Research: Hackers Could Install Backdoor in Bitcoin Cold Storage

A researcher in Berlin has described a way to compromise a core algorithm underpinning bitcoin so that transactions leak private-key data.

AccessTimeIconJan 16, 2015 at 10:35 a.m. UTC
Updated Sep 11, 2021 at 11:27 a.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

Even a bitcoin wallet in cold storage, widely thought to be the most secure way to hold the digital currency, could leak its private keys to an attacker, a security researcher has found.

An attacker could reverse-engineer a compromised wallet's private keys from as little information as a single transaction issued by that wallet.

The attack is particularly worrying because it would be successful even if the victim maintained a wallet on an air-gapped machine without an Internet connection – or even in space, as wallet provider Xapo is attempting to do –  according to the paper by Stephan Verbücheln.

Verbücheln, a researcher at Humboldt University's Institute for Computer Science in Berlin, said:

"The attacker only has to watch the blockchain until two [compromised] signatures appear ... the affected signatures are not detectable by anyone other than the attacker."

Conventional wisdom has it that coins in cold storage are safe from attacks because the private keys never come in contact with the Internet or any other network.

In general, this is true. Even if the cold storage device could be compromised by malware, stolen private keys would fail to be transmitted to a thief because it isn't connected to the Internet.

How it works

Verbücheln's paper, which is titled, How Perfect Offline Wallets Can Still Leak Bitcoin Private Keys, sets out an attack that centres on bitcoin's cryptographic algorithm.

This mathematical formula, known as ECDSA or the Elliptic Curve Digital Signature Algorithm, is used in the bitcoin protocol to ensure funds can be only be spent by their rightful owners.

When a bitcoin transaction takes place, it contains one or more ECDSA signatures. The number of signatures in a transaction depends on the number of inputs that it contains and are used to prove the transactions were authorised by their rightful owners. The amount of bitcoin contained in a transaction consists of the sum of its inputs.

The attacker must first create a compromised version of ECDSA. This is achieved with a kleptographic 'SETUP', or 'Secretly Embedded Trapdoor with Embedded Protection', which was first described in a 1997 paper by Adam Young and Moti Yung. That paper described a similar attack on the Digital Signature Algorithm, on which ECDSA is based.

Each time a bitcoin transaction is signed, the signature is generated partly from a random number known as 'k'. The compromised ECDSA uses a specific formula to select 'k', which is in turn used to compute a further value 'k2'.

The attacker will now watch for consecutive signatures signed by the compromised ECDSA. Because he knows how 'k2' was computed in the first place, he will be able to calculate that value from two consecutive signatures. With 'k2' in hand, the attacker can work backwards to calculate 'k' and the private key to that address.

"After the attacker knows 'k2' for an ECDSA signature, it is easy for him to compute the private key," Verbücheln said.

An observer of the blockchain – and even the attacker himself –  looking at signatures from this compromised elliptic curve would not be able to detect any faults. Unlike a general observer, however, the attacker would be running his extraction formula on every signature on the blockchain, hoping to find the 'k2' value from signatures generated by his malicious ECDSA.

Eventually, the attacker will hit on the signatures signed by his handiwork, allowing him to discover 'k2' and ultimately derive the addresses' private key.

"He can now store the extracted private keys and watch the addresses' balance. He can use them to steal money at any point in time," Verbücheln said.

The good news

Verbücheln said his paper has not been submitted for publication yet, although he is giving a talk on the topic at a conference in Amsterdam next week.

While the scenario described by Verbücheln is frightening – private keys essentially leaked to the blockchain – the good news is that it's a difficult attack to carry out on a large scale.

, a researcher at the University of Luxembourg's cryptology research group, said an attempt to smuggle compromised ECDSA code into a popular open-source wallet, for example, would be discovered by the public.

"In open-source [software] on a large scale ... The code will be analysed at some point in time and the malicious implementation detected," he said.

Verbücheln largely shares this assessment, although he cautions that some pieces of open-source code are so large and complex that even a dedicated community of developers may not detect a malicious addition.

Both Verbücheln and Pustogarov say that the most likely way for such an attack to be mounted would be through dedicated wallet services running proprietary software. Devices designed specifically for secure cold-storage of coins, for example, would be prime candidates for this sort of attack.

"Even if the manufacturer claims that it runs open-source code, how do you tell whether it is actually running what you compiled?" Verbücheln said.

According to Pustogarov, the Verbücheln paper describes an attack that is related to the 'repeated r-values' flaw that white-hat hacker 'Johoe' famously exploited to grab more than 500 BTC from wallet provider Blockchain.

"These two issues are related. The [Verbücheln] paper describes a more general approach, and repeated r-values is a sub-case," he said.

Verbücheln said he does not know if the attack he described has actually been carried out. Nevertheless, the possibility that one of the core cryptographic algorithms underpinning bitcoin could be cunningly compromised, allowing a thief to pick the lock of even the most secure addresses, presents a chilling scenario.

"This attack has been known for many years for related crypto systems, so you can't know for sure," he said.

Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.


Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.