.
-
But voila, you get answers to how much money
-
moved through these weak wallet systems.
-
This was a lot of time to dive through all the aftereffects
-
of this attack and exploit,
-
and we can still spend hours, days, months, years
-
diving into everything.
-
You can be a crypto sleuth like ZachXBT
-
and trace where all the money went.
-
We didn't do that.
-
You know, we didn't find all the answers to all the questions.
-
And, yeah, there's a lot of other coins out there,
-
cryptocurrencies that we could have looked at that we didn't.
-
Bitcoin, Ethereum, Doge, XRP,
-
these are all, like, cryptocurrencies,
-
and these are all systems that were affected by this compromise.
-
We're also not alone here.
-
There were other researchers that were working on this problem,
-
and from them we drew inspiration, and, in some ways, collaboration.
-
I don't know who here, any Drake fans here?
-
Okay, I feel sorry for the one person that raised their hand.
-
So, Trust Wallet, not like us.
-
They didn't like the users in some ways.
-
They made some mistakes,
-
and not just one mistake.
-
They made multiple mistakes,
-
which is sad for the downstream users,
-
sad for the team that built this product and built a reputation around trust.
-
If I say, trust me, bro,
-
you're going to trust me, I'm sure.
-
Maybe, you know.
-
But probably not.
-
I'm just a stranger on the Internet most of the time.
-
And it's just, again, this is in the wild.
-
These weren't vulnerabilities we found.
-
These are just out there.
-
You can look them up.
-
And in this case, the PRNG was seeded with time,
-
which is really not a good idea.
-
Unix time starts in 1970,
-
and we're in 2024.
-
So, like, no matter what,
-
it's just not a lot of years to go through,
-
which is why I always set my clock 100 years in advance.
-
My plots are measured in centuries.
-
And just for this meme, you know, I don't know what Drake is all about.
-
He just is a super predictable person, though.
-
And he just doesn't like the good stuff.
-
He's just not like us.
-
So, we avoid him.
-
We try not to be like him.
-
I'm sorry if he's your idol.
-
This is my opinion.
-
I'm not speaking on behalf of the Milk Sad research team or anyone else here.
-
And if I offend you, I apologize.
-
I just like to be honest with myself and the audience.
-
But, yeah, what are the highlights, you know?
-
We're done with Drake.
-
There were nine wallets that we discovered
-
with lots of money.
-
So, in cryptocurrency land, they call them whales.
-
And these whales had quite the dork of a wallet.
-
67,000-plus bitcoins
-
went through these wallets.
-
At the time, that's about a billion dollars,
-
at 20,000 U.S. dollars per Bitcoin.
-
Today, that's five times as much.
-
I think Bitcoin hovers around $100,000.
-
In my world, one Bitcoin will always equal one Bitcoin.
-
And everything else is everything else.
-
But, again, this shows you that it wasn't just retail,
-
random people reading books.
-
This was people who were spending a lot of time and energy,
-
had a lot of assets involved and vulnerable,
-
which was quite impressive and surprising.
-
We don't know what happened with this money.
-
We don't know if these people or entities
-
that had control of these wallets moved them safely.
-
We kind of assumed they did.
-
We don't know if they knew what was happening here in 2020.
-
Mind you, we discovered this issue in 2023.
-
So, it was three years later.
-
But, yeah, just kind of crazy.
-
That's a lot of money to just float around the Internet and be able to be grabbed.
-
Cake.
-
I like cake.
-
I hate when my cake has poison in it or razor blades.
-
If you ever eat an apple on Halloween, be careful.
-
Check it twice.
-
Some people are naughty.
-
Some people are nice.
-
And, in this case, Cake Wallet was not so nice.
-
You know, a lot of programming languages have, like, random SDKs.
-
It's just easy native library implementations where you can get randomness.
-
And, a lot of them don't have secure, cryptographically secure randomness
-
by default, which I find really awkward.
-
I think that's something we should talk about here.
-
Like, why don't we provide safe defaults
-
for all the programming languages as, you know, a primitive?
-
So, something to think about if you're developing languages.
-
Default to safety first, please.
-
And, yeah, we knew that this was insecure,
-
but a lot of people didn't know how or, you know, how to derive these addresses.
-
And, luckily, lead researcher Christian,
-
our knight in shining armor,
-
saw the puzzle and decided he needed to break it.
-
You know, he was kind of nerd-sniped by this.
-
And, a lot of us were not spending as much time
-
diving into Cake Wallet because we already were moving on to things.
-
But, the fixation Christian, you know, spent was well worth it.
-
He discovered that they weren't using 32 bits of seeding
-
when you expected 128 or 256.
-
They were actually using 20 bits.
-
You know, and 20 bits means I can almost do the calculations with my hands and toes.
-
But, I lost a lot of touch in my pinky toes
-
due to frostbite.
-
So, it would be difficult for me, but if you are talented
-
with all your digits, you can show me how to calculate stuff with them.
-
That would be super cool to do by nay.
-
But, 20 bits is not a lot.
-
So, easy to brute force.
-
And, Cake Wallet is a software product that a lot of people use.
-
It's great.
-
It has... It's not great.
-
I don't know.
-
I shouldn't say that.
-
It is what it is.
-
But, the cool thing about it is you can reach out to the users,
-
unlike open source projects, which is a little bit harder.
-
You know, you can send out something to the mailing list or not.
-
So, our team, Christian, reached out to Cake Wallet people,
-
and they're like, yeah, we'll throw a notification up,
-
and we'll tell people.
-
The problem is, people don't update their software.
-
They didn't get the notification.
-
They probably just set it and forget it, you know.
-
And, we waited six months
-
until we disclosed this issue.
-
Six months of just sitting there, hoping things were going to be good.
-
Two days after disclosure, the remaining funds
-
in those vulnerable wallets were removed.
-
We suspect they were removed by not the originators of those funds.
-
Sad times.
-
Sad times. Sad times.
-
So, back to our team and what we were up to.
-
There was a lot of debate, a lot of turmoil.
-
I would say, you know, I trust everyone that I worked with,
-
and you had to.
-
Because, when there's a big bag of money on the ground,
-
and anyone can just pull up and pick it up,
-
anyone in our team could have done this.
-
Anyone in the world who knew about this
-
could have done this, who reviewed the open source software.
-
And, you know, what do you do with that?
-
As a good Samaritan, you see
-
a 100-year-old note or something on the ground.
-
You might take it to the police station and say, hey, I found this money.
-
I don't know who it belongs to, but I'm sure they need it.
-
They want it.
-
But, in cryptocurrency land, how do you verify,
-
like, that indeed was the person that, you know,
-
how does anyone verify that that's their 100-year-old note?
-
It's kind of tricky.
-
Maybe there's CCTVs in the area.
-
You can see someone slip, you know, slip their glove,
-
and a dollar falls out or whatever.
-
But, in cryptocurrency land, it can be quite difficult.
-
And there's a lot of legal and tax implications.
-
And we come from many jurisdictions,
-
from Canada, the U.S., Germany.
-
I don't know where all our research team comes from,
-
but we definitely debated this, and it was a hot topic.
-
Another hot topic was, do we open source the code that we use to derive these addresses?
-
Do we share it with the world?
-
We're proud of the work we did.
-
We spent a lot of hours.
-
We spent a lot of time working together,
-
making sure we understood the scope of some of these issues.
-
And we didn't get unanimous consent
-
to release all the source code.
-
We had a lot of disagreements.
-
There's some people who live and die
-
by the open source sword in our social group, in our research team.
-
And to them, it was a tragedy to not share this with the commons.
-
And then there were others who just don't want to give people
-
who don't want to spend the time understanding the situation,
-
even if they have bad intent, easy resources to do this for cryptocurrencies
-
and extend it to other potential networks
-
that might not have been compromised in the initial attack.
-
So, again, it was a tricky situation.
-
We wanted to share some things with the public.
-
We didn't want to share everything with the public.
-
We did allow people to look up to see
-
if they had compromised mnemonic seed phrases.
-
You could go to a website, provide a SHA-256 hash
-
of the seed phrase, and check to see
-
if it was in our database.
-
Obviously, that was even discussed internally,
-
because what if people put their entire seed phrase in there and then blame us for being compromised?
-
And that is a tricky, sticky situation.
-
But we did want to provide some type of public service
-
for people to check before they swept their funds.
-
But, yeah, some numbers,
-
lots of money through this.
-
This isn't money that was necessarily stolen.
-
This, and by money, I just mean Bitcoin,
-
or, you know, that's what we're looking at here.
-
But these are Bitcoins that move through compromised wallets that could have been stolen at any point in time.
-
And I just find that fascinating.
-
This is world-changing money.
-
This can fund your nuclear arsenal.
-
This can buy you many islands
-
or politicians or Twitters or whatever.
-
Actually, maybe not Twitters.
-
I don't know.
-
It depends on the price.
-
But, yeah, this is a lot.
-
And it was crazy to see so much of this asset
-
go through weak systems.
-
It just felt weird.
-
What can you do?
-
That's a good question.
-
As a developer, how can you protect yourself?
-
How can you protect the people you're building software for?
-
A lot of us are building software for people.
-
Sometimes people are building software for, like, robots
-
and stuff and non-peoples.
-
But that's also great.
-
You should still protect those entities as well.
-
Question everything.
-
My mom always told me to question authority.
-
And I carry that with me everywhere I go.
-
I really doubt everything I see.
-
And really have to strive for understanding
-
to feel confident and comfortable
-
to use technology that I would use in a secure system.
-
And when I'm building software, I always like to check it twice.
-
I like to get it externally audited.
-
And, you know, when you're using randomness,
-
make sure you're not just doing silly mistakes.
-
And this is a question of how we get people
-
to break this cycle of repeating the same mistake over and over again.
-
So, as the average user, if you entrust your money to software,
-
if you entrust critical things like your privacy to software systems,
-
demand security audits, you know, request them,
-
demand them, pay for them.
-
Do what you can to help the systems
-
keep your stack updated.
-
So, again, this is not a full enumeration.
-
These are just useful, you know, things I find useful.
-
One thing to note with the BIP39 setup mnemonic seed phrase
-
is if people added a password, which is part of the BIP39 spec,
-
a passphrase, to their setup, they probably wouldn't have been compromised
-
in the initial attack.
-
People, the attackers would have had to try and crack the password
-
in order to then enumerate all of the downstream addresses.
-
So, that was something interesting about this particular incident
-
is some people were protected just by adding that simple passphrase.
-
But, yeah, open source is great,
-
but it doesn't guarantee safety, as we all know.
-
In conclusion, chaos is required for some things
-
in compute and in life, as we know in the Chaos Congress.
-
There's often good chaos everywhere,
-
and you try to avoid the bad chaos.
-
Be careful.
-
It is used everywhere in passwords, session tokens, all this stuff.
-
Try not to let it happen to you.
-
Try to understand and do your research
-
and do what you can to build confidence in the technology you're using,
-
and that's for everything.
-
Where do we go from here?
-
Well, we spent a lot of work proving over 20,000 weak wallets
-
existed in the cryptocurrency space.
-
A lot of us have full-time jobs, families,
-
mouths to feed, breaks to take, you know, sleep.
-
And so, we're doing a bunch of other things,
-
but we're still very interested in this area,
-
and there's a lot of research and investigations that can still happen here.
-
So, we're constantly pushing out updates,
-
and by we, I typically mean Christian, the lead researcher.
-
If you have anything interesting or, you know, comments or feedback
-
or you want to learn more,
-
always feel free to reach out to us.
-
And we're hosting a longer Q&A session
-
with the research team.
-
You know, I'm just a puppet here being pulled by the slides,
-
but if you want to meet more of us, please do so.
-
We'll be in Saal 6, which is, I think, a floor below us,
-
and love to see your faces,
-
love to talk to you about this problem
-
and find solutions that can really break the cycle
-
of bad entropy in good intended systems.
-
Also, shout-out to Mo at Milliways.
-
These slides and the template come from him,
-
and originally that was derived from the 38C3 design team,
-
and I just love the design.
-
So, thank you very much, everyone, for coming here
-
to listen to this talk,
-
and I'd love to field your questions for what I can answer
-
and for anything I can't,
-
I will just shepherd you downstairs to Saal 6.
-
John Nolte and the Milk Sad team, thanks a lot for this research,
-
thanks a lot for the presentation,
-
thanks a lot for the disclosure.
-
Anybody coming up with questions?
-
I see some questions here.
-
However, hold on for a second.
-
We want to have a look at the internet.
-
Are there online questions?
-
Yeah, please.
-
The first question from the internet would be,
-
were all wallets using Mersenne Twister
-
to generate the seed at that point?
-
If not, how did the hackers identify the ones which did use it?
-
So, I don't know how the hackers identified the weak wallets in their systems,
-
but the answer to the first question is no.
-
They weren't all using Mersenne Twister.
-
You can look at the other implementations in our write-ups,
-
but yeah, there was a few implementations
-
and issues there.
-
Is there anything else from the internet?
-
Yes, we have one more.
-
The question is if this flaw is still out in the wild,
-
especially for non-Bitcoin cryptocurrencies.
-
Is the flaw still out in the wild?
-
Yeah, the software, you know,
-
once you publish the software version,
-
it's there forever, most of the time.
-
You know, there's people who archive all kinds of things,
-
so most things on the internet don't die.
-
What's dead can never die.
-
And as far as active exploits,
-
if you put money in one of these compromised wallets,
-
it'd be a fun game to see how fast it moves
-
by not your hands, not your system.
-
I assume now there's just people who are listening
-
or systems that are listening,
-
waiting for money to enter a weak wallet
-
and snatching that money immediately.
-
A fun game to play would be to see
-
if they pay more gas than the money's worth.
-
If they're sophisticated, they'll check that first.
-
If they're unsophisticated, they won't.
-
But yeah, it's definitely still active.
-
There's still these issues.
-
And there's, you know, systems that we haven't identified yet.
-
So that's still up in the open.
-
Okay, for everybody else in the room,
-
just line up at the microphones.
-
Therefore, microphone number three, please.
-
Thank you.
-
Great talk.
-
I would like to know whether this applies to Monero as well.
-
And have you looked into Microsoft Research Z3?
-
Answering second question first, I haven't.
-
I'd love to know what that is.
-
And so I'll mentally note that down,
-
but probably forget it.
-
So I'll try and write it down later.
-
But it's recorded.
-
So, actually, I'll just watch the recording.
-
But yeah, as far as Monero and other cryptocurrencies are compromised,
-
it's outside of the realm of cryptocurrencies.
-
It's more in the realm of the cryptographic implementation for the wallet is flawed.
-
And people were using these mnemonic seed phrases for all kinds of things, not just Bitcoin, not just Ethereum.
-
I don't know if we... we didn't do any research on Monero.
-
So that's an interesting field for privacy coins.
-
I think we did see Zcash.
-
Not everyone like makes Zcash private, I guess.
-
So, but yeah, I would assume
-
Monero wallets would be compromised
-
if they generated their seeds with this software stack.
-
OK, thank you.
-
Thank you.
-
And again, microphone number three, please.
-
So using a non-cryptographically secure PRNG,
-
it's kind of a basic pentest finding.
-
At least that's my experience, my professional deformation, I guess.
-
So I would be kind of scared when I see it
-
in software like this, that's supposed to be developed by competent developers.
-
Have people considered this to be a supply chain attack on the ecosystem?
-
I mean, a compromised supply chain, that's what happened here.
-
So, yeah, like the well was poisoned.
-
People trusted software and they stood upon the shoulders of giants
-
and they realized those giants didn't have a strong foundation
-
and everything they had kind of crumpled into dust.
-
So 110% supply chain problem,
-
definitely recommend having supply chain security solutions
-
to, you know, mitigate against this.
-
And that's where a lot of code review comes in.
-
But yeah, it was mostly like code review probably would have caught this.
-
It wasn't a fancy thing like no one compromised the build server
-
and there was a build release artifact published
-
that was at issue.
-
But the source code was clean, like SolarWinds or whatnot.
-
So, yeah, it was just bad code put into the system.
-
Flawed, I guess, code.
-
Maybe the, I don't know.
-
Yeah.
-
Okay.
-
Yeah, it's fair that I'm not that paranoid about it.
-
But yeah, shit happens.
-
Definitely be paranoid.
-
Every pull request is a potential input for compromise.
-
So, constant vigilance.
-
That's what one of my favorite Harry Potter characters,
-
Mad-Eye Moody, would say.
-
He was compromised.
-
Anyways, yeah, by a supply chain attack.
-
But yeah, cool.
-
Any other questions?
-
No, thanks.
-
Well, in here, microphones are empty.
-
What about the internet?
-
Some more questions from there?
-
No.
-
Anybody interested in anything particular here from John?
-
No?
-
Well, then, let's thank John again for this.
-
*clap*
-
♪ (38C3 outro) ♪