I agree with McAfee here. Just because they accessed something they weren't supposed to, doesn't mean it was hacked. The system fails when someone gets access to the coins, because that's what the system was designed to protect. I'm not claiming McAfee is correct about anything else, or that the system really is secure, but the point stands that a system designed to secure coins, can only be considered a failure if you manage to extract coins.
Then perhaps I'm naive about how all this works. But to me there's a difference between accessing keys, and accessing funds. Are these the exact keys, in the exact format, that someone could use to access the coins? For example, if someone were to "hack" my site, and get access to hashed passwords, this would be seen as a breach, and my system would be described as insecure (which is fair), and it could cause issues for people, but getting a hashed password is not the same as getting a plain text password. Are the keys they recovered from the device the equivalent of a plain text password, or a hashed password? Let's say I create a hardware wallet that stores 2 keys (123 and 456), and it uses those two keys to create a private key by doing stuff to it. So 123 and 456 create the pk 132435. Of course this is a terrible system, and not safe at all, but my point is, accessing 123 and 456, is not the same as accessing the actual pk (132435).
The article makes it super unclear whether or not you can steal the coins. Somebody is obviously trying to muddy the water, but I can't tell if it is McAfee or the researchers.
If it is McAfee, he is doing an excellent job, judging by the other comments in this thread.
I think it could be heaps clearer. To almost everyone outside of a small slice of people in the world, there's a bit difference between "The wallet was hacked and funds were successfully removed from it", and "The wallet was hacked and a key and salt were recovered".
Just because something CAN be done, that doesn't mean it's trivial. Someone's PK "can" be guessed, it's just incredibly unlikely. So for people, like myself, not 100% knowledgable on this type of tech, if someone goes through all the trouble to get the keys, but doesn't complete the final step of actually removing coins, it looks like either for some reason they can't or they are just completely naive and assuming everyone else knows exactly what they've done.
Well, that's the researcher's claim. The article also presents Bitfi's claim which says the exact opposite, and makes no effort to debunk one or the other. Hence my confusion.
Since knowledge of the salt and passphrase is sufficient to generate all the private keys needed to conduct transactions, the ability to extract those values is equivalent to being able to take any associated coins.
Additionally, the design allows for offline passphrase guessing attacks to be run by anyone without having to directly attack any particular wallet. They managed to re-invent brain wallets with a somewhat better (but still bad) KDF - WarpWallet's better.
If the device is used, then left unattended, the coins can be taken. If it's powered on, there's a reliable cold boot attack. If it's powered off, a backdoor can be installed that will exfiltrate the salt and passphrase on next use.
The original bounty offered was a sham - the sole "valid" attack vector was extracting key material from a device that had been used once and then shipped powered off (in most cases that I'm aware of, with a dead battery), and never had the passphrase entered into it again.
It looks to me like there's no way to make these things secure without a full product recall.
(I'm the researcher who wrote the tooling to automatically identify the salt and passphrase given a memory dump)
11 comments
[ 2.7 ms ] story [ 41.1 ms ] threadAs the article says, the keys have been recovered from a Bitfi, allowing access to the funds.
I am not sure what else you require for it to be called hacked.
https://rya.nc/bitfi-wallet.html
That particular version of the code doesn't print the private key, but it can be trivially modified to do so.
We demonstrated using the salt and passphrase to extract coins from wallets without the hardware several weeks ago.
If it is McAfee, he is doing an excellent job, judging by the other comments in this thread.
Not sure how much clearer it can be stated.
Just because something CAN be done, that doesn't mean it's trivial. Someone's PK "can" be guessed, it's just incredibly unlikely. So for people, like myself, not 100% knowledgable on this type of tech, if someone goes through all the trouble to get the keys, but doesn't complete the final step of actually removing coins, it looks like either for some reason they can't or they are just completely naive and assuming everyone else knows exactly what they've done.
Additionally, the design allows for offline passphrase guessing attacks to be run by anyone without having to directly attack any particular wallet. They managed to re-invent brain wallets with a somewhat better (but still bad) KDF - WarpWallet's better.
If the device is used, then left unattended, the coins can be taken. If it's powered on, there's a reliable cold boot attack. If it's powered off, a backdoor can be installed that will exfiltrate the salt and passphrase on next use.
The original bounty offered was a sham - the sole "valid" attack vector was extracting key material from a device that had been used once and then shipped powered off (in most cases that I'm aware of, with a dead battery), and never had the passphrase entered into it again.
It looks to me like there's no way to make these things secure without a full product recall.
(I'm the researcher who wrote the tooling to automatically identify the salt and passphrase given a memory dump)