In the wake of the mtgox fiasco, we are seeing some overdue attention paid to exchange security, which reduces to wallet security when you are thinking about the building blocks.
The ultimate security in bitcoin world is a cold wallet, usually a file on an unconnected computer, possibly with a fresh operating system install for added security; and just software for bitcoin signing running on it, nothing else. Keys are kept in bank vaults, with the highest value keys split among multiple banks with Shamir secret sharing so even the banks can’t steal the funds out of their own safe deposit boxes unless they collude with the other banks, whose identity they don’t even know.
How does one steal funds from such a veritable bitcoin fort knox?
Lots of ways!
The attacks all boil down to this: don’t worry about how securely the cold funds are locked down. You don’t need to use dynamite and liquid nitrogen on the lock if you can walk in through the screen door out back.
The key is to confuse the operator into withdrawing their own funds in an insecure way. Since the operator is presumed to be operating a compromised Windows ME machine running kazaa and various other porn downloading utilities, and flash games in the browser, this is where our attacker should be concentrating their efforts.
The recent attack on mtgox used a technique called transaction malleability to trick mtgox operators (aka bank tellers) into thinking that withdrawals had failed when in fact they had succeeded but with a changed transaction id. MtGox operators would then re-issue the withdrawal. This could be done many times, and the end result seems to be that their cold wallet funds were drained. No one is sure yet how much (maybe not even mtgox) but I guess we will know soon whether mtgox is bankrupt or just playing around.
Assuming mtgox is solvent, I think they will slowly build up their reputation again as a place that “has survived every hack.” People new to bitcoin will continue to make their initial bitcoin buys there because “it is so cheap!” So mtgox will be around in 2015 to deliver unto bitcoin yet another lesson in cyber security, along with a buying opportunity for the patient as the bitcoin price tanks with headlines “Mtgox hacked again!”
How will the next big hack work?
My money is on address tampering, where the attacker substitutes an address they control for the real address.
There are a lot of variants of this attack, and they are really tricky to stop.
Here are some variants.
Simplest one: merchant has a sticker with his bitcoin address at his shop. Attacker slaps a similar looking sticker over it. Funds sent to merchant are now sent to attacker. Lesson: don’t use stickers, don’t reuse addresses.
Slight variant: Merchant uses a vanity address instead, with the merchant’s name munged into the address. Attacker can use the same attack, but now they have to spend some money to generate a fake vanity address. Lesson: there is some deterrent effect to using a vanity address, but it’s not foolproof. Don’t use stickers, don’t reuse addresses.
Attack on mtgox cold bitcoin: compromise computer that generates transactions to be signed, do address substitution there.
Mitigation: Human operators must manually verify signed transactions before rebroadcasting.
Problem: Humans are fallible.
looks a lot like
(1 character changed.)
Well, that second one probably isn’t a valid address, since I just changed a character at whim, but the problem for the attacker reduces to generating a vanity address on the fly that can confuse a human operator. This can be done with rainbow tables I think.
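As an added illustration (my code, not anything from the original post or from mtgox), here is what the operator-side check looks like when it is done by software instead of by eyeball. Two things fall out of it: the 4-byte Base58Check checksum rejects the “changed one character at whim” case outright, and an allowlist of expected destinations catches a valid vanity lookalike by comparing the leading and trailing characters a human actually looks at. The all-zero-hash address used in the demo is the well-known Bitcoin burn address; the allowlist, the prefix/suffix lengths and the function names are my assumptions, and the thresholds are something an operator would tune.

```python
import hashlib
from typing import Optional, Set

# Base58 alphabet used by Bitcoin addresses (0, O, I and l are deliberately absent).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58check_encode(version: bytes, payload: bytes) -> str:
    """Base58Check: version || payload || first 4 bytes of sha256d(version || payload)."""
    raw = version + payload
    raw += _sha256d(raw)[:4]
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    # Each leading zero byte is carried as a leading '1'.
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + digits


def b58check_decode(addr: str) -> Optional[bytes]:
    """Return version || payload if the checksum verifies, otherwise None."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None  # character outside the alphabet, cannot be an address
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * leading_ones + body
    if len(raw) < 5:
        return None
    data, checksum = raw[:-4], raw[-4:]
    if _sha256d(data)[:4] != checksum:
        return None  # a single edited character lands here
    return data


def screen_destination(addr: str, allowlist: Set[str],
                       prefix_len: int = 5, suffix_len: int = 4) -> str:
    """Verdict for a destination the operator is about to approve (assumed policy):
    'ok'        exact match on an allowlisted address
    'invalid'   fails Base58Check, e.g. one character changed
    'lookalike' valid, but shares the leading or trailing characters of an
                allowlisted address, which is what a vanity substitution relies on
    'unknown'   valid and unrelated to anything allowlisted; verify out of band
    """
    if addr in allowlist:
        return "ok"
    if b58check_decode(addr) is None:
        return "invalid"
    for known in allowlist:
        if addr[:prefix_len] == known[:prefix_len] or addr[-suffix_len:] == known[-suffix_len:]:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed demo: the burn address (version 0x00, 20 zero bytes) as the expected destination.
    expected = b58check_encode(b"\x00", b"\x00" * 20)
    edited = expected[:-1] + "3"                                    # one character changed
    vanity = b58check_encode(b"\x00", b"\x00" * 19 + b"\x01")       # valid, shares the prefix
    for candidate in (expected, edited, vanity):
        print(candidate, "->", screen_destination(candidate, {expected}))
```

The point of the ordering is that the cheap structural check (checksum) runs before the fuzzy one, so the operator never has to stare at an address that could not have been valid in the first place; what remains for a human is only the “valid but suspiciously similar” pile.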
A really evil attacker (perhaps an insider) would attack the mtgox accounting system, so that the funds flowing into the bad address would show up as funds going into the real mtgox online warm wallet, and it would appear that nothing is wrong, until user withdrawals start failing. (Similar feel to transaction malleability attack.)
Cold computers should be loaded up with signing keys of recipient computers, where the identity of recipients is known; at least for recipients getting high value payments. (You need to do this anyway for AML/KYC.)
Recipient computers should generate signed payment requests. The cold computer can check these payment requests against the transactions to be signed, to verify that no tampering took place. If somehow a thieving transaction slips through the cracks and is signed by the cold computer, the attacker had to create a fake identity with a signing key to get the funds, which increases the cost of the attack.
Another nice thing about signed payment requests is that if a user’s computer is compromised (an mtgox depositor in this scenario), the user is still protected against address substitution. Just as mtgox could require the cold computer to send funds only to payment requests from vetted (mtgox warm) recipients, mtgox could validate withdrawals only to payment requests that have been signed by vetted merchants.
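To make the two preceding paragraphs concrete, here is an added example (mine, not code from the original post or from any exchange) of the check a cold computer would run over an unsigned transaction before it signs: every non-change output must be covered by a validly signed payment request from a known recipient with the same address and amount, and each request can cover only one output. Substituting the address in the transaction leaves an output with no matching request; substituting it in the request breaks the signature. Everything here is an assumption: the recipient names, the secrets, the addresses (placeholders, not real addresses), and the use of HMAC as a stand-in for the public-key signature (for example Ed25519) a real deployment would register for each recipient during onboarding. The control flow is the same with a real signature scheme.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Verification material for known recipients, loaded onto the cold computer at setup time.
# Constructed sample values; with real public-key signatures only public keys would live here.
RECIPIENT_KEYS: Dict[str, bytes] = {
    "warm-wallet": b"constructed-secret-warm-wallet",
    "merchant-acme": b"constructed-secret-merchant-acme",
}

# Change going back to the cold wallet's own addresses needs no payment request.
# Placeholder address, not a real one.
COLD_CHANGE_ADDRESSES = {"1ColdWalletChangeAddressPLACEHOLDER"}


def _canonical(body: dict) -> bytes:
    """Stable byte encoding so signer and verifier hash exactly the same thing."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_payment_request(recipient: str, address: str, amount_sat: int, request_id: str) -> dict:
    """Recipient side: a signed request for amount_sat to address, with a unique request_id."""
    body = {"recipient": recipient, "address": address,
            "amount_sat": amount_sat, "request_id": request_id}
    sig = hmac.new(RECIPIENT_KEYS[recipient], _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": sig}


def verify_payment_request(req: dict) -> bool:
    """Cold side: check the signature against the stored key for the named recipient."""
    key = RECIPIENT_KEYS.get(req.get("recipient"))
    if key is None:
        return False  # unknown recipient: nothing to verify against
    body = {k: v for k, v in req.items() if k != "sig"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(req.get("sig", "")))


def check_before_signing(outputs: List[Tuple[str, int]], requests: List[dict]) -> List[str]:
    """Return the problems found in an unsigned transaction; an empty list means OK to sign.

    outputs:  (address, amount_sat) pairs as they appear in the transaction to be signed
    requests: signed payment requests that are supposed to justify those outputs
    """
    problems: List[str] = []
    unused: Dict[Tuple[str, int], List[str]] = {}
    seen_ids = set()
    for req in requests:
        rid = req.get("request_id")
        if not verify_payment_request(req):
            problems.append(f"request {rid}: bad signature or unknown recipient")
            continue
        if rid in seen_ids:
            problems.append(f"request {rid}: duplicate request id")
            continue
        seen_ids.add(rid)
        unused.setdefault((req["address"], req["amount_sat"]), []).append(rid)
    for address, amount_sat in outputs:
        if address in COLD_CHANGE_ADDRESSES:
            continue
        ids = unused.get((address, amount_sat))
        if not ids:
            problems.append(f"output {amount_sat} sat -> {address}: no matching signed request")
            continue
        ids.pop()  # each request justifies exactly one output
    return problems


if __name__ == "__main__":
    # Constructed scenario: the warm wallet asks for 0.5 BTC; the attacker swaps the output address.
    req = sign_payment_request("warm-wallet", "1WarmWalletAddressPLACEHOLDER", 50_000_000, "req-1")
    honest = [("1WarmWalletAddressPLACEHOLDER", 50_000_000), ("1ColdWalletChangeAddressPLACEHOLDER", 7_000)]
    swapped = [("1AttackerAddressPLACEHOLDER", 50_000_000), ("1ColdWalletChangeAddressPLACEHOLDER", 7_000)]
    print("honest :", check_before_signing(honest, [req]) or "OK to sign")
    print("swapped:", check_before_signing(swapped, [req]) or "OK to sign")
```

Two design choices worth spelling out: the amount is part of what is signed, so an attacker who controls the transaction-building machine cannot keep a good address and inflate the value; and request ids are tracked so that one signed request cannot be replayed to justify several outputs in the same batch (a persistent store of consumed ids would extend that across batches).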
Anyway the good news is there is a lot that could be done to prevent address tampering; but the bad news is we’re not currently doing it.
So what will probably happen is some huge heist will happen with address tampering (most likely at mtgox) and then there will be a mad scramble to stop this after the fact.
I will try to resist crying “Told ya!” when this happens. People hate that.
Meanwhile… to the moon!
Note: StandardCrypto security officer Mike Klein and I have had a number of conversations about gaming cold wallet security, so I’d like to give Mike credit concerning where a lot of these ideas originated. Especially the really evil ones.