Fun

‘Dark Skippy’ method can steal Bitcoin hardware wallet keys

News Feed - 2024-08-09 07:08:05

Christopher Roark1 hour ago‘Dark Skippy’ method can steal Bitcoin hardware wallet keysMalicious firmware can embed secret data into a public Bitcoin transaction, which the attacker can then use to extract a person’s seed words.1824 Total viewsListen to article 0:00NewsOwn this piece of crypto historyCollect this article as NFTCOINTELEGRAPH IN YOUR SOCIAL FEEDFollow ourSubscribe onSecurity researchers have discovered a troubling new method that hackers can use to extract private keys from a Bitcoin hardware wallet even with only signed two transactions, which they’ve named “Dark Skippy.”


The vulnerability potentially affects all hardware wallet models — though it can only wor if the attacker tricks the victim into downloading malicious firmware.


A previous version of the method required the victim to post “dozens” of transactions to the blockchain. But the new “Dark Skippy” version can be performed even if the victim only posts a couple of transactions to the blockchain. In addition, the attack can be executed even if the user relies on a separate device to generate seed words.


The disclosure report was published by Lloyd Fournier, Nick Farrow, and Robin Linus on Aug. 5. Fournier and Farrow are co-founders of hardware wallet manufacturer Frostsnap, while Linus is a co-developer of Bitcoin protocols ZeroSync and BitVM.Source: Nick Farrow.


According to the report, a hardware wallet’s firmware can be programmed to embed portions of the user’s seed words into “low entropy secret nonces” which are then used to sign transactions. The resulting signatures get posted to the blockchain when transactions are confirmed. The attacker can then scan the blockchain to find and record these signatures.


The resulting signatures contain only “public nonces,” not the portions of seed words themselves. However, the attacker can enter these public nonces into Pollard’s Kangaroo Algorithm to successfully compute the secret nonces from their public versions.


Pollard’s Kangaroo Algorithm, discovered by mathematician John M. Pollard, is an algorithm in computational algebra that can be used to solve the discrete logarithm problem.


According to the researchers, a user’s full set of seed words can be derived using this method, even if the user only produces two signatures from their compromised device and even if the seed words were produced on a separate device.


Related:Major Wallet Vulnerability Revealed As User Barely Reclaims 9 BTC


Previous versions of the vulnerability have been documented in the past, the researchers stated. However, these older versions relied upon “nonce grinding,” a much slower process that required many more transactions to be posted to the blockchain. Even so, the researchers stopped short of calling Dark Skippy a new vulnerability, claiming instead that it is “a new way of exploiting an existing vulnerability.”


To mitigate against the threat, the report suggests that hardware wallet manufacturers should take extra care to prevent malicious firmware from getting into users’ devices, which they can do through features like “secure boot and locked JTAG/SWD interfaces […] reproducible and vendor signed firmware builds[,...] [and] various other security features.” In addition, it suggests that wallet owners may want to employ practices to keep their devices secure, including “secret places, personal safes, or maybe even tamper-evident bags,” although the report also suggests that these practices may be “cumbersome.”Dark Skippy mitigation techniques. Source: Dark Skippy researchers.


Another suggestion it provides is for wallet software to use “anti-exfiltration” signing protocols, which prevent the hardware wallet from producing nonces on its own.


Bitcoin wallet vulnerabilities have caused significant losses to users in the past. In August, 2023, cybersecurity firm Slowmist reported that over $900,000 worth of Bitcoin had been stolen via a flaw in the Libbitcoin explorer library. In November, Unciphered reported that $2.1 billion worth of Bitcoin held in old wallets may be in danger of being drained by attackers because of a flaw in BitcoinJS wallet software.


Magazine: ‘Elon Musk at Bitcoin 2024’ scam, Lazarus Group hacks, MOG phishing: Crypto-Sec# Bitcoin# Blockchain# Cybersecurity# HacksAdd reaction

News Feed
Ex-OpenAI chief scientist Ilya Sutskever launches SSI to focus on AI safety
Derek Andersen2 hours agoEx-OpenAI chief scientist Ilya Sutskever launches SSI to focus on AI safetyThe new company will develop AI safety and capabilities in tandem.1681 Total views1 Total sharesListen to article 0:00Ne
2024-06-20 06:45 AM
Technical Analysis: XRP Falls 10%, as ANC Climbs Higher
Technical Analysis: XRP Falls 10%, as ANC Climbs Higher XRP fell by over 10% on Tuesday, as bearish pressure once again intensified in crypto markets. As of writing, the global cry
2022-02-23 03:39 AM
Bitcoin Struggles Below ATH After Weeks Of Failed Attempts – $109K Level In Focus
Reason to trust Strict editorial policy that focuses on accuracy, relevance, and impartiality Created by industry experts and meticulously reviewed The highest standards in reporting and pu
2025-06-29 16:00 PM
Helen Partz2 hours agoStandard Chartered-owned crypto platform Zodia launches in Hong KongDemand for crypto in Hong Kong is mainly driven by institutional investors rather than retail customers, Zodia CEO said.1298 Total
2023-10-30 15:55 PM
Gemini Just Tokenized a Bitcoin-Heavy Stock – 3 of the Best Altcoins to Ride the Wave
Reason to trust Strict editorial policy that focuses on accuracy, relevance, and impartiality Created by industry experts and meticulously reviewed The highest standards in reporting and pu
2025-06-28 23:54 PM
Germany Enters Recession as Over 100 Banks Charge Negative Interest Rates
Germany Enters Recession as Over 100 Banks Charge Negative Interest RatesGermany has plunged into a recession with the worst quarterly contraction since the global financial and eco
2020-05-18 09:05 AM
Ethereum Transfer Fees Drop From Recent Highs, L2 ETH Solutions Between 46-97% Cheaper
Ethereum Transfer Fees Drop From Recent Highs, L2 ETH Solutions Between 46-97% Cheaper At the end of August, Ethereum network gas costs skyrocketed and tapped a high of $59 per tra
2021-09-13 22:30 PM
Ethereum Bulls Aim For $4,100 As Key Resistance Comes Into Focus
Este artículo también está disponible en español. Ethereum is once again making headlines as it edges closer to the critical $4,100 resistance level. After building stead
2024-12-16 20:30 PM
XRP Bull Targets $2.80 Breakout — Key Levels To Consider
Este artículo también está disponible en español. According to data from CoinMarketCap, XRP recorded a substantial price decline in the past trading week losing 16.78% of
2025-02-10 05:30 AM
RBI to Challenge Supreme Court Verdict on Cryptocurrency
RBI to Challenge Supreme Court Verdict on Cryptocurrency The Reserve Bank of India (RBI) is reportedly seeking to file a review petition challenging the supreme court verdict whi
2020-03-06 21:05 PM
Algorand Wins Sharia Compliance Certificate to Enter $70 Billion Market
Algorand has been certified as sharia-compliant, the company said Monday. The certification was provided by Bahrain-based Shariya Review Bureau (SRB) and indicates that the Algorand
2019-10-23 06:30 AM
How to buy USD Coin (USDC) in the United States
Liza Savenko9 hours agoHow to buy USD Coin (USDC) in the United StatesUnlock the potential of stablecoins and diversify your portfolio with our beginner’s guide to safely buying USD Coin (USDC) in the United States.537
2024-02-23 23:03 PM