The recently disclosed computer vulnerabilities Meltdown and Spectre offer yet another reminder of how hard the digital age makes it to keep private information – even cryptocurrency private keys – safe.
Unveiled Wednesday, the widespread hardware vulnerabilities affect Intel, ARM and AMD chips alike, which power the vast majority of the world's computers, mobile devices and servers. They make it possible to steal private data such as passwords, financial information or just about anything else held in memory on a device that uses one of these chips.
For cryptocurrency in particular, this matters because attackers could potentially use these flaws to pinch the private keys that allow users to control their bitcoin on the blockchain.
And though there's no evidence that any passwords have been compromised, experts say it wouldn't be surprising if hackers or the NSA have been exploiting the attack.
If you're already following best practices for cryptocurrency storage, then you're probably fine. But if not, or if you're a newer user, experts say it's important to keep private keys on a safe device.
"Better safe than sorry," Bitcoin Core developer Bryan Bishop told CoinDesk, adding:
It's important to note that the advice to store private keys on a secure device is nothing new. (Crypto developers have long warned against storing private keys on laptops or other devices that interact with the internet.)
But the reasons why might not be obvious for newer users. Even though bitcoin and other cryptocurrencies are secure protocols, they must interact with the open internet and regular computers. In short, storing private keys so close to the internet can potentially expose users to hacks and theft.
And the new CPU vulnerabilities make the situation even worse, since a chain of otherwise ordinary actions on such a device can now end in compromise.
"If the protected memory problem is real, then a browser plugin or even a website may access your private keys," said Bitcoin Core contributor Jonas Schnelli.
The full details of the issue aren't yet public, so it's unclear what the precise attack vectors are. Still, others suggested a similar impact could be likely.
"To get hit by this attack, all you would have to do is click a link by accident and maybe you end up on a website that serves a bad ad with the malware code that steals your data," Bishop added.
And while these scenarios might sound far-fetched, much of today's malware preys on unpatched vulnerabilities of just this kind. It's simply impossible to know whom they'll actually hit, or when.
Operating system fixes are now available, and users should apply them to patch their Windows, Mac and Linux devices. But for cryptocurrency users, the better option is not to store private keys on an internet-connected device at all, a recommendation that long predates this particular vulnerability.
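Applying the fix is only half the job; a practitioner also wants to confirm the mitigation is actually active. The following is an added example, not part of the article: on Linux, kernels that carry the fixes report their status under /sys/devices/system/cpu/vulnerabilities/, one file per issue, and this script reads those files. The directory is a parameter so the check can also be run against a constructed sample, which the script builds for offline use.

```shell
#!/bin/sh
# Added example (not from the CoinDesk article). Reads the per-issue status
# files Linux exposes under /sys/devices/system/cpu/vulnerabilities/ and flags
# any entry whose status begins with "Vulnerable".

# check_mitigations [DIR]
#   Prints "<issue>: <status>" for each file in DIR (default: the live sysfs
#   directory). Returns 0 if everything is mitigated or not affected, 1 if at
#   least one issue is still vulnerable, 2 if the directory does not exist
#   (a kernel too old to report, which should be treated as unpatched).
check_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel does not report mitigation status" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            Vulnerable*) echo "$name: $status  <-- UNMITIGATED"; rc=1 ;;
            *)           echo "$name: $status" ;;
        esac
    done
    return $rc
}

# make_sample
#   Builds a constructed copy of the sysfs directory: Meltdown and Spectre v1
#   mitigated, Spectre v2 still vulnerable. Prints the directory path.
make_sample() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
    echo "Vulnerable" > "$d/spectre_v2"
    echo "$d"
}

# Demonstration against the constructed sample; run check_mitigations with
# no argument to inspect the live kernel instead.
sample=$(make_sample)
check_mitigations "$sample" || echo "result: at least one mitigation missing (rc=$?)"
```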
One option is to store private keys on a so-called "hardware wallet," such as a Ledger or Trezor. The small devices might not be quite as easy to use, but they are more secure in that they're not connected to the internet.
Pavol Rusnak, CTO of SatoshiLabs, the company behind Trezor, went as far as to argue, "Using a [hardware] wallet is now more important than ever!" Ethereum developer Lefteris Karapetsas, meanwhile, quipped, "I bet Spectre and Meltdown is the best thing that could have happened for cryptocurrency cold wallet businesses."
Exchange treasure troves
Beyond solo consumer devices, a much bigger, more worrying target is cryptocurrency exchanges and businesses, which store cryptocurrency private keys for millions of users at once.
Some cryptocurrency exchanges use cloud hosting services such as Amazon Web Services and Google Cloud to run their websites, rather than spin up their own servers.
While these platforms make websites easier to manage, the hardware they run on is shared among customers, which makes them particularly exposed to these attacks. A hacker could theoretically spin up a server on the same physical hardware as a cryptocurrency startup running on such a cloud platform and suddenly have access to all of its data.
In the crypto world, a hacker could hypothetically use this attack vector to steal private keys.
On the one hand, many of the most popular cloud platforms quickly rolled out fixes. On the other hand, researchers worry that such deep-rooted vulnerabilities could spawn unfixed variants, with lingering effects still to come.