Latest news about Bitcoin and all cryptocurrencies. Your daily crypto news habit.
On April 23, the security consulting firm Independent Security Evaluators (ISE) published a document concerning a number of unsound public and private key pairs tied to the Ethereum blockchain. The probability of chance needed to crack 256-bit encryption would take years for hackers to access random private keys. However, ISE recently queried 49,060 ETH transactions which found 732 âweakâ public keys, essentially revealing the corresponding private keys.
Also read: Bitcoin Cash Markets and Network Gather Strong Momentum in Q1
732 Private Keys and Discovering the Blockchain Bandit
An independent security consulting firm headquartered in Baltimore, Maryland has recently released a new study concerning âweak keysâ found on the Ethereum blockchain. The researchers ISE detail that this trend could be detected on any blockchain implementation that uses public key signing based on ECDSA encryption. According to ISE they devised a scheme that can discover private keys that were generated by using either faulty code or defective random number generators (RNG), and a combination of both.
âWe discovered that funds from these weak-key addresses are being pilfered and sent to a destination address belonging to an individual or group that is running active campaigns to compromise/gather private keys and obtain these funds,â the ISE report reveals.
While studying the matter, ISE found an individual or group they dubbed âBlockchain Banditâ who has been pilfering these weak key addresses. ISE claims Blockchain Bandit managed to steal 37,926 ETH valued at $54.3 million by January 13, 2018.
âEven when faced with this statistical improbability, ISE discovered 732 private keys as well as their corresponding public keys that committed 49,060 transactions to the Ethereum blockchain,â explains the study. âAdditionally, we identified 13,319 Ethereum that was transferred to either invalid destination addresses, or wallets derived from weak keys that at the height of the Ethereum market had a combined total value of $18,899,969.â
The number of all the Ethereum private/public keypairs the researchers have access to according to the study.
Highly Successful Hacking Campaigns
In addition to the 732 key pairs found, there were 60,286,012 ERC20 based tokens held within these keys. ISE says with 50 million public Ethereum addresses thereâs likely to be some weak keys found or a general lack of randomness. One of the biggest would be key truncation which is when the key length of the symmetric 256-bit encryption is generated but only a small subset is used due to errors. All kinds of errors can exist like type confusion, random device or RNG errors, seed re-use, memory reference errors, memory corruption, code logic errors and entropy errors. While querying another region of key space on the chain, the researchers discovered more vulnerable key pairs.
âScanning this region of the key space yielded 8,920 transactions through 464 private keys,â the ISE paper details. âThe total value of transactions using these weak private keys was 28.9456 Ethereum â While transactions are common in this range, there is currently a balance of 0 ETH.â
The 8,920 ETH queried transactions that show 464 private keys.
The ISE paper underscores that the use of weak private key pairs is not a âwidespread problemâ and it took the researchers 1024 hours total to complete the task. But the researchers note that any similar cryptographic algorithms can be examined for key generation errors which would include networks like BTC, ZEC, XRP, XMR and others. Because these cryptocurrencies are so popular, ISE can envision âhighly successful hacking campaigns ongoing to steal these virtual currencies.â If the cryptocurrency network effect continues to grow, ISE stresses that software developers who build infrastructure need to incorporate every defense mechanism available to keep private keys safe. Innovative measures need to be taken to counter successful attackers like Blockchain Bandit and future hacking attempts.
What do you think about the private keys found by ISE due to errors and weak key pairs? Let us know what you think about this subject in the comments section below.
Image credits: Shutterstock, Independent Security Evaluators (ISE), and Pixabay.
Have you tried the open source, noncustodial Bitcoin.com Wallet? Try it today over 3.9 million wallets created so far!
Disclaimer
The views and opinions expressed in this article are solely those of the authors and do not reflect the views of Bitcoin Insider. Every investment and trading move involves risk - this is especially true for cryptocurrencies given their volatility. We strongly advise our readers to conduct their own research when making a decision.