On April 23, the security consulting firm Independent Security Evaluators (ISE) published a document concerning a number of unsound public and private key pairs tied to the Ethereum blockchain. The probability of chance needed to crack 256-bit encryption would take years for hackers to access random private keys. However, ISE recently queried 49,060 ETH transactions which found 732 “weak” public keys, essentially revealing the corresponding private keys.
732 Private Keys and Discovering the Blockchain Bandit
An independent security consulting firm headquartered in Baltimore, Maryland has recently released a new study concerning “weak keys” found on the Ethereum blockchain. The researchers ISE detail that this trend could be detected on any blockchain implementation that uses public key signing based on ECDSA encryption. According to ISE they devised a scheme that can discover private keys that were generated by using either faulty code or defective random number generators (RNG), and a combination of both.
While studying the matter, ISE found an individual or group they dubbed ‘Blockchain Bandit’ who has been pilfering these weak key addresses. ISE claims Blockchain Bandit managed to steal 37,926 ETH valued at $54.3 million by January 13, 2018.
“Even when faced with this statistical improbability, ISE discovered 732 private keys as well as their corresponding public keys that committed 49,060 transactions to the Ethereum blockchain,” explains the study. “Additionally, we identified 13,319 Ethereum that was transferred to either invalid destination addresses, or wallets derived from weak keys that at the height of the Ethereum market had a combined total value of $18,899,969.”
Highly Successful Hacking Campaigns
In addition to the 732 key pairs found, there were 60,286,012 ERC20 based tokens held within these keys. ISE says with 50 million public Ethereum addresses there’s likely to be some weak keys found or a general lack of randomness. One of the biggest would be key truncation which is when the key length of the symmetric 256-bit encryption is generated but only a small subset is used due to errors. All kinds of errors can exist like type confusion, random device or RNG errors, seed re-use, memory reference errors, memory corruption, code logic errors and entropy errors. While querying another region of key space on the chain, the researchers discovered more vulnerable key pairs.
“Scanning this region of the key space yielded 8,920 transactions through 464 private keys,” the ISE paper details. “The total value of transactions using these weak private keys was 28.9456 Ethereum — While transactions are common in this range, there is currently a balance of 0 ETH.”
The ISE paper underscores that the use of weak private key pairs is not a “widespread problem” and it took the researchers 1024 hours total to complete the task. But the researchers note that any similar cryptographic algorithms can be examined for key generation errors which would include networks like BTC, ZEC, XRP, XMR and others. Because these cryptocurrencies are so popular, ISE can envision “highly successful hacking campaigns ongoing to steal these virtual currencies.” If the cryptocurrency network effect continues to grow, ISE stresses that software developers who build infrastructure need to incorporate every defense mechanism available to keep private keys safe. Innovative measures need to be taken to counter successful attackers like Blockchain Bandit and future hacking attempts.
What do you think about the private keys found by ISE due to errors and weak key pairs? Let us know what you think about this subject in the comments section below.
Image credits: Shutterstock, Independent Security Evaluators (ISE), and Pixabay.
Have you tried the open source, noncustodial Bitcoin.com Wallet? Try it today over 3.9 million wallets created so far!