ISE research spotlights cryptocurrency vulnerabilities, and theft - Technical.ly Baltimore

Dev

Apr. 23, 2019 2:06 pm

ISE research spotlights cryptocurrency vulnerabilities, and theft

Baltimore-based Independent Security Evaluators believes a "blockchainbandit" is exploiting private keys to steal currency on the Ethereum platform. The research was featured in Wired.

Independent Security Evaluators' North Baltimore office. (Photo courtesy of ISE/Sam Levin)

Baltimore-based Independent Security Evaluators (ISE) has new research out Tuesday that shows a vulnerability in the private keys used for transactions on the Ethereum blockchain platform, and theft that occurred as a result.

Ethereum is among a number of decentralized platforms that allow for public ledgers of transactions. Users create wallets, which are protected by a user’s private key that is 78 numbers long and often randomly generated.

Despite long statistical odds of being able to guess a private key, ISE researchers were able to identify more than 700 private keys on the Ethereum blockchain.

They also found that there is a “Blockchainbandit” that appears to be benefitting from an ability to access the wallets, and stealing Ether, which is the cryptocurrency associated with the Ethereum platform.

The research was detailed in a paper that the company released this morning called Ethercombing: Finding Secrets in Popular Places, and Wired featured the discovery.

It’s the latest piece of newsworthy research to come from the North Baltimore-based cybersecurity company. As we reported earlier this month, the company’s ethical hackers frequently produces research that details vulnerabilities so they can be fixed.

In its report, Wired details how ISE’s Adrian Bednarek and team members started researching the issue while working for a cryptocurrency client. They found the number that make up the keys were not random enough to prevent someone using a computer to guess, even though the odds are very, very long.

They believe the errors could be a result of programming errors in the software that generated the keys.

As for blockchainbandit, they were able to steal ethereum by exploiting these issues and going beyond what the team did for research purposes. At one point, the bandit’s wallet had 38,000 ether, which was in January 2018 valued at $54 million (today, it’s worth far less following price drops). The researchers say this scheme could be ongoing, as they placed a small amount in a wallet with a weak private key, and found it was gone seconds later.

For developers working in blockchain and cryptocurrency, ISE said the research shows the importance of auditing source code and using cryptographically secure tools to generate numbers.

“The bottom line is that a private key needs to be random, unique, and practically impossible to guess in a brute force attack,” ISE Executive Partner Ted Harrington said in a statement.

-30-
JOIN THE COMMUNITY, BECOME A MEMBER
Already a member? Sign in here

Advertisement

Mayor: City of Baltimore will have to rebuild some IT systems to recover from cyber attack

City of Baltimore ransomware attack affects home sales, payments and more

Maryland’s ID Agent acquired by Kaseya

SPONSORED

Baltimore

Building a data acquisition system? Don’t make this mistake

Baltimore, MD 21201

14 West

Junior Database Administrator

Apply Now
Baltimore, MD

Whitebox

Javascript Developer

Apply Now
Baltimore

14 West

Reporting Analyst

Apply Now

Morgan State’s HBCU Blockchain Summit convenes researchers to discuss future of fintech

The City of Baltimore was hit by a ransomware attack

What’s driving Maryland cybersecurity’s economic growth?

SPONSORED

Baltimore

How SmartLogic accelerated these startups’ product growth trajectories

Baltimore

14 West

Project Analyst

Apply Now
Baltimore

14 West

Senior Java Software Engineer

Apply Now
Baltimore

14 West

Project Specialist

Apply Now

Sign-up for daily news updates from Technical.ly Baltimore

Do NOT follow this link or you will be banned from the site!