Malicious Bitcoin Wallet Generation Software Could Produce Known Private Keys
An anonymous user on Pastebin has provided evidence that some wallet software may be generating private keys that can be easily discoverable, and therefore easy to take any bitcoins associated with that address. There has been no word on what wallet software is possibly affected, nor if this is a malicious act or a simple coding error.
TL;DR – Scroll to the last subsection
What is a Private Key?
I’m going to give a little bit of background and explain some terminology for those who don’t know how bitcoin works under the hood. The first thing is a private key. If you think of your bitcoin wallet address as a lock, the private key is the key used to unlock it and spend the funds inside.
When you generate a wallet on your device, whether it be on a computer or phone or whatever, what it actually does is generate a random set of numbers of letters and numbers (also known as a ‘string’) that is your private key. Your private key is the only thing that gives you legitimate ownership of your coins. Control of your private key is what allows you to spend the coins that are in your wallet. An example private key looks like this
Once your private key is generated, it is run through a hash function. A hash function is a mathematical function that, when you put a number or string it in, will return another string that has no relation back to the first number/string. It is very easy to find the second number from the first, but mathematically impossible to find the first from the second. The reason for this is that the sheer number of possible private keys is so large, it dwarfs the number of seconds since the dawn of the universe by several orders of magnitude. This second number is known as your public key, and this is hashed again to give you your Bitcoin wallet addresses. You can click here for more information about how private keys, public keys, and wallets work.
“Discovering” a Private Key
On to what is actually going on. Since a private key can be literally anything, you could technically take any phrase or string of numbers and letters and use it as your key. You could just throw anything into the hash function and generate the wallet. The public key would be derived from that, and you’d be on your way. This is generally not recommended since it goes to follow that if you can think of your private key so can someone else. It wouldn’t be truly random, which what is needed to create a secure wallet.
BrainWallet.io has a nifty tool that allows users to input whatever they’d like and then derive a private key/public key pair from that. Since the blockchain is an open public ledger, you can go look at some addresses that have been derived from common phrases. Someone used “satoshi nakamoto” to create a wallet, and the addresses associated have had small amounts of bitcoins sent to it, but they were cleared out immediately after. Other phrases like “I find your lack of faith disturbing” and “these aren’t the droids you’re looking for” also have been tagged with a small transaction. There’s no reason to use these as your keys because they’re insecure, but people have sent coins just to leave a mark on the blockchain.
Anonymous Pastebin Guy noted:
If you peer into the blockchain, you will find that people have ‘played’ with the chain by sending small amounts of bitcoins to addresses corresponding to private keys generated using Sha256… It’s quite obvious these were _meant_ to be found. It turns out there are a lot of these addresses. (Keep looking and you will easily find some.) This is nothing new and has been known to the bitcoin community for a while.
The user that posted these findings, who has chosen to remain anonymous, goes much further down the rabbit hole. He began thinking of other ways to “discover” common private keys and downloaded a complete index of all bitcoin addresses that were publicly available on the blockchain and started trying different things to discover keys that possibly had a few bits associated with them. It was kind of a pet project.
Testing Private Keys to Find Bitcoins
The Pastebin user started using pieces of data that are publicly available on the blockchain to see if any of them had been used to create wallets. He used block hashes for every block since the Genesis Block, Merkle roots from every block, common words and phrases that had been hashed multiple times, and finally started testing all bitcoin addresses. Most analysis of all bitcoin addresses will only involve addresses that have unspent balances, but he also decided to include addresses that had a balance of zero.
His first experiment involved checking every block hash to see if any of them had been used as a private key. This is kind of a smart way of remembering your private key, because you’d only need to know the block number to be able to go recover your key. Sure enough, over forty addresses existed that at one point over the past seven years been sent bitcoins. All of them had long been swept, but the user decided to keep investigating.
He then used the Merkle roots of some blocks to check for discoverable keys, and once again found addresses that had coins sent to them. Unfortunately, the balances were all zero, but the hunt was heating up. The third experiment was tested using common words that were hashed multiple times, such as “hello” or “sender”. The hashes of these words are then hashed again and again, giving another layer of added security and much less of a chance that the key will be discovered. If you can hash a word once, you can do it a million times. “hello” was hashed, and that hash hashed, over and over and eventually, it produced a private key that had been used. Several addresses were found using the method that all had transactions sent to them at one point or another. One of the funniest, in my opinion, is the word “password” which after hashing its 1,975 times you get a valid private key that has had funds sent to it. It’s very likely that the creator of this address was born that year.
The last experiment is where the user started asking some questions. He took his index of all bitcoin addresses and tested every public address to see if it had been used as a private key. And again, he searched a fraction of the blockchain and found dozens of addresses. The difference with many of these was that they had received and emptied the bitcoins associated with them within the last weeks or days.
The idea of using a public address as a public key doesn’t really make sense and is very risky because it is discoverable. These addresses were receiving bitcoin and taking it within minutes or hours of it being confirmed. At this point, Anonymous Pastebin Guy started to smell something fishy.
So, What’s Going on Here?
Pastebin Guy’s claim is that some third-party wallet custodial service, such as a mining pool, gambling site, or just a straight-up web wallet, may have malicious code in their backend that will generate private keys based on public addresses, allowing someone to easily steal the coins associated with the address as the private key is public knowledge on the blockchain. He goes on to say that this code has been at work for years, with bitcoins being siphoned out the whole time. He also makes it clear, however, that there is a chance that this is a simply a bug in the system that is creating non-random private keys.
The user created a bot to constantly scan these addresses and snag any bitcoin that was sent to them, and through dumb luck, he caught a transaction of 9.5 bitcoins to an address with a discover-able private key. Unfortunately, the bot was not working as expected and didn’t generate a transaction in time. The bitcoins were swept from the wallet, off to their next destination. He started getting very suspicious, however, and continued running the bot and noticed the same “collection address” being used for many of these key discovery methods. At least one address from all the methods was funneling bitcoin, bit by bit, to whoever was controlling this system. He was watching 6+ transactions come through his database of private keys per day.
/u/fitwear’s missing 9 BTC
A Reddit user by the name of /u/fitwear posted about his blockchain.info wallet getting hacked and getting just about nine bitcoins stolen. You can see the original Reddit post here. Blockchain.info support’s response was the typical “your account must have gotten compromised” canned reply, but in reality /u/fitwear had done everything right. A good password, proper two-factor authentication – none of it mattered and the coins were still gone.
The anonymous user from the Pastebin article managed to find the 9 bitcoins on an address to which he had a copy of the private key in his database. /u/fitwear was lucky and the user returned the coins to him/her, but further investigation of the address proved to be concerning.
According to /u/fitwear:
I entered the security key in Blockchain.info on my fully security enabled 2fa account & manually entered all of the information to avoid copy and pastes e.t.c……The 9 BTC left my account & hit my new block chain wallet. After 4 seconds it then bounced to a random address that I have no connection with a high transaction fee to push it through quickly. I’ve tried emailing support and they insist that someone must have my account information or I have some malware that has injected my copy & paste.
A compromised key managed to get imported into /u/fitwear’s blockchain.info wallet. Some non-blockchain.info-damning scenarios include someone compromised his account in the past and is just now claiming funds, or that there was some browser malware that affected the blockchain.info wallet. The thing that really doesn’t make sense is that if it was malware, it is logical that the developer would create a private key off of some private piece of info, not just some random address. The fact that it is a random address gives anyone who has caught on to this scheme a chance to take the coins before the hacker can send them to a wallet under his control. It just doesn’t add up.
The code that would be needed to generate discovered private keys is surprisingly simple – it’s just a couple of hash functions. If it was some third-party wallet provider, this bit of malware would be hidden among the thousands and thousands of lines of code that make up a back end. Also, this function wouldn’t draw too much attention during a code audit because it is just hashing a public address. Hence the hiding in plain sight analogy. If the malware was coded in a way that a private key was created that only the hacker and the hackee knows, that would be much more suspicious than coding a key generation system that produced an easily discover-able private key.
So, What Now? Are Cryptocurrencies Screwed?
While this data is very concerning, Bitcoin’s underlying security is not affected. 99.999% of private keys that are generated are generated randomly, and if a key is generated with a proper level of entropy, or randomness, it is statistically impossible for someone to discover your keys. Back to the number of seconds since the birth of the universe example, trying to discover a randomly generated key would be like trying to guess one specific second out of all the seconds from then until now. It is ridiculously unlikely that you would even guess the same year, let alone the same month, day, hour, minute, or second. If you are using a private wallet where you control the private keys, you are 100% not affected.
The people who should be concerned about this are those with coins held by custodial third parties, such as exchanges or web wallets. However, I want to make it very clear that there is ZERO direct evidence proving blockchain.info or anyone else had direct involvement in /u/fitwear’s theft or any other weird transaction that the user found on the blockchain.
Basically, rest easy. If you control your own private keys and they were generated randomly, you have no chance of being affected by this possible attack vector. If you want to read more about this user’s findings, you can read the whole Pastebin article here.
What do you think about this possible exploit? Are you securing your coins accordingly? Have any more questions? Let us know in the comments below!
Images courtesy of blockchain.info, Wikimedia Commons, Pixabay