Following the AsicBoost controversy, Bitmain has now responded to the accusations of having purposefully programmed a backdoor into the firmware of multiple Antminer models.
Bitmain Can Remotely Turn Off Its Miners
In what is being called “Antbleed,” this backdoor could shut down 70% of the global Bitcoin network, which could put the world’s first decentralized cryptocurrency at great risk.
“Bitmain has put themselves in a position where they can kill the majority of Bitcoin hashing power instantly,” Core developer Peter Todd commented on the news.
Meanwhile, the exposé website, Antbleed, describes the backdoor as so:
The firmware checks-in with a central service randomly every 1 to 11 minutes. Each check-in transmits the Antminer serial number, MAC address and IP address. Bitmain can use this check-in data to cross check against customer sales and delivery records making it personally identifiable. The remote service can then return ‘false’ which will stop the miner from mining.
Bitmain responded to the allegations in a blog post. The company explained why this backdoor exists in the first place and apologized for the “misunderstanding.”
Bitmain:
This bug has now been pointed out in context of Bitcoin’s scaling roadmap debate and has caused considerable misunderstandings within the Bitcoin community. We apologize for this.
The issue affects several Antminer models (S9, R4, T9, L3, L3+) allowing the company to shut down miners at will and also link them to the customer sales and delivery records, exposing the identity of each miner.
Bug or Feature?
While Bitmain confirmed the backdoor, the mining giant says it’s simply “bug,” an intentional feature that was never finished and was left in the firmware. According to Bitmain, this backdoor was meant to be used by the product owners in case of theft.
“We need to clarify the intention of having this feature,” they wrote. “We planned to add this feature to the code to empower customers to control their miners which often times can be hosted outside their premises.”
Although the reason provided by Bitmain makes sense to a certain extent, the question of why customers weren’t warned about this feature/bug/backdoor arises.
It is also unclear why it would be left in the firmware in the first place, given that Antminer has admitted that this kill-switch caused “a degraded level of security.”
It is even more curious when it appears that Bitmain could have fixed this issue with ease, which means anyone who stole the miners could just as easily tweak a file to turn off this “anti-theft” feature.
“Moving on, we have released the new updated source-code on GitHub and new firmware on our website which removes this bug,” Bitmain wrote.
The company also goes a long way to categorize the backdoor as a bug. “It is a bug to leave the code there before the feature is fully complete and acknowledged to the users.”
However, Wikipedia defines a software bug as “an error, flaw, failure or fault in a computer program or system that causes it to produce an incorrect or unexpected result, or to behave in unintended ways.”
Bitcoin Core developers such as Luke Dashjr took to Twitter to comment on the latest Bitmain-related scandal, noting the distinction between the Antbleed backdoor and a bug.
“That’s not a fix, it’s a workaround. It’s also not a bug, but intentional malware,” he said.
Core developer Peter Todd called the company “incompetent” tweeting:
Bitmain claims Antbleed was to remotely shutdown stolen miners.
tl;dr: W/ no authentication and it easily bypassed, Bitmain's incompetent.
— Peter Todd/mempoolfullrbf=1 (@peterktodd) April 27, 2017
Slush Pool founder Marek Palatinus slammed Bitmain, saying the purpose of the backdoor is clear: “to shut down miner on remote flag.”
Meanwhile, Andreas Antonopoulos said that he doesn’t see the backdoor as a deliberately malicious act by the company though “intent doesn’t matter if anyone can use it.”
I honestly doubt #antbleed was in any way malicious. It shows the intention to centrally control customers, is reckless & poorly implemented
— Andreas (aantonop Team) (@aantonop) April 27, 2017
Is Antbleed simply a misunderstanding or an intentional backdoor?Let us know what you think below!
Images courtesy of Shutterstock, Twitter