ISE research spotlights cryptocurrency vulnerabilities, and theft - Technical.ly Baltimore

Apr. 23, 2019 2:06 pm

Baltimore-based Independent Security Evaluators believes a "blockchainbandit" is exploiting private keys to steal currency on the Ethereum platform. The research was featured in Wired.

Independent Security Evaluators' North Baltimore office. (Photo courtesy of ISE/Sam Levin)

Baltimore-based Independent Security Evaluators (ISE) has new research out Tuesday that shows a vulnerability in the private keys used for transactions on the Ethereum blockchain platform, and theft that occurred as a result.

Ethereum is among a number of decentralized platforms that allow for public ledgers of transactions. Users create wallets, which are protected by a user’s private key that is 78 numbers long and often randomly generated.

Despite long statistical odds of being able to guess a private key, ISE researchers were able to identify more than 700 private keys on the Ethereum blockchain.

They also found that a “Blockchainbandit” appears to be benefiting from an ability to access the wallets and is stealing Ether, the cryptocurrency associated with the Ethereum platform.

The research was detailed in a paper that the company released this morning called Ethercombing: Finding Secrets in Popular Places, and Wired featured the discovery.

It’s the latest piece of newsworthy research to come from the North Baltimore-based cybersecurity company. As we reported earlier this month, the company’s ethical hackers frequently produce research that details vulnerabilities so they can be fixed.

In its report, Wired details how ISE’s Adrian Bednarek and team members started researching the issue while working for a cryptocurrency client. They found the numbers that make up the keys were not random enough to prevent someone using a computer to guess them, even though the odds are very, very long.

They believe the errors could be a result of programming errors in the software that generated the keys.

As for blockchainbandit, they were able to steal ethereum by exploiting these issues and going beyond what the team did for research purposes. At one point, the bandit’s wallet had 38,000 ether, which was in January 2018 valued at $54 million (today, it’s worth far less following price drops). The researchers say this scheme could be ongoing, as they placed a small amount in a wallet with a weak private key, and found it was gone seconds later.

For developers working in blockchain and cryptocurrency, ISE said the research shows the importance of auditing source code and using cryptographically secure tools to generate numbers.

“The bottom line is that a private key needs to be random, unique, and practically impossible to guess in a brute force attack,” ISE Executive Partner Ted Harrington said in a statement.
