Fun

‘Dark Skippy’ method can steal Bitcoin hardware wallet keys

News Feed - 2024-08-09 07:08:05

Christopher Roark1 hour ago‘Dark Skippy’ method can steal Bitcoin hardware wallet keysMalicious firmware can embed secret data into a public Bitcoin transaction, which the attacker can then use to extract a person’s seed words.1824 Total viewsListen to article 0:00NewsOwn this piece of crypto historyCollect this article as NFTCOINTELEGRAPH IN YOUR SOCIAL FEEDFollow ourSubscribe onSecurity researchers have discovered a troubling new method that hackers can use to extract private keys from a Bitcoin hardware wallet even with only signed two transactions, which they’ve named “Dark Skippy.”


The vulnerability potentially affects all hardware wallet models — though it can only wor if the attacker tricks the victim into downloading malicious firmware.


A previous version of the method required the victim to post “dozens” of transactions to the blockchain. But the new “Dark Skippy” version can be performed even if the victim only posts a couple of transactions to the blockchain. In addition, the attack can be executed even if the user relies on a separate device to generate seed words.


The disclosure report was published by Lloyd Fournier, Nick Farrow, and Robin Linus on Aug. 5. Fournier and Farrow are co-founders of hardware wallet manufacturer Frostsnap, while Linus is a co-developer of Bitcoin protocols ZeroSync and BitVM.Source: Nick Farrow.


According to the report, a hardware wallet’s firmware can be programmed to embed portions of the user’s seed words into “low entropy secret nonces” which are then used to sign transactions. The resulting signatures get posted to the blockchain when transactions are confirmed. The attacker can then scan the blockchain to find and record these signatures.


The resulting signatures contain only “public nonces,” not the portions of seed words themselves. However, the attacker can enter these public nonces into Pollard’s Kangaroo Algorithm to successfully compute the secret nonces from their public versions.


Pollard’s Kangaroo Algorithm, discovered by mathematician John M. Pollard, is an algorithm in computational algebra that can be used to solve the discrete logarithm problem.


According to the researchers, a user’s full set of seed words can be derived using this method, even if the user only produces two signatures from their compromised device and even if the seed words were produced on a separate device.


Related:Major Wallet Vulnerability Revealed As User Barely Reclaims 9 BTC


Previous versions of the vulnerability have been documented in the past, the researchers stated. However, these older versions relied upon “nonce grinding,” a much slower process that required many more transactions to be posted to the blockchain. Even so, the researchers stopped short of calling Dark Skippy a new vulnerability, claiming instead that it is “a new way of exploiting an existing vulnerability.”


To mitigate against the threat, the report suggests that hardware wallet manufacturers should take extra care to prevent malicious firmware from getting into users’ devices, which they can do through features like “secure boot and locked JTAG/SWD interfaces […] reproducible and vendor signed firmware builds[,...] [and] various other security features.” In addition, it suggests that wallet owners may want to employ practices to keep their devices secure, including “secret places, personal safes, or maybe even tamper-evident bags,” although the report also suggests that these practices may be “cumbersome.”Dark Skippy mitigation techniques. Source: Dark Skippy researchers.


Another suggestion it provides is for wallet software to use “anti-exfiltration” signing protocols, which prevent the hardware wallet from producing nonces on its own.


Bitcoin wallet vulnerabilities have caused significant losses to users in the past. In August, 2023, cybersecurity firm Slowmist reported that over $900,000 worth of Bitcoin had been stolen via a flaw in the Libbitcoin explorer library. In November, Unciphered reported that $2.1 billion worth of Bitcoin held in old wallets may be in danger of being drained by attackers because of a flaw in BitcoinJS wallet software.


Magazine: ‘Elon Musk at Bitcoin 2024’ scam, Lazarus Group hacks, MOG phishing: Crypto-Sec# Bitcoin# Blockchain# Cybersecurity# HacksAdd reaction

News Feed
Jack Dorsey and Elon Musk Raise Concerns Over Web3 as Skepticism About Ownership Grows
Jack Dorsey and Elon Musk Raise Concerns Over Web3 as Skepticism About Ownership Grows Former Twitter CEO Jack Dorsey has ignited a debate about web3 after Tesla CEO Elon Musk crit
2021-12-23 10:00 AM
Crypto enthusiasts warn against naira trade ban on exchanges
Amaka NwaokochaJun 08, 2024Crypto enthusiasts warn against naira trade ban on exchangesDue to the rapid decline of the naira and the resulting almost three-decade-high inflation rate of 29.9%, the Nigerian government has
2024-06-08 18:38 PM
Memecoin trader nets $8.9M profit in an hour, raising ‘insider’ allegations
Zoltan Vardai8 hours agoMemecoin trader nets $8.9M profit in an hour, raising ‘insider’ allegationsThe wallet added over $1.04 million worth of Shroom coins during the same block when new liquidity was deployed.1446
2024-03-21 00:48 AM
Bank of America Market Strategist Says ‘Summer Rally Is Over’ as Crypto and Stocks Slide Ahead of Fed Rate Hike This Week
Bank of America Market Strategist Says ‘Summer Rally Is Over’ as Crypto and Stocks Slide Ahead of Fed Rate Hike This Week Digital currency markets, precious metals, and stocks
2022-09-20 05:30 AM
‘Survival games’ as Bitcoin hash price skirts near all-time low
Brayden Lindrea4 hours ago‘Survival games’ as Bitcoin hash price skirts near all-time lowDespite the hash price crash, most Bitcoin mining machines remain profitable for the time being.1844 Total views6 Total sharesL
2024-06-25 13:41 PM
Amazon takes minority share in ChatGPT rival Anthropic AI
Savannah Fortis1 hour agoAmazon takes minority share in ChatGPT rival Anthropic AIAmazon has fulfilled its $4-billion investment commitment to AI startup Anthropic, announcing a minority ownership stake in the company an
2024-03-28 16:41 PM
SUI Defies Odds With A Sharp Rebound Above $4.9: New Highs Loom?
Este artículo también está disponible en español. SUI has made an impressive comeback, defying market expectations with a robust rebound that propelled its price above th
2025-01-11 02:00 AM
What does Bitcoin smell like? AI startup wants to ‘teleport’ digital scents
Tristan Greene3 hours agoWhat does Bitcoin smell like? AI startup wants to ‘teleport’ digital scentsThe technology could also help detect diseases such as cancer.1306 Total views5 Total sharesListen to article 0:00Ne
2024-08-19 05:47 AM
Crypto-Friendly Bank Backed by Warren Buffett’s Berkshire Hathaway Plans $2 Billion IPO on Nasdaq
Crypto-Friendly Bank Backed by Warren Buffett"s Berkshire Hathaway Plans $2 Billion IPO on Nasdaq Nubank, a Brazilian digital bank backed by Warren Buffett&rsquo
2021-08-16 08:30 AM
Amaka Nwaokocha48 minutes agoPro-XRP lawyer claims SEC prioritizes corporate capitalism over investorsJohn Deaton believes the unequal treatment raises concerns about the regulatory body’s effectiveness and fairness, a
2023-07-30 17:11 PM
Spanish Soccer League Laliga Partners With Globant to Support New Web3 and Metaverse Initiatives
Spanish Soccer League Laliga Partners With Globant to Support New Web3 and Metaverse Initiatives Laliga, the premier soccer league organization in Spain, has announced a partnershi
2022-10-01 19:30 PM
Best Crypto to Buy as Top Hong Kong Investment Firm Buys More Bitcoin
Este artículo también está disponible en español. HK Asia Holdings Limited, a top investment firm in Hong Kong, is the latest to join the Bitcoin buying spree among insti
2025-02-24 23:32 PM