An individual or group of hackers have managed to amass over $54m in stolen digital currency by raiding digital wallets improperly secured with private keys, according to a new report.
Consultancy Independent Security Evaluators (ISE) claimed the “Blockchainbandit” had taken advantage of poorly implemented private keys to transfer nearly 38,000 in Ethereum (ETH) out of the targeted wallets to one under its control.
That was the figure as of January 13, 2018, but it may be many times greater today, the firm warned. In a test operation, it placed a dollar’s worth of ETH in a weak private key-derived wallet and saw it transferred out to the attacker within seconds.
In total, ISE claimed it was able to guess or duplicate 732 weak private keys in use on the Ethereum blockchain, highlighting a potential issue with key generation by developers.
The firm suggested that programming errors in the software generating these keys has made them easy to brute force.
It hypothesized that a 256-bit private key may have been truncated due to coding mistakes, meaning it’s insufficiently complex. Other possible errors suggested by the researchers included “error codes used as keys, memory reference issues, object confusion, stack corruption, heap corruption, or unchecked pre-compiled coding errors.”
It’s even possible that users were allowed to choose their own keys, it’s claimed.
“The bottom line is that a private key needs to be random, unique, and practically impossible to guess in a brute force attack,” argued ISE executive Partner, Ted Harrington.
ISE urged developers to use well-known libraries or platform-specific modules for random number generation; use a cryptographically secure pseudo-random number generator; audit code for truncated keys; and use multiple sources of entropy. It also claimed developers should review NIST guidelines on cryptographic random number generation.