Huge Security Flaw Allows Crypto Hackers to Steal Private Keys
Storing crypto private keys on a computer, even offline, may not be entirely safe. Known vulnerabilities in widely used processors have added one more pathway that could expose valuable data, including wallet keys.
Intel CPU Attack Not Viable in Real-World Conditions
Just about a year after the revealing of the Spectre and Meltdown vulnerabilities, a new pathway to steal valuable information has emerged. This Tuesday, a new exploit was discovered, one capable of stealing information from Intel’s SGX (Software Guard eXtensions). This digital storage may be used for crypto private keys and other sensitive information.
The data can be accessed via a novel attack, Load Value Injection, reported ArsTechnica. This means sensitive data can be divulged by injections stemming from malicious code or an app. This code could gain access to information usually restricted from sharing such as crypto private keys.
The vulnerability will affect apps that use SGX to create a digital vault for encryption keys, passwords, digital rights management technology and other sensitive information. The new exploit is a cross-vulnerability with a previously known exploit, Meltdown. Intel has released a list of processors affected by the latest flaw.
Unlike all previous Meltdown-type attacks, LVI cannot be transparently mitigated in existing processors and necessitates expensive software patches, which may slow down Intel SGX enclave computations 2 up to 19 times
Private Keys to Crypto Wallets Usually Exposed Due to Human Error
Intel put out an immediate statement about the attack and its mitigation:
Researchers have identified a new mechanism referred to as Load Value Injection (LVI). Due to the numerous complex requirements that must be satisfied to successfully carry out, Intel does not believe LVI is a practical method in real world environments where the OS and VMM are trusted. New mitigation guidance and tools for LVI are available now and work in conjunction with previously released mitigations to substantively reduce the overall attack surface.
The exact scope of the LV attack was presented in detail in special research launching in April 2019. The researchers suggest that the attack is extremely difficult to perform, and will not be likely to attack consumer electronics. So far, no known instances of the attack were known. It is possible the LV attack could affect cloud computing resources.
Owners of crypto coins have always worried about the exposure of their private keys. So far, few thefts from wallets have been reported without having some form of human factor, which exposed the private keys. But gleaning a wallet private key from a consumer device remains a scenario with very low probability.
What do you think about the latest Intel CPU vulnerability? Share your thoughts in the comments section below!
Images via Shutterstock