This presentation covers the basics of what cryptocurrencies are, some major hacks, and a walkthrough of vulnerabilities emerging from cryptocurrency ecosystems.
A Look Into Emerging Security Issues Within Cryptocurrency Ecosystems
1. A Look Into Emerging Security Issues Within Cryptocurrency Ecosystems
Beau Bullock
Mike Felch
2. Overview
• Brief background on what cryptocurrencies are
• Various elements of the cryptocurrency ecosystem
• A history of some major hacks
• Some general vulnerabilities
• Some blockchain-specific vulnerabilities
3. About Us
• Mike Felch - @ustayready
  • Pentest / Red team at BHIS
  • Involved w/ OWASP Orlando and BSides Orlando
• Beau Bullock - @dafthack
  • Pentest / Red team at BHIS
  • Podcaster, blogger, and guitarist
• Tradecraft Security Weekly hosts
• CoinSec Podcast hosts
4. What Are Cryptocurrencies?
• Digital currencies that typically utilize a blockchain to regulate the generation of the currency, and verify the transfer of funds, usually in a decentralized manner.
• There are over 1500 coins/tokens listed on coinmarketcap.com
  • Some of these have unique blockchains
  • Others are tokens built on top of blockchains using smart contracts.
6. Ecosystem: Blockchain
• A digitized, decentralized, public ledger of all transactions
• A combination of:
  • Private key cryptography
  • Peer-To-Peer (P2P) Network
  • Protocol governing incentivization
• Records cannot be retroactively altered
• Every node has a copy of the blockchain
8. Ecosystem: Nodes & Miners
• Full Nodes
  • Download every block and transaction and check them against the protocol’s consensus rules
  • Maintain the decentralized “backup”
• Miners
  • Verify transactions and assemble them into a block
  • Solve a Proof-of-Work problem
  • Add block to the blockchain
  • Get rewarded
9. Ecosystem: Wallets
• Wallets hold your private keys
  • Anyone that has your private keys can control your wallet
  • If you lose your private keys, your coins are gone
• Web/Mobile Wallets
  • Third-party hosted wallet using a web-based application for a user interface
  • Might be convenient but you don’t control your private keys
10. Ecosystem: Wallets
• Desktop Wallets
  • Wallets are local to your computer
  • Full nodes require the full blockchain to be downloaded
  • At risk of hackers compromising your system
• Hardware Wallets
  • Private keys are encrypted on a hardware device, usually protected by a PIN
  • The software for interacting with the device can be prone to MiTM attacks
• Paper Wallets
  • Private keys are printed and never stored digitally
  • If destroyed, coins are lost
11. Ecosystem: Exchanges
• Websites that facilitate the ability to exchange fiat currency for cryptocurrency
  • $, €, £, ¥, etc. → BTC, ETH, LTC, etc.
• …or cryptocurrency for other cryptocurrency
  • BTC, ETH, LTC, etc. → BTC, ETH, LTC, etc.
• Extremely high-value targets for attackers
12. Ecosystem: Smart Contracts
• Code that sits on the blockchain
• Can be self-executing and self-enforcing
• Exchange of currency, data, shares, etc.
• Polls/elections (commit-reveal)
• Removes the third party from deals
• Anyone can see (and execute) unless secured
• Can’t be reversed
• Not for EVERYTHING!
13. Ecosystem: ICOs
• Initial Coin Offering (ICO)
  • A fundraising mechanism in which projects sell their underlying tokens
  • Ethereum raised $19 million in 2014
  • The DAO raised over $150 million in 2016
• Most of the ICO world is riddled with scams
  • Some Ponzi schemes, some have no working platform, some take the money then disappear
• Participants are highly targeted by phishers
15. Ecosystem: Malware
• Ransomware
  • Generally requests payment in Bitcoin to decrypt files held ransom
  • WannaCry – Estimated to have infected more than 200,000 systems
• Mining Malware
  • Coinhive – A JavaScript-based miner embedded in websites
  • WannaMine – Similar to WannaCry – Uses EternalBlue to infect, then mines
17. Some Major Events
• Mt. Gox - Feb. 2014 - 850,000 bitcoins went “missing” ($450 million at the time)
• The DAO Hack - June 2016 - 3.6 million Ethereum stolen ($50 million at the time)
• Parity Hack - Nov 2017 - $155 million of Ethereum “locked” forever
• Coincheck - 2 weeks ago - $533 million of NEM stolen from a hot wallet
• …Oh and $1.5 million is stolen from ICOs every month
19. General AppSec Vulns
• Overstock.com Payment Vulnerability
  • They accept Bitcoin for payments but users could pay with Bitcoin Cash instead (which is valued way lower)
  • Buy a $78 item for $12
  • Refunds were in Bitcoin
• EtherDelta Cross-Site Scripting
  • XSS injected into custom contract
  • Tricked user into adding the malicious token
  • Stole private keys
Image source: https://krebsonsecurity.com/2018/01/website-glitch-let-me-overstock-my-coinbase/
20. Weak or No Encryption
• BitPay/Copay apps wrote new wallet’s private keys to disk prior to encryption
• Jaxx wallet – 12 word backup phrase stored with hardcoded encryption key
• Coinomi wallet – Sent data in plaintext to Electrum servers leaking addresses
• Blockfolio app – Unauthenticated and unencrypted retrieval of crypto holdings
21. DNS Hijacking
• DNS Hijacking – An attacker compromises a site’s DNS server and redirects user traffic to a malicious site
• Blackwallet Hack
  • Hijacked DNS and injected code to drain accounts with more than 20 Lumens
  • $400,000 worth of Stellar Lumens stolen
• EtherDelta Hack
  • $250,000 worth of Ether stolen
Image Source: http://resources.infosecinstitute.com/attacks-over-dns
22. Insecure JSON-RPC
• Electrum Wallet
  • For over 2 years the JSON-RPC interface could be communicated with via JavaScript
  • Simply having the wallet open and surfing the web could allow for private keys to be stolen
  • Even with a password it still allows for potential brute force attacks
  • Reported on GitHub Nov. 2017, then again by Tavis Ormandy in Jan 2018
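The controls this slide implies for a wallet's local JSON-RPC listener, as an added Python sketch that is not code from the presentation or from Electrum: refuse browser-originated requests, require a random token, and lock out repeated bad guesses. The `RpcGate` class, port 7777 and the limits are hypothetical.

```python
import hmac
import secrets
import time

# Hypothetical values for this sketch: port 7777 and the limits are made up.
ALLOWED_HOSTS = {"127.0.0.1:7777", "localhost:7777"}
MAX_FAILURES = 5
LOCKOUT_SECONDS = 300


class RpcGate:
    """Decides whether a request may reach a wallet's local JSON-RPC handler."""

    def __init__(self, token=None, clock=time.monotonic):
        # Random per-session secret; a local client reads it from a
        # user-only file, a web page cannot.
        self.token = token or secrets.token_urlsafe(32)
        self.clock = clock
        self.failures = 0
        self.locked_until = 0.0

    def check(self, headers):
        """Return (http_status, reason) for a request's headers."""
        h = {k.lower(): v for k, v in headers.items()}
        # Only answer to the loopback names we serve (blocks DNS rebinding).
        if h.get("host") not in ALLOWED_HOSTS:
            return 403, "unexpected Host header"
        # Browsers attach Origin to cross-site POSTs; a local CLI does not.
        if "origin" in h:
            return 403, "browser-originated request refused"
        # Throttle guessing: refuse everything while locked out.
        if self.clock() < self.locked_until:
            return 429, "locked out after repeated bad tokens"
        supplied = h.get("authorization", "").encode()
        expected = ("Bearer " + self.token).encode()
        if not hmac.compare_digest(supplied, expected):  # constant-time compare
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked_until = self.clock() + LOCKOUT_SECONDS
                self.failures = 0
            return 401, "bad or missing token"
        self.failures = 0
        return 200, "ok"


if __name__ == "__main__":
    gate = RpcGate(token="constructed-token")
    ok = {"Host": "127.0.0.1:7777", "Authorization": "Bearer constructed-token"}
    print(gate.check(ok))
    print(gate.check(dict(ok, Origin="https://example.test")))
```

The listener should also never send a permissive `Access-Control-Allow-Origin` header, since that is what lets a page's script read the response.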
24. A Majority Attack
• Also known as the 51% attack
• Potentially allows the attacker to “double-spend” their own coins
• Can prevent some transactions from gaining confirmations
• Can prevent some or all of other miners from mining any valid blocks
25. Implementation Vulns
• Short Addresses
  • In Lisk, addresses are 64-bit numbers, such as: 3040783849904107057L
  • Derived deterministically from a passphrase
    • SEED = SHA-256(passphrase)
    • ED25519 KEYPAIR = SHA-512(seed) & scalar multiplication
    • ADDRESS = Last 8 bytes of SHA-256(public key)
  • Preimage can be derived in approximately 2^64 evaluations
• No Address-Key Binding
  • In Lisk, addresses aren’t bound to a keypair until it has sent tokens to another address
  • Attacker can derive preimage and hijack the account
Source: https://research.kudelskisecurity.com/2018/01/16/blockchains-how-to-steal-millions-in-264-operations/
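Why the address width and the key binding on this slide matter, as an added Python sketch that is not from the presentation or Lisk's code. Public keys are constructed 32-byte stand-ins (the ed25519 step is skipped), the address is cut to 16 bits so the effect shows up immediately, and the `Ledger` class is hypothetical.

```python
import hashlib

# Constructed stand-in for an account owner's 32-byte ed25519 public key.
OWNER_KEY = hashlib.sha256(b"constructed owner key").digest()


def address(pubkey, nbytes=8):
    """Slide's rule: address = last `nbytes` of SHA-256(public key).
    Reading those bytes as a big-endian integer is an assumption."""
    return int.from_bytes(hashlib.sha256(pubkey).digest()[-nbytes:], "big")


def colliding_key(target, nbytes, limit):
    """Try counter-derived stand-in keys; return (key, tries) or (None, limit)."""
    for i in range(limit):
        cand = i.to_bytes(32, "big")
        if address(cand, nbytes) == target:
            return cand, i + 1
    return None, limit


class Ledger:
    """Toy ledger: an address is bound to a key by its first outgoing tx."""

    def __init__(self):
        self.bound = {}

    def authorize_spend(self, pubkey, nbytes=8):
        addr = address(pubkey, nbytes)
        owner = self.bound.setdefault(addr, pubkey)  # first spender binds
        return owner == pubkey


if __name__ == "__main__":
    width = 2  # 16-bit toy address so the search finishes instantly
    other, tries = colliding_key(address(OWNER_KEY, width), width, 1 << 22)
    print(f"{8 * width}-bit address matched by a different key after {tries} tries")
    funded_only, bound = Ledger(), Ledger()
    bound.authorize_spend(OWNER_KEY, width)  # owner has sent one transaction
    print("never-spent address accepts other key:",
          funded_only.authorize_spend(other, width))
    print("bound address accepts other key:",
          bound.authorize_spend(other, width))
    for bits in (16, 64, 160, 256):
        print(f"{bits:3d}-bit address: about 2^{bits} keys to try")
```

Each extra address bit doubles the search, and once the owner's key is bound to the address a second key that maps to it is rejected.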
27. EVM: Virtual Machine
• Run-time environment for smart contracts
• Minimal instruction set (256 bit words)
• Arithmetic, bit, logical, comparisons
• Stack machine (not a register machine)
• Contracts have storage, memory and stack
• Isolated sandbox from network/fs/procs
• Reusable code using delegate calls
• Contracts can be made to self-destruct
• Language, compilers and bytecode *oh my*
31. Securing Smart Contracts
• Truffle: Develop, test, audit and deploy
• Solium: Do code reviews
• Mythril: Vulnerability scan contracts
• OpenZeppelin: Use security libraries
• Manticore: Fuzz, Crash and Taint analysis
• Ethernaut: Hack contracts CTF style
• Ropsten: Deploy to Ethereum test networks
-Pentest all the things-
32. Conclusion
• Don’t let the negative stigma around “blockchain” stifle your involvement
• “Blockchain” has become a buzzword but some extremely innovative technologies have already been, and will continue to be, developed
• Many companies are looking to integrate blockchain blindly
• Vulnerabilities are surfacing in all aspects of the ecosystem including the wallets, exchanges, smart contracts, even blockchains themselves
• New attack surfaces are forming
• There’s much more research to be done around securing the cryptocurrency ecosystem
33. Resources
• NIST – Guidance on Blockchain - https://csrc.nist.gov/CSRC/media/Publications/nistir/8202/draft/documents/nistir8202-draft.pdf
• DEF CON 25 – Hacking Smart Contracts by Konstantinos Karagiannis - https://www.youtube.com/watch?v=WIEessi3ntk
• OpenZeppelin – https://openzeppelin.org/
• Ethernaut - https://ethernaut.zeppelin.solutions/
• Trail of Bits Blog - https://blog.trailofbits.com/
• Solidity - http://solidity.readthedocs.io/en/develop/
• Whitepaper on attacks - https://eprint.iacr.org/2016/1007.pdf
34. Questions?
• Black Hills Information Security
• http://www.blackhillsinfosec.com/
• Beau - @dafthack
• Mike - @ustayready
• CoinSec Podcast - @coinsecpodcast
• https://www.coinsecpodcast.com