38C3 - Dude, Where's My Crypto? - Real World Impact of Weak Cryptocurrency Keys

Rollback to version 4

0:00 - 0:02

[Transcribed by Pekka P]
0:02 - 0:03

(KYBS2004 course assignment at JYU.FI)
0:03 - 0:15

♪ (38C3 intro music) ♪
0:15 - 0:16

clap
0:17 - 0:18

Hey everyone,
0:18 - 0:19

it's an honor to be here,
0:19 - 0:21

and it's great to see so many familiar faces
0:21 - 0:24

and so many new faces.
0:24 - 0:26

I know it's 11 a.m. on the last day,
0:26 - 0:29

so I'm impressed to see so many people here.
0:30 - 0:33

And welcome to the chaos of everything.
0:34 - 0:35

I'm John Nolte.
0:35 - 0:36

I'll be speaking today.
0:37 - 0:38

Someone who's not on stage
0:38 - 0:41

but is in each and every slide here
0:41 - 0:42

is Christian, the lead researcher
0:42 - 0:45

for the MilkSAD team.
0:45 - 0:48

I'm going to be talking about the story of MilkSAD,
0:48 - 0:51

the story of researching cryptocurrency wallet theft
0:51 - 0:53

in 2023,
0:53 - 0:56

and very happy to do so.
0:57 - 0:58

Very honored to be here.
1:03 - 1:04

Here's some of their names.
1:04 - 1:06

You see them as names.
1:06 - 1:08

I see them as friends, as trusted colleagues,
1:08 - 1:09

ex-coworkers,
1:09 - 1:11

random people I've never met
1:11 - 1:12

on the internet.
1:13 - 1:16

The only thing we had in common for the most part
1:16 - 1:18

was we were all in the same Matrix channel
1:18 - 1:20

diving into a problem.
1:20 - 1:24

Listeners, beware.
1:25 - 1:26

I might not be 100% factual
1:26 - 1:28

with everything I say.
1:29 - 1:30

I am excited to be here,
1:30 - 1:33

a little nervous to be here.
1:34 - 1:36

And there's a lot of information to go over.
1:36 - 1:38

So, it's too much for a 30-minute talk,
1:38 - 1:41

too much for a 45-minute talk.
1:42 - 1:45

And there's just a lot of research that the team did.
1:46 - 1:49

It's well represented at MilkSAD.info.
1:49 - 1:51

You can see the talk notes,
1:51 - 1:52

slash 38C3.
1:53 - 1:54

You can scan this QR code.
1:55 - 1:56

Trust me, it's safe.
1:57 - 1:58

I hope.
2:00 - 2:00

Yeah.
2:00 - 2:02

And let's go over this talk.
2:03 - 2:07

We're going to get a little intro to cryptocurrency wallets.
2:07 - 2:09

Who here has ever heard of cryptocurrency?
2:11 - 2:12

Okay.
2:12 - 2:14

There's people that drank their herbamatas
2:14 - 2:16

and their coffee today.
2:16 - 2:18

It's nice to see some reactions.
2:19 - 2:20

We're going to talk about a theft
2:20 - 2:23

that happened about a year and a half ago
2:23 - 2:24

in July of 2023.
2:24 - 2:26

Then some of the additional work we did
2:26 - 2:29

and a lot of the ethical dilemmas and conflict
2:29 - 2:32

inside and outside of the team.
2:34 - 2:36

How many here are security researchers?
2:37 - 2:39

I'd like to know a little bit about the audience I'm addressing.
2:40 - 2:40

Okay.
2:40 - 2:41

So, there's a few.
2:42 - 2:44

So, there might be people who haven't been exposed
2:44 - 2:47

to discovering vulnerabilities in the wild
2:47 - 2:49

and all the things that can happen there.
2:49 - 2:51

So, I'll make sure to cover that.
2:51 - 2:54

And then we'll also just talk about the story
2:54 - 2:56

of people losing money on the internet
2:56 - 2:58

with magic internet money
2:58 - 3:00

and maybe ways to defend
3:00 - 3:03

against that type of thing.
3:04 - 3:06

So, to start,
3:06 - 3:08

let's talk about cryptocurrency wallets.
3:09 - 3:09

Okay.
3:09 - 3:10

Another question.
3:10 - 3:12

Who here has ever used a cryptocurrency wallet?
3:12 - 3:14

I feel so sorry for you.
3:14 - 3:16

It's so hard
3:16 - 3:19

and there's just a lot of stuff that happens when you set up a wallet.
3:19 - 3:21

A lot of things aren't well explained.
3:22 - 3:24

You just kind of go,
3:24 - 3:25

you install your app or run your software.
3:26 - 3:28

You get sometimes 12 magic words
3:28 - 3:31

or 24 magic words and you put them in your pocket.
3:32 - 3:34

You, you know, take a picture
3:34 - 3:36

and put that up on your cloud storage.
3:36 - 3:39

You know, really no one walks you through
3:39 - 3:42

what a safe way to do cryptocurrency wallet stuff,
3:42 - 3:43

you know.
3:43 - 3:45

So, it can be really confusing.
3:45 - 3:48

At the end of the day, what happens
3:48 - 3:50

is you're trying to capture some type of entropy.
3:50 - 3:53

You're trying to generate some type of random seed.
3:53 - 3:55

And from that seed, derive a bunch
3:55 - 3:57

of private keys and public keys.
3:57 - 4:03

A lot of cryptographic operations and cryptocurrencies based on asymmetric cryptography.
4:03 - 4:05

So, there's a public-private key pair.
4:05 - 4:08

Your public key, you can share to the world.
4:08 - 4:11

They can identify you by that key.
4:11 - 4:12

So, you know, be warned.
4:13 - 4:15

It is a tool to track that particular address,
4:15 - 4:18

that particular identity.
4:18 - 4:19

And then there's a private part.
4:20 - 4:22

And it really is like a private part.
4:22 - 4:23

Like, you don't really want to show that everywhere.
4:23 - 4:28

So, you know, there's these public-private keys.
4:28 - 4:32

And long ago, people were just generating single keys
4:32 - 4:34

and storing them, backing them up.
4:36 - 4:37

And it was quite a hassle.
4:38 - 4:42

So, the Bitcoin folks and community
4:42 - 4:44

came up with this improvement proposal, BIP39,
4:44 - 4:46

where they're like,
4:46 - 4:49

why don't we keep this little seed,
4:49 - 4:52

this magic little seed of entropy into words,
4:52 - 4:54

you know, mnemonics,
4:54 - 4:56

mnemonic seed phrases.
4:57 - 5:00

It's a lot easier to remember 12 words or 24 words
5:00 - 5:04

than it is to remember a bunch of random characters
5:04 - 5:08

that are maybe base 58 or base 64 encoded.
5:08 - 5:12

And so, BIP39 was a way to make things a little bit more human-readable
5:12 - 5:14

to keep a secret safe.
5:14 - 5:18

And from that secret, you could derive a bunch of private keys.
5:18 - 5:22

And BIP32 is the Bitcoin improvement proposal, number 32,
5:22 - 5:25

to have hierarchical deterministic wallets.
5:25 - 5:28

So, from an initial seed, you can derive
5:28 - 5:33

a large number of public-private key pairs.
5:34 - 5:36

And you can use those for all kinds of things.
5:37 - 5:40

If I have a wallet, I might want to receive money
5:40 - 5:43

with one address and send money with another.
5:44 - 5:46

I sometimes don't want to reuse my address.
5:46 - 5:50

And there's a number of reasons of why I might not want to do that,
5:50 - 5:52

one being privacy, another being security
5:52 - 5:56

and some elements of cryptography with non-swe use and whatnot.
5:56 - 6:00

But at the end of the day, the moral is,
6:00 - 6:03

with a simple seed, you can have a large number of private keys.
6:04 - 6:07

And that composed together is a cryptocurrency wallet.
6:07 - 6:09

There's software to help you do this.
6:10 - 6:11

And some of it is good.
6:11 - 6:13

Some of it is bad.
6:13 - 6:18

But today, I think most of it is just awkward for the regular user.
6:19 - 6:22

Another thing to note is,
6:22 - 6:24

in order to do this, you need randomness.
6:24 - 6:26

You need chaos from the universe.
6:26 - 6:29

You need to acquire that chaos somehow
6:29 - 6:32

and put it in your little bits and bytes
6:32 - 6:34

and package it in a safe, secure way.
6:36 - 6:38

And so, you know, cryptography needs this as a core primitive.
6:38 - 6:42

And if you don't have good randomness,
6:42 - 6:45

terrible things will happen, not to be too foreboding.
6:46 - 6:49

The problem is, computers are really bad at generating good randomness.
6:50 - 6:52

They're really great at following instructions.
6:52 - 6:54

They're really bad at doing random things.
6:54 - 6:55

They like to do what they're told.
6:55 - 6:59

You know, I don't know about new age quantum cryptography
6:59 - 7:02

or computers or whatnot. But, like, the computers I've been working with are pretty random.
7:03 - 7:04

Or not pretty random.
7:04 - 7:05

They're pretty just regular.
7:06 - 7:07

They do what you tell them, and that's what they do.
7:09 - 7:14

So there's a lot of reasons why you need randomness in your compute.
7:14 - 7:17

If you're making video games,
7:17 - 7:19

you want your characters to maybe start in random places.
7:19 - 7:22

If you're making API keys, maybe you want to,
7:22 - 7:26

you know, you don't want them to be predictable.
7:27 - 7:30

And so you need to have a good way to get random numbers.
7:31 - 7:34

There's good ways, and there's easy ways,
7:34 - 7:37

and there's these cryptographically secure ways to get random numbers.
7:38 - 7:39

They're used for different purposes.
7:39 - 7:43

Some are lightweight, fast, and don't require a lot of compute resources.
7:43 - 7:46

Others may take up more resources
7:46 - 7:50

but give you outputs that are not predictable
7:50 - 7:53

and don't reveal any of the inputs.
7:53 - 7:57

And so cryptographically secure PRNGs,
7:57 - 8:04

the pseudo-random number generators, are kind of the ideal in a lot of situations when you're dealing with generating keys for wallets.
8:06 - 8:08

So that's randomness.
8:08 - 8:12

And another thing to note is this is a talk about cryptocurrency,
8:12 - 8:17

but people use BIP39 mnemonic seed phrases to back up all kinds of things.
8:18 - 8:20

I don't know who here has heard of PGP.
8:21 - 8:23

Yeah, nice, nice, nice, nice.
8:23 - 8:26

So other places that would be like, what's that?
8:26 - 8:27

Well, it's pretty good privacy.
8:27 - 8:31

But there's ways to have, like, a 24-word mnemonic seed phrase
8:31 - 8:34

be used to derive PGP keys, which is pretty cool.
8:34 - 8:38

But anyways, the point there is, like, it's not just cryptocurrency.
8:39 - 8:40

Let's talk about the theft.
8:41 - 8:44

So I've never seen a bank get robbed
8:44 - 8:45

except in Hollywood movies.
8:47 - 8:50

And, oh, the slides aren't showing.
8:51 - 8:53

Did they just stop showing
8:53 - 8:54

or have they not been showing?
8:54 - 8:58

Okay, I'll do the good old plug it.
8:58 - 8:59

Okay.
9:00 - 9:01

Thanks for the call out.
9:02 - 9:03

So anyways, a theft.
9:04 - 9:05

Who's ever seen a robbery?
9:06 - 9:07

I haven't.
9:07 - 9:08

I hope you never have to.
9:08 - 9:10

But on Reddit, it kind of looks like this.
9:11 - 9:13

You just see someone, hey, my money's gone.
9:13 - 9:15

I think a bunch of other people's money's gone.
9:16 - 9:16

What happened?
9:18 - 9:21

And that's not where our journey started.
9:21 - 9:24

My journey started when I got a message from a friend
9:24 - 9:28

saying, hey, do you still have your Bitcoin?
9:28 - 9:29

I was like, what?
9:30 - 9:31

I don't know.
9:31 - 9:32

Let me go check.
9:32 - 9:34

So I have to go swim into my underwater cave,
9:34 - 9:37

feed the alligators, pop up, open the vault.
9:38 - 9:39

Yeah, it's still there.
9:40 - 9:40

Actually, it's not that hard.
9:41 - 9:43

You can just, if you know your addresses, you can just look.
9:43 - 9:47

But, yeah, my Bitcoin was there.
9:47 - 9:50

My money, you know, I don't know what money is,
9:50 - 9:53

but I like to think of Bitcoin as money that I like to use.
9:54 - 9:56

And I was like, dude, where's yours?
9:56 - 10:00

And they were like, it's not there anymore.
10:02 - 10:03

That sucks.
10:04 - 10:07

It's not, you know, you open your wallet and a dollar bill's there today.
10:07 - 10:09

And then tomorrow you look and it's not there.
10:09 - 10:11

You know, paper doesn't just evaporate.
10:11 - 10:13

Maybe it gets wet and disintegrates, but there's still remnants.
10:14 - 10:17

People put, like, ceramic disks in that stuff, you know.
10:17 - 10:19

And there's always a trace of where money went.
10:19 - 10:21

And on the blockchain, it's no different.
10:21 - 10:24

So, we saw that a bunch of money moved
10:24 - 10:28

and was consolidated.
10:29 - 10:33

And we knew two people in our social group.
10:33 - 10:36

You know, I don't have a lot of friends,
10:36 - 10:39

so this is like a large portion of my social network had been compromised.
10:40 - 10:44

And I was curious to understand how and why.
10:44 - 10:47

Maybe I'll never understand why, except for human greed.
10:47 - 10:50

But the how was very interesting for me,
10:50 - 10:52

because this is magic math,
10:52 - 10:54

and magic math is no different than regular math.
10:54 - 10:58

It just takes sometimes a little bit more for muggles like me to understand.
10:59 - 11:02

So, overall, we saw a 37-bitcoin move at this time.
11:03 - 11:06

And, you know, we saw that it wasn't just two people
11:06 - 11:08

that were in my friend's group.
11:09 - 11:10

We saw many other people.
11:11 - 11:13

So, a team forms, you know.
11:13 - 11:14

And we're not like the Avengers.
11:14 - 11:15

We don't have fancy suits.
11:15 - 11:19

I work in a garage in my house.
11:19 - 11:21

And other people work all over the world.
11:22 - 11:25

The good thing is we did have people
11:25 - 11:27

who knew how they generated their keys.
11:27 - 11:29

They knew how they stored them.
11:29 - 11:32

They knew the security models they were up against were...
11:32 - 11:33

They took precautions, let's say.
11:34 - 11:37

They weren't just downloading an app, running something on an online computer.
11:37 - 11:40

They were very tight about the attack surface
11:40 - 11:46

and generated keys and air-gapped machines
11:46 - 11:48

that had never touched the light of the internet,
11:48 - 11:52

running minimal Linux operating systems.
11:52 - 11:55

And so, it was very curious.
11:56 - 11:59

What we discovered in our research
11:59 - 12:04

was the common denominator was a software called LibBitcoin Explorer.
12:04 - 12:08

And so, you know, you try and understand how your well gets poisoned
12:08 - 12:10

and you look upstream
12:10 - 12:12

and, you know, or downstream.
12:12 - 12:15

We stand upon the shoulders of giants
12:15 - 12:17

and sometimes those giants just rot and die.
12:17 - 12:21

And in this case, we discovered some rot
12:21 - 12:26

and we decided to take a closer look at this software.
12:28 - 12:31

Now, LibBitcoin Explorer is kind of a random software.
12:31 - 12:34

And one of the questions some people were asking is, like,
12:34 - 12:38

well, how did these people even start using this software?
12:39 - 12:42

Well, they tried to do things by the book, literally.
12:42 - 12:46

The problem with dead trees is they don't get updated
12:46 - 12:48

as often as digital bits and bytes.
12:49 - 12:52

And what's true yesterday is not always true today.
12:52 - 12:56

So, when a book says something, generate a random seed
12:56 - 13:00

using operating system random number generator,
13:00 - 13:03

and your operating system is Linux, you feel like you have some guarantees
13:03 - 13:06

with a thousand eyes, all bugs are shallow,
13:06 - 13:11

or whatever that saying is.
13:12 - 13:15

Unfortunately, this turned out not to be true.
13:15 - 13:18

The bxseed command from LibBitcoin generates wallets
13:18 - 13:21

via the Mersenne Twister,
13:21 - 13:24

and it's not just a little dance here.
13:24 - 13:26

We're talking, like, you know, just numbers and stuff.
13:26 - 13:29

But numbers can dance, too, if you look at them right.
13:29 - 13:30

Some of them wiggle.
13:30 - 13:31

Some of them squirm.
13:32 - 13:35

And in this case, with this variant of Mersenne Twister,
13:35 - 13:38

this whole MT19937,
13:38 - 13:40

I'd be curious if anyone knows what that number is.
13:41 - 13:43

It's a prime number.
13:43 - 13:45

2 to the 119th.
13:45 - 13:48

Anyways, 32 bits of initial state
13:48 - 13:53

was all that was allowed in this implementation for generating random numbers.
13:53 - 13:56

Now, 32 bits seems like a number,
13:56 - 14:02

but it's not a very – it doesn't allow for a lot of possibility, possible outcomes.
14:02 - 14:05

And when we saw this, our heads kind of exploded
14:05 - 14:08

because we were expecting 256 bits of chaos and entropy
14:08 - 14:11

entering our little random number generator.
14:11 - 14:14

So, to not see that was a shock,
14:14 - 14:18

and definitely we felt like we were on the right track.
14:19 - 14:22

And so, you know, again, these numbers,
14:22 - 14:26

32 bits is a little over 4 billion.
14:26 - 14:29

And 128 bits is a little over 360 –
14:29 - 14:34

340 undecillion, I guess.
14:34 - 14:35

It's like 10 to the 36.
14:35 - 14:35

I don't know.
14:35 - 14:37

Undecillion is an interesting word.
14:38 - 14:41

In British English, it means something different.
14:42 - 14:44

And it also – yeah, anyways, look it up.
14:44 - 14:44

Undecillion.
14:44 - 14:48

But, yeah, so once an attacker knows your master key,
14:48 - 14:50

it's game over
14:50 - 14:54

because this whole key derivation stuff.
14:54 - 14:57

Like, once they know the initial state of how you derived all these other keys,
14:57 - 15:00

they can just walk down your path and check
15:00 - 15:04

and see if there's any cherries left over.
15:04 - 15:06

In this case, cherries are cryptocurrencies, you know, assets.
15:06 - 15:10

And so, theft is trivial.
15:11 - 15:14

With 32 bits, you can rent a cheap box at Hetzner.
15:14 - 15:18

You can have a gaming computer brute force this
15:18 - 15:20

in a matter of days, if not less.
15:20 - 15:24

And also, it's – this is not just Bitcoin.
15:25 - 15:28

People were using this, you know, for Ethereum,
15:28 - 15:31

a bunch of other cryptocurrencies,
15:31 - 15:33

and, yeah, it's – you know, maybe people were using it
15:33 - 15:36

for PGP, too.
15:36 - 15:37

I don't know.
15:37 - 15:40

But, anyways, we're talking about cryptocurrency here.
15:41 - 15:42

So, what did we do?
15:42 - 15:45

We saw an active exploit.
15:45 - 15:47

And by we, I mean the Milkside team.
15:48 - 15:50

We saw that this was happening in the wild.
15:50 - 15:53

We knew that this was – there was some entity
15:53 - 15:56

that was moving money,
15:56 - 15:58

and it wasn't the entity that was originally owning that money
15:58 - 16:00

or owning that currency.
16:01 - 16:04

So, with active exploits, we wanted to expedite
16:04 - 16:06

the disclosure process and inform the public
16:06 - 16:10

so they could have an informed decision what to do with their assets.
16:11 - 16:13

Now, you know, it's a social norm to do 90 days.
16:13 - 16:16

With Google Project Zero, they kind of set a standard for this
16:16 - 16:18

for, like, seven days if you see active in the wild.
16:18 - 16:21

And that's what we did.
16:22 - 16:22

We filed a CVE.
16:23 - 16:25

We did a detailed public write-out.
16:25 - 16:29

We reached the – you know, reached out to the maintainers of the software
16:29 - 16:33

and told them before we were doing this to have a coordinated disclosure.
16:33 - 16:36

They didn't see the world as we saw the world,
16:36 - 16:38

and that's okay.
16:38 - 16:40

But when people's money is on the line,
16:40 - 16:42

we had to make a choice,
16:42 - 16:47

and we decided to make the choice that made us sleep peacefully at night.
16:48 - 16:50

We wanted to tell the people to protect them.
16:50 - 16:54

And the name – I love the name Milk Sad.
16:55 - 16:57

I felt very sad when I learned about this,
16:57 - 16:59

and people didn't lose just, you know, their milk money.
17:00 - 17:00

They lost their savings.
17:01 - 17:04

They lost a belief in the rigidity
17:04 - 17:06

of a cryptocurrency system.
17:06 - 17:09

And that's a hard thing to build back.
17:09 - 17:12

When we first discovered that the initial state
17:12 - 17:14

was reproducible,
17:14 - 17:16

that we could generate the same mnemonic seed phrase
17:16 - 17:19

over and over again by setting some parameters
17:19 - 17:22

and depending supposedly on, like, system entropy
17:22 - 17:26

and getting the same mnemonic seed phrase,
17:26 - 17:30

we were kind of stunned.
17:30 - 17:33

And we realized, you know, kind of what the problem was,
17:33 - 17:36

everything else after that was just diving into the problem,
17:36 - 17:38

fully understanding it,
17:38 - 17:40

fully documenting it,
17:40 - 17:44

and preparing public disclosures for that.
17:46 - 17:49

We also, again, like, we were curious about how the attackers did this
17:49 - 17:52

and how big this problem was,
17:52 - 17:54

and was it just us using this software?
17:58 - 18:00

Or were there other softwares out there,
18:00 - 18:03

cryptocurrency wallet implementations that had similar issues?
18:03 - 18:06

Again, you don't need advanced degrees in cryptography.
18:06 - 18:09

You don't need specialized hardware to do what we did.
18:10 - 18:13

You just need to understand how these numbers work.
18:13 - 18:16

And once you understand initial PRNG seed states
18:16 - 18:18

for these systems,
18:18 - 18:22

you can simply enumerate over all the potential address space
18:22 - 18:26

that you want to spend time deriving
18:26 - 18:30

and checking if that address had ever been used on the blockchain.
18:30 - 18:33

And if so, you can see that address was vulnerable,
18:33 - 18:36

and that money was vulnerable,
18:36 - 18:39

and maybe it was stolen, maybe it wasn't.
18:40 - 18:43

But voila, you get answers to how much money
18:43 - 18:46

moved through these weak wallet systems.
18:46 - 18:50

This was a lot of time to dive through all the aftereffects
18:50 - 18:52

of this attack and exploit,
18:52 - 18:56

and we can still spend hours, days, months, years
18:56 - 19:01

diving into everything.
19:02 - 19:04

You can be your crypto sleuth like ZachXBT
19:04 - 19:07

and trace where all the money went.
19:07 - 19:08

We didn't do that.
19:09 - 19:13

You know, we didn't find all the answers to all the questions.
19:13 - 19:16

And, yeah, there's a lot of other coins out there,
19:16 - 19:21

cryptocurrencies that we could have looked at that we didn't.
19:22 - 19:26

Bitcoin, Ethereum, Doge, XRP,
19:26 - 19:28

these are all, like, cryptocurrencies,
19:28 - 19:34

and these are all systems that were affected by this compromise.
19:35 - 19:36

We're also not alone here.
19:36 - 19:39

There were other researchers that were working on this problem,
19:39 - 19:43

and from them we drew inspiration, and, in some ways, collaboration.
19:47 - 19:51

I don't know who here, any Drake fans here?
19:53 - 19:56

Okay, I feel sorry for the one person that raised their hand.
19:59 - 20:01

So, TrustWallet, not like us.
20:02 - 20:04

They didn't like the users in some ways.
20:04 - 20:06

They made some mistakes,
20:06 - 20:09

and not just one mistake.
20:09 - 20:12

They made multiple mistakes,
20:12 - 20:14

which is sad for the downstream users,
20:14 - 20:18

sad for the team that built this product and built a reputation around trust.
20:18 - 20:20

If I say, trust me, bro,
20:20 - 20:23

you're going to trust me, I'm sure.
20:23 - 20:24

Maybe, you know.
20:25 - 20:26

But probably not.
20:26 - 20:28

I'm just a stranger on the Internet most of the time.
20:28 - 20:33

And it's just, again, this is in the wild.
20:34 - 20:35

These weren't vulnerabilities we found.
20:35 - 20:36

These are just out there.
20:36 - 20:37

You can look them up.
20:39 - 20:42

And in this case, the PRNG was seeded with time,
20:42 - 20:44

which is really not a good idea.
20:44 - 20:46

Unix time starts in 1970,
20:46 - 20:48

and we're in 2024.
20:48 - 20:50

So, like, no matter what,
20:50 - 20:52

it's just not a lot of years to go through,
20:52 - 20:56

which is why I always set my clock 100 years in advance.
20:58 - 20:59

My plots are measured in centuries.
21:00 - 21:03

And just for this meme, you know, I don't know what Drake is all about.
21:03 - 21:06

He just is a super predictable person, though.
21:06 - 21:08

And he just doesn't like the good stuff.
21:08 - 21:09

He's just not like us.
21:09 - 21:11

So, we avoid him.
21:11 - 21:12

We try not to be like him.
21:12 - 21:14

I'm sorry if he's your idol.
21:15 - 21:16

This is my opinion.
21:16 - 21:20

I'm not speaking on behalf of the Milksed research team or anyone else here.
21:20 - 21:22

And if I offend you, I apologize.
21:22 - 21:25

I just like to be honest with myself and the audience.
21:26 - 21:28

But, yeah, what the highlights, you know?
21:28 - 21:29

We're done with Drake.
21:30 - 21:32

There were nine wallets that we discovered
21:32 - 21:36

with lots of money.
21:36 - 21:38

So, in cryptocurrency land, they call them whales.
21:39 - 21:42

And these whales had quite the dork of a wallet.
21:42 - 21:45

67,000-plus bitcoins.
21:46 - 21:48

Went through these wallets.
21:48 - 21:52

At the time, that's about a billion dollars.
21:52 - 21:57

At 20,000 U.S. dollars per Bitcoin.
21:58 - 22:00

Today, that's five times as much.
22:00 - 22:02

I think Bitcoin hovers around $100,000.
22:03 - 22:06

In my world, one Bitcoin will always equal one Bitcoin.
22:06 - 22:09

And everything else is everything else.
22:10 - 22:12

But, again, this shows you that it wasn't just retail,
22:12 - 22:15

random people reading books.
22:15 - 22:18

This was people who were spending a lot of time and energy,
22:18 - 22:22

had a lot of assets involved and vulnerable,
22:22 - 22:26

which was quite impressive and surprising.
22:26 - 22:28

We don't know what happened with this money.
22:28 - 22:31

We don't know if these people or entities
22:31 - 22:35

that had control of these wallets moved them safely.
22:35 - 22:36

We kind of assumed they did.
22:36 - 22:40

We don't know if they knew what was happening here in 2020.
22:41 - 22:43

Mind you, we discovered this issue in 2023.
22:43 - 22:44

So, it was three years later.
22:45 - 22:48

But, yeah, just kind of crazy.
22:48 - 22:53

That's a lot of money to just float around the Internet and be able to be grabbed.
22:54 - 22:55

Cake.
22:55 - 22:56

I like cake.
22:56 - 23:00

I hate when my cake has poison in it or razor blades.
23:00 - 23:03

If you ever eat an apple on Halloween, be careful.
23:03 - 23:04

Check it twice.
23:04 - 23:05

Some people are naughty.
23:05 - 23:06

Some people are nice.
23:07 - 23:09

And, in this case, Cake Wallet was not so nice.
23:11 - 23:16

You know, a lot of programming languages have, like, random SDKs.
23:16 - 23:20

It's just easy native library implementations where you can get randomness.
23:20 - 23:24

And, a lot of them don't have secure, cryptographically secure randomness
23:24 - 23:26

by default, which I find really awkward.
23:27 - 23:29

I think that's something we should talk about here.
23:29 - 23:33

Like, why don't we provide safe defaults
23:33 - 3:38

for all the programming languages as, you know, a primitive?
23:38 - 23:40

So, something to think about if you're developing languages.
23:41 - 23:43

Default to safety first, please.
23:43 - 23:46

And, yeah, we knew that this was insecure,
23:46 - 23:52

but a lot of people didn't know how or, you know, how to derive these addresses.
23:53 - 23:56

And, luckily, lead researcher Christian,
23:56 - 23:58

our knight in shining armor,
23:58 - 24:01

saw the puzzle and decided he needed to break it.
24:01 - 24:03

You know, he was kind of nerd-sniped by this.
24:03 - 24:07

And, a lot of us were not spending as much time
24:07 - 24:11

diving into Cake Wallet because we already were moving on to things.
24:11 - 24:15

But, the fixation Christian, you know, spent was well worth it.
24:16 - 24:20

He discovered that they weren't using 32 bits of seeding
24:20 - 24:23

when you expected 128 or 256.
24:24 - 24:26

They were actually using 20 bits.
24:27 - 24:31

You know, and 20 bits means I can almost do the calculations with my hands and toes.
24:32 - 24:34

But, I lost a lot of touch in my pinky toes
24:34 - 24:37

due to frostbite.
24:37 - 24:40

So, it would be difficult for me, but if you are talented
24:40 - 24:43

with all your digits, you can show me how to calculate stuff with them.
24:43 - 24:44

That would be super cool to do by nay.
24:45 - 24:47

But, 20 bits is not a lot.
24:47 - 24:48

So, easy to brute force.
24:49 - 24:54

And, Cake Wallet is a software product that a lot of people use.
24:54 - 24:55

It's great.
24:55 - 24:58

It has... It's not great.
24:58 - 24:58

I don't know.
24:58 - 24:59

I shouldn't say that.
24:59 - 25:01

It is what it is.
25:01 - 25:04

But, the cool thing about it is you can reach out to the users,
25:04 - 25:06

unlike open source projects, which is a little bit harder.
25:06 - 25:08

You know, you can send out something to the mailing list or not.
25:08 - 25:12

So, our team, Christian, reached out to Cake Wallet people,
25:12 - 25:14

and they're like, yeah, we'll throw a notification up,
25:14 - 25:16

and we'll tell people.
25:16 - 25:19

The problem is, people don't update their software.
25:19 - 25:20

They didn't get the notification.
25:21 - 25:23

They probably just set it and forget it, you know.
25:23 - 25:26

And, we waited six months
25:26 - 25:30

until we disclosed this issue.
25:31 - 25:34

Six months of just sitting there, hoping things were going to be good.
25:34 - 25:38

Two days after disclosure, the remaining funds
25:38 - 25:40

in those vulnerable wallets were removed.
25:41 - 25:46

We suspect they were removed by not the originators of those funds.
25:47 - 25:48

Sad times.
25:49 - 25:50

Sad times. Sad times.
25:52 - 25:55

So, back to our team and what we were up to.
25:56 - 25:58

There was a lot of debate, a lot of turmoil.
25:58 - 26:01

I would say, you know, I trust everyone that I worked with,
26:01 - 26:03

and you had to.
26:03 - 26:07

Because, when there's a big bag of money on the ground,
26:07 - 26:10

and anyone can just pull up and pick it up,
26:10 - 26:12

anyone in our team could have done this.
26:12 - 26:14

Anyone in the world who knew about this
26:14 - 26:16

could have done this, who reviewed the open source software.
26:17 - 26:19

And, you know, what do you do with that?
26:19 - 26:21

As a good Samaritan, you see
26:21 - 26:22

a 100-year-old note or something on the ground.
26:23 - 26:26

You might take it to the police station and say, hey, I found this money.
26:26 - 26:28

I don't know who it belongs to, but I'm sure they need it.
26:28 - 26:29

They want it.
26:29 - 26:32

But, in cryptocurrency land, how do you verify,
26:32 - 26:34

like, that indeed was the person that, you know,
26:34 - 26:37

how does anyone verify that that's their 100-year-old note?
26:37 - 26:40

It's kind of tricky.
26:40 - 26:42

Maybe there's CCTVs in the area.
26:42 - 26:44

You can see someone slip, you know, slip their glove,
26:44 - 26:47

and a dollar falls out or whatever.
26:47 - 26:49

But, in cryptocurrency land, it can be quite difficult.
26:50 - 26:53

And there's a lot of legal and tax implications.
26:53 - 26:56

And we come from many jurisdictions,
26:56 - 26:57

from Canada, the U.S., Germany.
26:58 - 27:01

I don't know where all our research team comes from,
27:01 - 27:04

but we definitely debated this, and it was a hot topic.
27:06 - 27:11

Another hot topic was, do we open source the code that we use to derive these addresses?
27:11 - 27:12

Do we share it with the world?
27:13 - 27:14

We're proud of the work we did.
27:14 - 27:15

We spent a lot of hours.
27:15 - 27:18

We spent a lot of time working together,
27:18 - 27:21

making sure we understood the scope of some of these issues.
27:22 - 27:25

And we didn't get unanimous consent
27:25 - 27:28

to release all the source code.
27:28 - 27:30

We had a lot of disagreements.
27:31 - 27:33

There's some people who live and die
27:33 - 27:36

by the open source sword in our social group, in our research team.
27:36 - 27:40

And to them, it was a tragedy to not share this with the commons.
27:40 - 27:44

And then there was others who just don't want to give people
27:44 - 27:48

who don't want to spend the time understanding the situation,
27:48 - 27:52

even if they have bad intent, easy resources to do this for cryptocurrencies
27:52 - 27:56

and extend it to other potential networks
27:56 - 28:00

that might not have been compromised in the initial attack.
28:00 - 28:03

So, again, it was a tricky situation.
28:04 - 28:07

We wanted to share some things with the public.
28:07 - 28:09

We didn't want to share everything with the public.
28:09 - 28:12

We did allow people to look up to see
28:12 - 28:15

if they had compromised mnemonic seed phrases.
28:16 - 28:18

You could go to a website, provide a SHA-256 hash
28:18 - 28:22

of the seed phrase, and check to see
28:22 - 28:24

if it was in our database.
28:25 - 28:28

Obviously, that was even discussed internally,
28:28 - 28:31

because what if people put their entire seed phrase in there and then blame us for being compromised?
28:32 - 28:35

And that is a tricky, sticky situation.
28:35 - 28:38

But we did want to provide some type of public service
28:38 - 28:41

for people to check before they swept their funds.
28:41 - 28:44

But, yeah, some numbers,
28:44 - 28:48

lots of money through this.
28:48 - 28:50

This isn't money that was necessarily stolen.
28:51 - 28:54

This, and by money, I just mean Bitcoin,
28:54 - 28:55

or, you know, that's what we're looking at here.
28:56 - 29:01

But these are Bitcoins that move through compromised wallets that could have been stolen at any point in time.
29:01 - 29:04

And I just find that fascinating.
29:04 - 29:06

This is world-changing money.
29:06 - 29:09

This can fund your nuclear arsenal.
29:09 - 29:12

This can buy you many islands
29:12 - 29:14

or politicians or Twitters or whatever.
29:14 - 29:15

Actually, maybe not Twitters.
29:15 - 29:15

I don't know.
29:15 - 29:16

It depends on the price.
29:17 - 29:19

But, yeah, this is a lot.
29:19 - 29:22

And it was crazy to see so much of this asset
29:22 - 29:25

go through weak systems.
29:25 - 29:29

It just felt weird.
29:31 - 29:31

What can you do?
29:32 - 29:33

That's a good question.
29:33 - 29:35

As a developer, how can you protect yourself?
29:36 - 29:38

How can you protect the people you're building software for?
29:38 - 29:40

A lot of us are building software for people.
29:42 - 29:45

Sometimes people are building software for, like, robots
29:45 - 29:47

and stuff and non-peoples.
29:47 - 29:49

But that's also great.
29:49 - 29:51

You should still protect those entities as well.
29:52 - 29:53

Question everything.
29:53 - 29:55

My mom always told me to question authority.
29:55 - 29:58

And I carry that with me everywhere I go.
29:58 - 30:00

I really doubt everything I see.
30:01 - 30:04

And really have to strive for understanding
30:04 - 30:07

to feel confident and comfortable
30:07 - 30:11

to use technology that I would use in a secure system.
30:11 - 30:14

And when I'm building software, I always like to check it twice.
30:14 - 30:16

I like to get it externally audited.
30:16 - 30:18

And, you know, when you're using randomness,
30:18 - 30:20

make sure you're not just doing silly mistakes.
30:20 - 30:24

And this is a question of how we get people
30:24 - 30:28

to break this cycle of repeating the same mistake over and over again.
30:28 - 30:31

So, as the average user, if you entrust your money to software,
30:31 - 30:34

if you entrust critical things like your privacy to software systems,
30:34 - 30:38

demand security audits, you know, request them,
30:38 - 30:40

demand them, pay for them.
30:44 - 30:47

Do what you can to help the systems
30:47 - 30:50

keep your stack updated.
30:50 - 30:51

So, again, this is not a full enumeration.
30:51 - 30:54

These are just useful, you know, things I find useful.
30:54 - 30:58

One thing to note with the BIP39 setup mnemonic seed phrase
30:58 - 31:01

is if people added a password, which is part of the BIP39 spec,
31:01 - 31:04

a passphrase, to their setup, they probably wouldn't have been compromised
31:04 - 31:08

in the initial attack.
31:09 - 31:13

People, the attackers would have had to try and crack the password
31:13 - 31:17

in order to then enumerate all of the downstream addresses.
31:17 - 31:20

So, that was something interesting about this particular incident
31:20 - 31:24

is some people were protected just by adding that simple passphrase.
31:25 - 31:28

But, yeah, open source is great,
31:28 - 31:32

but it doesn't guarantee safety, as we all know.
31:33 - 31:36

In conclusion, chaos is required for some things
31:36 - 31:39

in compute and in life, as we know in the Chaos Congress.
31:39 - 31:42

There's often good chaos everywhere,
31:42 - 31:45

and you try to avoid the bad chaos.
31:46 - 31:46

Be careful.
31:47 - 31:51

It is used everywhere in passwords, session tokens, all this stuff.
31:52 - 31:54

Try not to let it happen to you.
31:54 - 31:57

Try to understand and do your research
31:57 - 32:01

and do what you can to build confidence in the technology you're using,
32:01 - 32:04

and that's for everything.
32:05 - 32:06

Where do we go from here?
32:06 - 32:10

Well, we spent a lot of work proving over 20,000 weak wallets
32:10 - 32:12

existed in the cryptocurrency space.
32:13 - 32:16

A lot of us have full-time jobs, families,
32:16 - 32:19

mouths to feed, breaks to take, you know, sleep.
32:20 - 32:23

And so, we're doing a bunch of other things,
32:23 - 32:25

but we're still very interested in this area,
32:25 - 32:27

and there's a lot of research and investigations that can still happen here.
32:27 - 32:31

So, we're constantly pushing out updates,
32:31 - 32:36

and by we, I typically mean Christian, but the lead researcher.
32:36 - 32:40

If you have anything interesting or, you know, comments or feedback
32:40 - 32:42

or you want to learn more,
32:42 - 32:44

always feel free to reach out to us.
32:44 - 32:46

And we're hosting a longer Q&A session
32:46 - 32:50

with the research team.
32:50 - 32:53

You know, I'm just a puppet here being pulled by the slides,
32:53 - 32:56

but if you want to meet more of us, please do so.
33:00 - 33:02

We'll be in Sol 6, which is, I think, a floor below us,
33:02 - 33:05

and love to see your faces,
33:05 - 33:07

love to talk to you about this problem
33:07 - 33:12

and find solutions that can really break the cycle
33:12 - 33:15

of bad entropy in good intended systems.
33:16 - 33:17

Also, shout-out to Mo at Millieways.
33:19 - 33:21

These slides and the template come from him,
33:21 - 33:24

and originally that was derived from the 38C3 design team,
33:24 - 33:26

and I just love the design.
33:27 - 33:30

So, thank you very much, everyone, for coming here
33:30 - 33:32

to listen to this talk,
33:32 - 33:36

and I'd love to field your questions for what I can answer
33:36 - 33:38

and for anything I can't,
33:38 - 33:41

I will just shepherd you downstairs to Sol 6.
33:52 - 33:54

John Nolte and the Milk Set team, thanks a lot for this research,
33:54 - 33:56

thanks a lot for the presentation,
33:56 - 33:59

thanks a lot for the disclosure.
34:01 - 34:03

Anybody coming up with questions?
34:03 - 34:04

I see some questions here.
34:04 - 34:05

However, hold on for a second.
34:05 - 34:08

We want to have a look at the internet.
34:08 - 34:09

Are there online questions?
34:10 - 34:11

Yeah, please.
34:13 - 34:16

The first question from the internet would be,
34:16 - 34:19

were all wallets using Mercy and Twister
34:19 - 34:22

to generate the seed at that point?
34:22 - 34:26

If not, how did the hackers identify the ones which did use it?
34:26 - 34:31

So, I don't know how the hackers identified the weak wallets in their systems,
34:31 - 34:34

but the answer to the first question is no.
34:38 - 34:39

They weren't all using Mercy and Twister.
34:40 - 34:44

You can look at the other implementations in our write-ups,
34:44 - 34:47

but yeah, there was a few implementations
34:47 - 34:53

and issues there.
34:53 - 34:57

Is there anything else from the internet?
34:57 - 34:59

Yes, we have one more.
34:59 - 35:04

The question is if this flaw is still out in the wild,
35:04 - 35:09

especially for non-Bitcoin cryptocurrencies.
35:09 - 35:14

Is the flaw still out in the wild?
35:14 - 35:16

Yeah, the software, you know,
35:16 - 35:18

once you publish the software version,
35:18 - 35:21

it's there forever, most of the time.
35:21 - 35:24

You know, there's people who archive all kinds of things,
35:24 - 35:26

so most things on the internet don't die.
35:28 - 35:30

What's dead can never die.
35:30 - 35:32

And as far as active exploits,
35:32 - 35:35

if you put money in one of these compromised wallets,
35:35 - 35:38

it'd be a fun game to see how fast it moves
35:38 - 35:42

by not your hands, not your system.
35:42 - 35:46

I assume now there's just people who are listening
35:46 - 35:48

or systems that are listening,
35:48 - 35:50

waiting for money to enter a weak wallet
35:50 - 35:53

and snatching that money immediately.
35:53 - 35:56

A fun game to play would be to see
35:56 - 35:58

if they pay more gas than the money's worth.
35:59 - 36:01

If they're sophisticated, they'll check that first.
36:01 - 36:03

If they're unsophisticated, they won't.
36:05 - 36:07

But yeah, it's definitely still active.
36:07 - 36:08

There's still these issues.
36:09 - 36:13

And there's, you know, systems that we haven't identified yet.
36:13 - 36:16

So that's still up in the open.
36:16 - 36:19

Okay, for everybody else in the room,
36:19 - 36:22

just line up at the microphones.
36:22 - 36:24

Therefore, microphone number three, please.
36:25 - 36:25

Thank you.
36:26 - 36:26

Great talk.
36:26 - 36:29

I would like to know whether this applies to Monero as well.
36:30 - 36:34

And have you looked into Microsoft Research Z3?
36:36 - 36:38

Answering second question first, I haven't.
36:38 - 36:40

I'd love to know what that is.
36:41 - 36:43

And so I'll mentally note that down,
36:43 - 36:45

but probably forget it.
36:45 - 36:47

So I'll try and write it down later.
36:48 - 36:49

But it's recorded.
36:49 - 36:51

So I'll just actually I'll just watch the recording.
36:52 - 36:56

But yeah, as far as Monero and other cryptocurrencies are compromised,
36:56 - 37:00

it's outside of the realm of cryptocurrencies.
37:01 - 37:06

It's more in the realm of the cryptographic implementation for the wallet is flawed.
37:06 - 37:11

And people were using these mnemonic seed phrases for all kinds of things, not just Bitcoin, not just Ethereum.
37:12 - 37:15

I don't know if we we didn't do any research in Monero.
37:15 - 37:19

So that's an interesting field for privacy coins.
37:20 - 37:22

I think we did see Zcash.
37:22 - 37:25

Not everyone like makes Zcash private, I guess.
37:25 - 37:29

So but but yeah, I would assume Monero
37:29 - 37:32

Monero wallets would be compromised
37:32 - 37:36

if they generated their their seeds with this software stack.
37:36 - 37:37

OK, thank you.
37:37 - 37:38

Thank you.
37:39 - 37:41

And again, microphone number three, please.
37:41 - 37:45

So using a non cryptographically secure pseudonym PRNG,
37:45 - 37:48

it's kind of a basic pentest finding.
37:49 - 37:51

At least that's what my experience in my professional deformation, I guess.
37:52 - 37:55

So I would be kind of scared when I see it
37:55 - 37:59

in software like like this, that's supposed to be all that that's supposed to be developed by competent developers.
38:00 - 38:03

Have people considered this to be a supply supply chain attack on the ecosystem?
38:03 - 38:08

I mean, a compromised supply chain, that's what happened here.
38:08 - 38:11

So, yeah, like the well was poisoned.
38:11 - 38:14

People trusted software and they stood upon the shoulders of giants
38:14 - 38:17

and they realized those giants didn't have a strong foundation
38:17 - 38:23

and everything they had kind of crumpled into dust.
38:23 - 38:26

So 110% supply chain problem,
38:26 - 38:30

definitely recommend having supply chain security solutions
38:30 - 38:34

to, you know, mitigate against this.
38:35 - 38:37

And that's where a lot of code review comes in.
38:38 - 38:42

But yeah, it was mostly like code review probably would have caught this.
38:42 - 38:45

It wasn't a fancy thing like no one compromised the build server
38:45 - 38:48

and there was a build release artifact published
38:48 - 38:50

that was at issue.
38:50 - 38:53

But the source code was clean, like SolarWinds or whatnot.
38:54 - 38:58

So, yeah, it was just bad code put into the system.
38:58 - 38:59

Flawed, I guess, code.
39:00 - 39:01

Maybe the, I don't know.
39:02 - 39:02

Yeah.
39:02 - 39:03

Okay.
39:03 - 39:05

Yeah, it's fair that I'm not that paranoid about it.
39:05 - 39:06

But yeah, shit happens.
39:06 - 39:07

Definitely be paranoid.
39:07 - 39:11

Every pull request is a potential input for compromise.
39:11 - 39:14

So, constant vigilance.
39:14 - 39:16

That's one of my favorite Harry Potter characters.
39:16 - 39:17

Mad-Eye Moody would say.
39:18 - 39:19

He was compromised.
39:19 - 39:21

Anyways, yeah, by a supply chain attack.
39:22 - 39:23

But yeah, cool.
39:23 - 39:24

Any other questions?
39:24 - 39:25

No, thanks.
39:26 - 39:28

Well, in here, microphones are empty.
39:28 - 39:29

What about the internet?
39:29 - 39:30

Some more questions from there?
39:30 - 39:00

No.
39:31 - 39:35

Anybody interested in anything particular here from John?
39:37 - 39:37

No?
39:38 - 39:41

Well, then, let's thank John again for this.
39:41 - 39:46

clap
39:46 - 39:51

♪ (38C3 outro) ♪
39:51 - 39:52

[Transcribed by Pekka P]
39:52 - 39:54

(KYBS2004 course assignment at JYU.FI)

Title:: 38C3 - Dude, Where's My Crypto? - Real World Impact of Weak Cryptocurrency Keys
Description:: We present Milksad, our research on a class of vulnerabilities that exposed over a billion dollars worth of cryptocurrency to anyone willing to 'crunch the numbers'.
The fatal flaw? Not enough chaos.

more » « less
Video Language:: English
Duration:: 39:55

	tfuhk edited English subtitles for 38C3 - Dude, Where's My Crypto? - Real World Impact of Weak Cryptocurrency Keys
	tfuhk edited English subtitles for 38C3 - Dude, Where's My Crypto? - Real World Impact of Weak Cryptocurrency Keys
	tfuhk edited English subtitles for 38C3 - Dude, Where's My Crypto? - Real World Impact of Weak Cryptocurrency Keys
	tfuhk edited English subtitles for 38C3 - Dude, Where's My Crypto? - Real World Impact of Weak Cryptocurrency Keys
	tfuhk edited English subtitles for 38C3 - Dude, Where's My Crypto? - Real World Impact of Weak Cryptocurrency Keys
	tfuhk edited English subtitles for 38C3 - Dude, Where's My Crypto? - Real World Impact of Weak Cryptocurrency Keys
	tfuhk edited English subtitles for 38C3 - Dude, Where's My Crypto? - Real World Impact of Weak Cryptocurrency Keys
	C3Subtitles edited English subtitles for 38C3 - Dude, Where's My Crypto? - Real World Impact of Weak Cryptocurrency Keys

English subtitles

Incomplete

Revisions Compare revisions

Revision 8 Edited

tfuhk
Revision 7 Uploaded

tfuhk
Revision 6 Uploaded

tfuhk
Revision 5 Uploaded

tfuhk
Revision 4 Edited

tfuhk
Revision 3 Edited

tfuhk
Revision 2 Uploaded

tfuhk
Revision 1 API

C3Subtitles

	Revision Number	Author	Created
	8	tfuhk
	7	tfuhk
	6	tfuhk
	5	tfuhk
	4	tfuhk
	3	tfuhk
	2	tfuhk
	1	C3Subtitles

38C3 - Dude, Where's My Crypto? - Real World Impact of Weak Cryptocurrency Keys

Revisions Compare revisions

Our website uses cookies

Operating cookies (Required)