Blockchain bandits plunder weak wallets.
Saturday, June 1, 2019
Adrian Bednarek is a senior research analyst at Independent Security Evaluators. He and his colleagues looked at weak private cryptocurrency keys on the Ethereum blockchain in an attempt to discover how and why they are being generated as well as how bad actors are taking advantage of them.
The original research is here:
Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire’s Research Saturday, presented by Juniper Networks. I’m Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dave Bittner: [00:00:26] And now a word about our sponsor, Juniper Networks. Organizations are constantly evolving and increasingly turning to multicloud to transform IT. Juniper’s connected security gives organizations the ability to safeguard users, applications, and infrastructure by extending security to all points of connection across the network. Helping defend you against advanced threats, Juniper’s connected security is also open, so you can build on the security solutions and infrastructure you already have. Secure your entire business, from your endpoints to your edge, and every cloud in between, with Juniper’s connected security. Connect with Juniper on Twitter or Facebook. And we thank Juniper for making it possible to bring you Research Saturday.
Dave Bittner: [00:01:13] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It’s the industry’s first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data – all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.
Adrian Bednarek: [00:01:53] I’m a security analyst, and one of our clients was doing a blockchain-based solution.
Dave Bittner: [00:01:58] That’s Adrian Bednarek. He’s a senior security analyst at Independent Security Evaluators. The research we’re discussing today is titled, “Ethercombing: Finding Secrets in Popular Places.”
Adrian Bednarek: [00:02:10] And as a security analyst, we have to understand all components that make up the blockchain and how a bad guy could abuse it. One of those things was an Ethereum public address on the private key. Basically, the way you interact with the blockchain is you have a secret, which is known as a private key. If you’re the holder of that private key, you can commit funds to the blockchain and you can take funds out. So, basically, the private key is basically like a PIN number to your bank account. If anybody is able to get that private key, they can steal your funds. So, I was researching one day how exactly your private key is generated, and during my research, I found that people were using the private key of 1. The private key is supposed to be 78 digits long…
Dave Bittner: [00:02:58] (Laughs)
Adrian Bednarek: [00:02:58] …But, , you know,, somebody decided, hey, let’s use 77 digits, all of those being zero, and then the last digit is 1.
Dave Bittner: [00:03:03] Huh.
Adrian Bednarek: [00:03:03] So, effectively, they had the private key of 1. And if you go in and look at that address that’s generated from a private key of 1, you’ll see that there’s thousands of transactions committed to that key. So there’s been lots of people, like, interacting and colliding using this shared private key, basically.
Dave Bittner: [00:03:19] Is that private key of one – is your sense that that was created accidentally or intentionally?
Adrian Bednarek: [00:03:25] I think it’s a mixture of both. It’s hard to say exactly what caused this, because all we have is the evidence. We can’t reconstruct time backwards and say what exactly caused this. I suppose it’s just somebody else like me that was playing around, and they’re like, hey, can I actually send money to this, and will it get stolen? So, curious people sent money here, sometimes maybe developers were testing some code, and they were like, I don’t want to generate a 78-digit number, I’ll just use the private key of 1.
Adrian Bednarek: [00:03:51] So, it’s likely that there’s just a bunch of test code, and possibly a wallet that was out there was somehow generating a private key of 1 for people. There is a lot of transactions behind it, and that’s unusual. So, we decided to look at other private keys. Like, we were like, is 2 used? And we found that, yes. So we went to, like, 3, 4, 5, 6, 7, 8. We found pretty much all of them were used. So, we were like, okay, this is an interesting issue.
Dave Bittner: [00:04:16] Because if you were generating truly random keys, then that would not be what you would expect to find.
Adrian Bednarek: [00:04:23] Absolutely. So, here’s, like, a rabbit hole I dove down. Scanning each key manually took, you know, a minute or two at a time. I was like, I need to scan a lot of keys, like, more than I can do manually. So, I automated the scanning technique, and I ran it on lots of computers up in the cloud. And I was able to scan 4 billion keys, you know, within an eight-hour period. And I found that, within that 4 billion key range, I found, you know, a few hundred keys. So, I was like, okay, this is interesting. I scanned a lot of keys, and I found a lot more keys that I could interact with. So then I wanted to scan a lot more ranges within the private key space of a private address. And the total sum of the addresses we found that we were able to basically interact with were 732.
Dave Bittner: [00:05:15] Now, when you say, “interact with,” when you have the private key, does that give you complete control over that account?
Adrian Bednarek: [00:05:21] Yes. Basically, you become the owner of that account. It becomes like a shared bank account with whoever else has the private key.
Dave Bittner: [00:05:26] I see. So you can put funds in, you can take funds out…
Adrian Bednarek: [00:05:30] Yep.
Dave Bittner: [00:05:30] …But, again, it shouldn’t be this easy to stumble across these private keys.
Adrian Bednarek: [00:05:35] Right. So there’s an issue, we don’t know what is, and then we kind of went down another rabbit hole. We kind of started investigating like some of the weirder private keys. Like, say, “80000” was a private key that was used. We kind of looked at it, then we said, who’s using this key, where did the money come from, where is the money going? And then we saw that there was a few inbound transactions, thousands of dollars, if not more. It wasn’t too significant. But we saw that there was an outbound transaction to a guy that was holding like 45,000 units of Ethereum. Which was a significant amount. In present day value, that’s almost eight million dollars.
Adrian Bednarek: [00:06:12] So we kind of looked around and saw that this guy was also interacting with more than just that single private key that we had shared knowledge of. He was interacting with, I believe it was like between eight and twelve private keys. So this guy was doing the exact same thing, but he was a lot more successful at it.
Dave Bittner: [00:06:28] So you suppose that, like you, he had stumbled upon or, I guess, even bruteforced his way into finding some private keys, and was he just standing by and waiting for something to go into these accounts, and then he would take it out quickly?
Adrian Bednarek: [00:06:42] So there’s multiple interesting things with this person. We kind of dubbed him the “blockchainbandit,” because we didn’t know what to call him. Might not be a single person, it could be an entity – we have no idea who it is. Hopefully, you know, once public awareness reaches a certain level, then maybe some people might, you know, infer who that might be. But this person has basically held onto the stolen loot without actually withdrawing any of it. He made some withdrawals in May of 2017. And those were pretty small. He only withdrew seventy thousand dollars worth. Between May of 2017 and June of 2018 – that’s when the crypto bubble, like, really took off. Bitcoin was worth $20,000, Ethereum went to, like, $1,300. This person or entity was worth $54 million in January of 2018.
Dave Bittner: [00:07:27] Hmm.
Dave Bittner: [00:07:28] Between that time, he really didn’t sell anything off, which is interesting, because I guess his penance for stealing all of this was participating in the crypto crash and, you know… (Laughs).
Adrian Bednarek: [00:07:36] …This person or entity saw their $54 million dollars dwindle down to, you know, a paltry $7.7 million dollars right now.
Dave Bittner: [00:07:46] Hmm, easy come easy go, right? (Laughs)
Adrian Bednarek: [00:07:47] (Laughs) Exactly.
Dave Bittner: [00:07:49] Wow. So, what else do you think could be at play here? I mean, the first thing that I think of is, could this be some sort of method for laundering money?
Adrian Bednarek: [00:07:57] There’s a lot of weird things going on in the blockchain space, because some of the coins provide anonymity, so – where you could use it for malicious activities like laundering money, buying goods that you shouldn’t be able to buy, and things like that.
Adrian Bednarek: [00:08:10] But the other interesting thing about this crypto bandit is, we tried two experiments: one, we sent a dollar to a private key we both interacted with in the past, just to see how long it would take to steal it. And we sent him a dollar to a private key we both had shared knowledge of, and that disappeared within, like, two seconds.
Dave Bittner: [00:08:29] Oh, wow.
Adrian Bednarek: [00:08:29] I sent a dollar in, I refreshed the page to see what the balance was, and it was immediately gone.
Dave Bittner: [00:08:35] Easy come, easy go, right? There you go. (Laughs)
Adrian Bednarek: [00:08:37] Yeah, exactly. And I could see that it went to this crypto bandit guy. So I was like, okay, that’s interesting. So then we sent a dollar to a brand new address that is likely to be a weak key. So, it’s an address that’s never been used before. It’s a brand new account. But it’s using what we’d consider a weak private key.
Dave Bittner: [00:08:57] Would you consider to be a weak private key?
Adrian Bednarek: [00:09:00] So, a strong private key would be a random 78-digit number. For a weak private key, we just used a 10-digit number.
Dave Bittner: [00:09:07] Okay.
Adrian Bednarek: [00:09:07] So, we sent a dollar there. We expected, you know, to maybe wait a few minutes, maybe hours or days, for the dollar to disappear. But we were surprised, and the guy immediately stole it again, within seconds.
Dave Bittner: [00:09:19] The same guy.
Adrian Bednarek: [00:09:20] Yep.
Dave Bittner: [00:09:20] OK. Connect the dots for me there.
Adrian Bednarek: [00:09:22] With a catch though. So, this brand new address – there were three people that attempted to take the money out, because when you interact with a blockchain, you say, hey, I want to take some money out. The first person to do so successfully gets the money. So, three separate people tried to take money out. One of them was the crypto bandit, but he was a few milliseconds too slow. Like, somebody else snaked him, and got the dollar first.
Adrian Bednarek: [00:09:46] So there’s basically a minefield, or, I don’t know, booby traps set on weak private keys, where just groups or entities or people watching key spaces where weak random keys exist, and they basically immediately monitor transactions coming into those keys and they immediately take money out.
Dave Bittner: [00:10:05] Well, help me understand, because if this was a brand new account on this blockchain that hadn’t previously existed…
Adrian Bednarek: [00:10:13] Mm-hmm.
Dave Bittner: [00:10:12] …When you spin up the account, does some sort of notice go out, or is there a method by which they can just be pinging the network and checking to see if an account with this week private key has been created?
Adrian Bednarek: [00:10:25] That’s a good point. Here’s another interesting misconception people have about the blockchain, you know…
Dave Bittner: [00:10:29] Yeah.
Adrian Bednarek: [00:10:30] …A lot of people think that when you create an account on the blockchain, it’s like kind of going into your bank, and you create a new account, you get your number, and then you can interact with it. That’s not really the case – the account is created automatically when you send money into it…
Dave Bittner: [00:10:44] Hmm.
Adrian Bednarek: [00:10:44] …Which is kind of strange to think about. But basically, as soon as we sent a dollar to a new account generated from a private key that was never used before, that transaction was then recorded on the blockchain. That was the first time that account would appear on the blockchain, is with that transfer of a dollar. And somehow these people were monitoring it, and they saw, hey, this account I have the private key to, therefore I can steal the money out of it. And they did so within 200 milliseconds.
Dave Bittner: [00:11:16] So, do you suppose, I mean, they are out there generating these weak private keys, and then just monitoring for when they get used? Is that what’s going on?
Adrian Bednarek: [00:11:25] Yep, absolutely. So, we assume that they’re basically generating tons of weak private keys, creating a database of them. And if they see a transaction come in, they look up that transaction’s address in their database, and if that – if there’s a match, then they know they have the private key to it, therefore they can take the funds out of that account.
Dave Bittner: [00:11:45] Help me understand another component of this, because I’m fuzzy on it, which is, you have your private key and you have your public key – what’s going out on the blockchain for public consumption? Is it the public key that’s derived from the private key, or – do you follow my line of questioning here? How are they able to get to that private key?
Adrian Bednarek: [00:12:02] Basically, a transaction on the blockchain uses digital signatures. Basically, you sign a transaction using your private key…
Dave Bittner: [00:12:09] Hmm.
Adrian Bednarek: [00:12:09] …It creates a value that can then only be decrypted using your public key, which is publicly known. Therefore, it proves ownership, because if you send out an encrypted message, and you say, hey, use my public key to decrypt it, then therefore, the only person that created that message could be only the account holder of the private key. If that makes sense.
Dave Bittner: [00:12:32] Hmm. Yeah.
Adrian Bednarek: [00:12:32] It’s a little hard to wrap your head around, because basically you create a message using your private key, without revealing your private key…
Dave Bittner: [00:12:40] Right.
Adrian Bednarek: [00:12:41] …And people use that public key that’s derived from your private key to verify that your message was signed by your private key, without knowing your private key.
Dave Bittner: [00:12:50] I see.
Adrian Bednarek: [00:12:50] It’s kind of proving ownership of a transaction.
Dave Bittner: [00:12:54] Right. So, out there in the real world, why do you suppose some of these weak keys are getting spun up?
Adrian Bednarek: [00:13:01] There’s a lot of reasons. Some of them could be malicious wallets generating weak private keys on purpose. We’ve seen that – and a really good example of that was with IOTA coin, I-O-T-A, and that’s where a person maliciously compromised the random number generator to basically create deterministic private keys that only he could derive the knowledge of.
Dave Bittner: [00:13:26] Hmm.
Adrian Bednarek: [00:13:26] And the interesting thing was, his wallet was open-source, anybody could review it, but he made his code so convoluted and obfuscated that people really had a hard time reading it, so it was really hard to audit exactly what was going on. So, he got away with injecting malicious code into public code that was then used by people to create wallets, that then he was able to come back, you know, a few months later and basically robbed them blind, and I think he stole twenty-five million dollars worth of IOTA coin. And he got caught, and I think he’s sitting in a German prison right now.
Dave Bittner: [00:14:02] Yeah. All right.
Adrian Bednarek: [00:14:02] This is something that kinda unrolled within the past six months. So, you know, there could be malicious wallets. There could be coding errors. Like, some wallets could be generating really good random numbers that are 78-digits long, but in the way computers work and processors work, they might be using code that takes that 78-digit number and truncates it down to like a 6-digit number, or something like that. So it’s not using the full key once it goes to, you know, the magic that actually makes the wallet generation happen.
Adrian Bednarek: [00:14:32] And that’s about it. I mean, there could be developers that are just using test code. They’re just randomly putting in keys. Some wallets have the functionality of recovering your private key from a passphrase, but maybe some people misuse it and they actually put in the private key without knowing what’s going on. So, you know, the wallet asks for their private key, and they enter in, you know, 1000 or whatever.
Dave Bittner: [00:14:54] Hmm.
Adrian Bednarek: [00:14:55] There’s a lot of weird different reasons that these keys could exist, but it’s hard to say which one is the most prevalent. It’s probably a mixture and a combination of everything…
Dave Bittner: [00:15:05] Yeah.
Adrian Bednarek: [00:15:04] …That’s going on at the same time.
Dave Bittner: [00:15:07] Now, another thing that your research highlights here is the use of null strings, and how some folks have sort of, I guess maybe fallen into that trap. It seems maybe accidentally there’s been a good amount of funds lost by I guess some coding errors there. What’s going on with that one.
Adrian Bednarek: [00:15:24] Null strings refers to brain wallets. Brain wallets are basically using passphrases to generate a private key. If you use a brain wallet and you use the passphrase “ABC123” for your wallet, then if another person uses that same passphrase “ABC123,” then both of you have access to each other’s funds. You’ve basically collided wallets. And since a lot of people tend to use passwords – like, people will use “password123” very commonly – so it’s very likely to be collided with other people. That’s why using brain wallets is typically frowned upon in the crypto community.
Adrian Bednarek: [00:15:57] The blank pass phrases – so those are from brain wallets. And there was one wallet that allowed people to use blank passphrases. So, basically, the software asks the user for a password to protect your private key, and people would just hit enter and just ignore it. They’d be like, I don’t want to use a password, or whatever.
Dave Bittner: [00:16:18] Hmm.
Adrian Bednarek: [00:16:17] Like people typically do, you know? So, they were using a blank passphrase wallet that anybody else that did the same thing, you know, just skip the password creation step, they could interact with each other’s wallets.
Dave Bittner: [00:16:31] Wow.
Adrian Bednarek: [00:16:32] And, you know, the bad guys caught onto that, that a lot of people were using a blank passphrases. And, you know, there was 5,200 Ethereum that went into wallets that had a blank passphrase.
Dave Bittner: [00:16:44] Wow. That’s a lot of money.
Adrian Bednarek: [00:16:47] Yep. At one point, that was worth $5.2 million.
Dave Bittner: [00:16:51] Okay, yeah, adds up. So, what are your recommendations in terms of people actually being able to generate truly random private keys, and being able to verify that they’re actually doing so, what are the best practices there?
Adrian Bednarek: [00:17:05] I think the main takeaway is to use well-used and trusted software. If people are getting into the crypto space to, you know, invest or use cryptocurrency as a utility to trade for goods and services, they should look into communities that are using various cryptocurrency wallets and look to see which ones are popular, which once people recommend. Stay away from random things they find on search engine results, because some of those can be polluted with malicious software or wallets. So, the takeaway would be just use well-known wallets that are accepted by the community.
Adrian Bednarek: [00:17:42] Blockchain and cryptocurrencies are a new technology, and anytime you have a new technology, there’s benefits that are brought in by it, and then you have bad actors that come in to see how they can exploit it to benefit themselves. So, you always have to be careful when new things come out, and make sure to use software that is in line with best practices and accepted by the community.
Dave Bittner: [00:18:10] Our thanks to Adrian Bednarek from Independent Security Evaluators for joining us. The research is titled, “Ethercombing: Finding Secrets in Popular Places.” We’ll have a link in the show notes.
Dave Bittner: [00:18:20] Thanks to Juniper Networks for sponsoring our show. You can learn more at juniper.net/security, or connect with them on Twitter or Facebook.
Dave Bittner: [00:18:31] And thanks to Enveil for their sponsorship. You can find out how they’re closing the last gap in data security at enveil.com.
Dave Bittner: [00:18:39] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they’re co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Our CyberWire editor is John Petrik. Technical Editor, Chris Russell. Our staff writer is Tim Nodar. Executive Editor, Peter Kilpe. And I’m Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.