Blockchain bandits clear out weakly protected Ethereum addresses
Sand. Image by Vilmos Vincze via Flickr.com. License: Creative Commons
Are addresses always safe? Only if the private key behind them is good. A security researcher shows how a hacker was able to steal several tens of thousands of ether because private keys were too weak.
An article in WIRED reports on Adrian Bednarek, a security advisor who has dealt with Ethereum. Bednarek tried to find out what weaknesses Ethereum might have. More or less for fun, he started with a very trivial method: he looked at what happens when you use a private key that has the value “1”.
One should know that a private key in Ethereum is a 78-digit number. A wallet usually chooses it at random and calculates the address from it. If the private key is truly random, it is impossible to crack such an address. Bednarek compares the chance of finding a private key to picking a grain of sand on a beach and later asking a friend to pick up the same grain of sand by chance. It is almost impossible, as if you were to win the lottery jackpot a dozen times in a row.
But that only applies if the private key is random. If, on the other hand, it has the value “1”, as tested by Bednarek, the ether stored on the address is hardly protected. To his surprise, he found that the address derived from the private key “1” had once stored ether. The coins had long since been transferred away; the consultant assumes that it was a thief who had the same idea as he had.
This chance find aroused his curiosity. He tried private keys 2, 3, 4 and so on – and found the same result: an address on which ether was once stored, but which had already been emptied. So he started to automate the method and try out a few billion keys. The results throw a shocking light on security practice at Ethereum: he discovered a few hundred easy-to-guess private keys – and a “blockchain bandit” that had emptied all of these addresses. Around 45,000 ether – currently just under 7 million euros – were stolen in this way.
In order to track the bandits, Bednarek transferred ether worth a dollar to an address with a weak key that had already been emptied. The ether was moved on within a few seconds. Then he transferred a dollar to a new, weak address. This was also cleared within seconds, this time by another bandit. Shortly afterwards Bednarek saw that the first bandit had tried to transfer the coins too, but the other had beaten him to it by milliseconds. This indicates that there are several bandits that invest a lot of computing power to scan the Ethereum blockchain for weak addresses.
He cannot say who the bandit is. WIRED quotes him as being “not surprised if a state actor is behind it, such as North Korea, but that’s speculation.” Likewise, he can only speculate about how ether of not inconsiderable value ended up on such poorly protected addresses. The wallets may have a bug in key generation; the software may also have been manipulated in order to create weak keys. Perhaps the users selected the private key themselves, or maybe they created a brainwallet in a careless way.
With a brainwallet, the private key – or the seed phrase from which it is derived – is neither written down nor stored, but only memorized. This tempts users to choose simple keys. An author on our blog warned in 2014 about the dangers of brainwallets at Bitcoin:
Every year tech magazines publish a list of the most popular passwords. Some of them are shockingly imaginative: 123456, Password1, Iloveyou, and so on. This is okay if you register a disposable email address or register with a forum to make a single comment. But it’s absolutely not okay when you set up a brainwallet. You could just as well send your bitcoins to the address 1BitcoinEaterAddressDontSendf59kuE.
When researching this article, I used Brainwallet.org to guess some private keys. I just entered a few phrases that I thought someone might have used. Within a few minutes I had a list of private keys to addresses that actually had bitcoins. The passphrases were, for example:
Bitcoin
password
password1
1234
These addresses are now empty. Why? I hope because the owners have transferred the bitcoins to a safer place. But it is more likely that they have been stolen. There are bots that carry out sophisticated dictionary attacks. As soon as such addresses receive bitcoins, they are transferred to other addresses. If you want to test it, just transfer a tiny Bitcoin amount to such an address … You won’t have to wait long to watch the bots in action.
So the phenomenon is not necessarily new. But it is a reminder of what happens in the background: machines run around the clock to react at lightning speed when a user makes a mistake. So it is appropriate to exercise caution.
But it is not only brainwallets that are in danger. Wallets that have a flaw in the algorithm with which they generate the private key can also be a risk. For example, the “Large Bitcoin Collider” tried to crack addresses on the Bitcoin blockchain indiscriminately. In an interview, the operator explains that the theoretical security that a Bitcoin address should offer is not entirely found in practice, but without being able to give a reason – and he speculates that there will be ASIC miners in the future that will not try to generate a new Bitcoin block, but to crack addresses.
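A wallet-side sanity check for the failure modes described above (tiny keys such as 1, 2, 3, brainwallet passphrases, a broken generator), as an added example that is not code from the article or from any wallet. The function names, the `MIN_BITS` threshold and the sample passphrase list are assumptions, as is the brainwallet scheme modelled here (private key = SHA-256 of the passphrase).

```python
import hashlib
import secrets

# Order n of the secp256k1 group; a valid private key is an integer in [1, n-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Constructed sample denylist: passphrases quoted in this article. A real
# wallet would use a much larger list of leaked passwords.
COMMON_PASSPHRASES = ["Bitcoin", "password", "password1", "1234",
                      "123456", "Password1", "Iloveyou"]

MIN_BITS = 200  # assumption: a random key is shorter with probability 2**-56


def audit_private_key(key: bytes) -> list[str]:
    """Return reasons why `key` looks guessable (empty list = no red flag).

    Passing is necessary, not sufficient: only a sound CSPRNG gives safety.
    """
    if len(key) != 32:
        return ["wrong-length"]
    k = int.from_bytes(key, "big")
    if not 1 <= k < SECP256K1_N:
        return ["out-of-range"]
    findings = []
    # Keys such as 1, 2, 3 ... sit at the bottom of the key space.
    if k.bit_length() < MIN_BITS:
        findings.append("small-integer")
    # n-1, n-2 ... are just as easy to enumerate from the top.
    if (SECP256K1_N - k).bit_length() < MIN_BITS:
        findings.append("close-to-group-order")
    # Repeating patterns like 0x4141...41 hint at a broken generator.
    if len(set(key)) <= 4:
        findings.append("low-byte-diversity")
    # Brainwallet check: key equals SHA-256 of a known passphrase.
    for phrase in COMMON_PASSPHRASES:
        for variant in {phrase, phrase.lower(), phrase.upper()}:
            if hashlib.sha256(variant.encode()).digest() == key:
                findings.append(f"brainwallet:{phrase}")
    return findings


def generate_private_key() -> bytes:
    """Draw 32 bytes from the OS CSPRNG and retry if the audit objects."""
    while True:
        key = secrets.token_bytes(32)
        if not audit_private_key(key):
            return key
```
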
