Fun

‘Dark Skippy’ method can steal Bitcoin hardware wallet keys

News Feed - 2024-08-09 07:08:05

Christopher Roark1 hour ago‘Dark Skippy’ method can steal Bitcoin hardware wallet keysMalicious firmware can embed secret data into a public Bitcoin transaction, which the attacker can then use to extract a person’s seed words.1824 Total viewsListen to article 0:00NewsOwn this piece of crypto historyCollect this article as NFTCOINTELEGRAPH IN YOUR SOCIAL FEEDFollow ourSubscribe onSecurity researchers have discovered a troubling new method that hackers can use to extract private keys from a Bitcoin hardware wallet even with only signed two transactions, which they’ve named “Dark Skippy.”


The vulnerability potentially affects all hardware wallet models — though it can only wor if the attacker tricks the victim into downloading malicious firmware.


A previous version of the method required the victim to post “dozens” of transactions to the blockchain. But the new “Dark Skippy” version can be performed even if the victim only posts a couple of transactions to the blockchain. In addition, the attack can be executed even if the user relies on a separate device to generate seed words.


The disclosure report was published by Lloyd Fournier, Nick Farrow, and Robin Linus on Aug. 5. Fournier and Farrow are co-founders of hardware wallet manufacturer Frostsnap, while Linus is a co-developer of Bitcoin protocols ZeroSync and BitVM.Source: Nick Farrow.


According to the report, a hardware wallet’s firmware can be programmed to embed portions of the user’s seed words into “low entropy secret nonces” which are then used to sign transactions. The resulting signatures get posted to the blockchain when transactions are confirmed. The attacker can then scan the blockchain to find and record these signatures.


The resulting signatures contain only “public nonces,” not the portions of seed words themselves. However, the attacker can enter these public nonces into Pollard’s Kangaroo Algorithm to successfully compute the secret nonces from their public versions.


Pollard’s Kangaroo Algorithm, discovered by mathematician John M. Pollard, is an algorithm in computational algebra that can be used to solve the discrete logarithm problem.


According to the researchers, a user’s full set of seed words can be derived using this method, even if the user only produces two signatures from their compromised device and even if the seed words were produced on a separate device.


Related:Major Wallet Vulnerability Revealed As User Barely Reclaims 9 BTC


Previous versions of the vulnerability have been documented in the past, the researchers stated. However, these older versions relied upon “nonce grinding,” a much slower process that required many more transactions to be posted to the blockchain. Even so, the researchers stopped short of calling Dark Skippy a new vulnerability, claiming instead that it is “a new way of exploiting an existing vulnerability.”


To mitigate against the threat, the report suggests that hardware wallet manufacturers should take extra care to prevent malicious firmware from getting into users’ devices, which they can do through features like “secure boot and locked JTAG/SWD interfaces […] reproducible and vendor signed firmware builds[,...] [and] various other security features.” In addition, it suggests that wallet owners may want to employ practices to keep their devices secure, including “secret places, personal safes, or maybe even tamper-evident bags,” although the report also suggests that these practices may be “cumbersome.”Dark Skippy mitigation techniques. Source: Dark Skippy researchers.


Another suggestion it provides is for wallet software to use “anti-exfiltration” signing protocols, which prevent the hardware wallet from producing nonces on its own.


Bitcoin wallet vulnerabilities have caused significant losses to users in the past. In August, 2023, cybersecurity firm Slowmist reported that over $900,000 worth of Bitcoin had been stolen via a flaw in the Libbitcoin explorer library. In November, Unciphered reported that $2.1 billion worth of Bitcoin held in old wallets may be in danger of being drained by attackers because of a flaw in BitcoinJS wallet software.


Magazine: ‘Elon Musk at Bitcoin 2024’ scam, Lazarus Group hacks, MOG phishing: Crypto-Sec# Bitcoin# Blockchain# Cybersecurity# HacksAdd reaction

News Feed
Time for Serious Global Crypto Regulation, Germany Says
Time for Serious Global Crypto Regulation, Germany Says Germany’s financial watchdog has issued a call for global regulation of the crypto industry in the aftermath of the FTX co
2022-12-15 21:30 PM
Moody’s States Inflation Is Affecting Economic Recovery in Part of Latam
Moody"s States Inflation Is Affecting Economic Recovery in Part of Latam Moody’s, the asset quality rating agency, has warned the high rate of inflation that some countries
2022-08-25 19:00 PM
Bitcoin․com’s Director of Engineering Answers Verse Questions in AMA
Bitcoin․com’s Director of Engineering Answers Verse Questions in AMA With the Verse token sale slated for June, and registration already open at getverse.com, Bitcoin.comȁ
2022-05-25 15:30 PM
Bitcoin Flashes Buy Signal After Price Closed 2nd Green Month Candle In A Row
Este artículo también está disponible en español. The Bitcoin priceenjoyed its second consecutive green candle in October after closing the month with a 10% price gain. C
2024-11-03 06:00 AM
Turner Wright3 hours agoGerman regulator raised concerns about Binance CEO prior to license application withdrawal: ReportBaFin reportedly advised Binance that CEO Changpeng Zhao wouldn’t pass a “fit and proper” te
2023-07-29 05:30 AM
Ezra Reguerra14 hours agoCurve Finance founder’s $100M debt could trigger a DeFi implosion: ReportCurve Finance founder Michael Egorov has a total of $100 million in debt backed by over 400 million CRV tokens.3957 Tota
2023-08-01 19:00 PM
Brayden Lindrea7 hours agoLido assures LDO, stETH tokens remain safe despite flaw in token contractThe “fake deposit” attack enables bad actors to execute a transfer where the requested value is larger than what the
2023-09-11 10:37 AM
Bitcoin Mining Operation Reveals Plans to Convert Coal Ash Landfill Into Solar Farm
Bitcoin Mining Operation Reveals Plans to Convert Coal Ash Landfill Into Solar Farm Following the announcement from Greenidge Generation Holdings that detailed t
2021-07-30 06:30 AM
Bitcoin FilmFest: Lights, camera, halving as Bitcoin cinema hits Warsaw
Bryan O"Shea11 hours agoBitcoin FilmFest: Lights, camera, halving as Bitcoin cinema hits WarsawThe second edition of Bitcoin FilmFest in Warsaw, Poland, screened over a dozen movies and documentaries and coincided with t
2024-04-23 21:06 PM
Brand New Protocol, DIGITALAX, Brings NFT Adoption Into the Real World
Brand New Protocol, DIGITALAX, Brings NFT Adoption Into the Real World DIGITALAX, a digital fashion focused NFT protocol on Ethereum, launched less than 2 months
2020-12-17 02:00 AM
UK crypto hodlers get a call from the tax grinch
David Attlee11 hours agoUK crypto hodlers get a call from the tax grinchHis Majesty’s Revenue and Customs has issued a warning to crypto, NFT and utility tokenholders about paying their taxes on time or facing the cons
2023-11-29 21:54 PM
Egyptian Billionaire Remains Bullish on Gold, Says It’s Wrong to Compare Precious Metal to Bitcoin
Egyptian Billionaire Remains Bullish on Gold, Says It"s Wrong to Compare Precious Metal to Bitcoin Egyptian billionaire Naguib Sawiris has said he remains bullish on gold and has n
2021-11-14 13:30 PM