Millions of cryptocurrency wallets created between 2011 and 2015 are potentially affected by an open source software vulnerability and might need to be regenerated, according to new research from Unciphered.
While helping a customer regain access to a locked Bitcoin wallet last year, Unciphered discovered issues in the open source JavaScript Bitcoin library BitcoinJS that required further investigation. Security researchers at the cryptocurrency recovery firm confirmed that the vulnerability stemmed from a string of programming mistakes -- and realized they were not the first to uncover the cryptocurrency threat.
Unciphered worked on the vulnerability for the last 22 months, engaging in coordinated disclosure with multiple entities, proving that its researchers could break into crypto wallets, working on remediations and alerting millions of users. Public disclosure proved difficult because researchers did not want to tip off attackers.
In addition, because patching alone is insufficient, researchers had to identify and notify cryptocurrency wallet developers that were active between 2011 and 2015 and ask them to warn customers if possible.
Like the disclosure process, the vulnerability itself was not straightforward. There is no CVE for the flaw, but it affects the random numbers generated to secure cryptocurrency wallets. In addition, the researchers discovered other issues that, if combined, would allow attackers to gain access to wallet keys. Researchers dubbed the threat "Randstorm."
"Randstorm() is a term we coined to describe a collection of bugs, design decisions, and API changes that, when brought in contact with each other, combine to dramatically reduce the quality of random numbers produced by web browsers of a certain era (2011-2015)," Unciphered wrote in its FAQ. "Large random numbers are a critical ingredient in the overall security of blockchain technology."
Unciphered disclosed technical details in another blog post Tuesday. Researchers pinpointed the source of the vulnerability to the SecureRandom() function found in the JSBN JavaScript library, which BitcoinJS used through 2014.
The vulnerability chain combines the SecureRandom() function "with weaknesses that existed in major browser implementations of Math.random()." As a result, Bitcoin private keys could have been generated with less than the required amount of entropy, making them more vulnerable to attacks.
While an exact time frame was difficult to establish, researchers observed vulnerable wallets being generated from 2011 to 2015. Bitcoin wallets were affected, and Dogecoin wallets might be as well.
The investigation also determined that Unciphered was not the first to discover security issues in BitcoinJS. Reports of vulnerabilities in the SecureRandom() function that affected numerous cryptocurrency products were detailed in 2018, while issues related to Math.random() dated back to 2015.
Since discovery in January 2022, Unciphered said it has notified Blockchain.com, BitGo, Block.io/Dogechain.info, BitPay, Blockstream Green, Bitaddress.org, Coinkite and BitcoinJS. Not all notified vendors were affected, and Unciphered warned that there could be other unidentified affected parties.
Researchers added that attack impact also varies. Factors include how long the vulnerable code was used, what additional mitigations were enacted and the size of the user base at the time.
"Typically, in order for this attack to be feasible, an attacker would need something which was generated from Math.random() at the time of wallet generation -- this would typically be the wallet GUID or IV. This reduces the amount of necessary work anywhere from 32 to 64-bits," the blog read.
Researchers warned that the vulnerability "potentially affects millions of cryptocurrency wallets" generated between 2011 and 2015. Unciphered estimated that approximately 1.4 million bitcoin are contained in wallets with weak keys. "If we conservatively estimate that only 3-5% of wallets generated during that time were affected, the current value of coins at risk is between 1.2 - 2.1 billion USD (assuming 1 BTC=$30,000)," the company wrote in the FAQ.
While the potential attack scope and fallout could be substantial, Unciphered said the BitcoinJS vulnerability speaks to a bigger issue with the software supply chain that researchers illustrated with an image from the popular webcomic XKCD.
"Almost all substantial software development projects rely on third party libraries. As articulated in the cartoon above, it is not uncommon for popular code to be reliant on projects which are under-staffed or even abandoned," the blog read.
Unciphered highlighted a warning taken from BitcoinJS's GitHub page that urged users to "audit and verify any underlying code." That recommendation should apply for code taken from any open source project, according to the blog.
While Randstorm has not been exploited yet, researchers confirmed that it is possible. Recent attacks show that cryptocurrency remains a popular target for threat actors.
"In the event that software used to generate wallets is discovered to have created vulnerable wallets, the only solution is for the users to move the assets to new wallets, or have those users legally direct someone else to do it on their behalf," the blog read. "This is why we are still dealing with this vulnerability in 2023."
Arielle Waldman is a Boston-based reporter covering enterprise security news.
Source: Cryptocurrency wallets might be vulnerable to 'Randstorm' flaw - TechTarget