Software Development
Cryptocurrency / Cybersecurity

ISE research spotlights cryptocurrency vulnerabilities, and theft

Baltimore-based Independent Security Evaluators believes a "blockchainbandit" is exploiting private keys to steal currency on the Ethereum platform. The research was featured in Wired.

Independent Security Evaluators' North Baltimore office. (Photo courtesy of ISE/Sam Levin)

Baltimore-based Independent Security Evaluators (ISE) has new research out Tuesday that shows a vulnerability in the private keys used for transactions on the Ethereum blockchain platform, and theft that occurred as a result.

Ethereum is among a number of decentralized platforms that allow for public ledgers of transactions. Users create wallets, which are protected by a user’s private key that is 78 numbers long and often randomly generated.

Despite long statistical odds of being able to guess a private key, ISE researchers were able to identify more than 700 private keys on the Ethereum blockchain.

They also found that there is a “Blockchainbandit” that appears to be benefitting from an ability to access the wallets, and stealing Ether, which is the cryptocurrency associated with the Ethereum platform.

The research was detailed in a paper that the company released this morning called Ethercombing: Finding Secrets in Popular Places, and Wired featured the discovery.

It’s the latest piece of newsworthy research to come from the North Baltimore-based cybersecurity company. As we reported earlier this month, the company’s ethical hackers frequently produces research that details vulnerabilities so they can be fixed.

In its report, Wired details how ISE’s Adrian Bednarek and team members started researching the issue while working for a cryptocurrency client. They found the number that make up the keys were not random enough to prevent someone using a computer to guess, even though the odds are very, very long.

They believe the errors could be a result of programming errors in the software that generated the keys.

As for blockchainbandit, they were able to steal ethereum by exploiting these issues and going beyond what the team did for research purposes. At one point, the bandit’s wallet had 38,000 ether, which was in January 2018 valued at $54 million (today, it’s worth far less following price drops). The researchers say this scheme could be ongoing, as they placed a small amount in a wallet with a weak private key, and found it was gone seconds later.

For developers working in blockchain and cryptocurrency, ISE said the research shows the importance of auditing source code and using cryptographically secure tools to generate numbers.

“The bottom line is that a private key needs to be random, unique, and practically impossible to guess in a brute force attack,” ISE Executive Partner Ted Harrington said in a statement.

Engagement

Join the conversation!

Find news, events, jobs and people who share your interests on Technical.ly's open community Slack

Trending

How venture capital is changing, and why it matters

What company leaders need to know about the CTA and required reporting

Why the DOJ chose New Jersey for the Apple antitrust lawsuit

A veteran ship's officer describes how captains work with harbor pilots to avoid deadly collisions

Technically Media