ISE research spotlights cryptocurrency vulnerabilities, and theft

Baltimore-based Independent Security Evaluators (ISE) has new research out Tuesday that shows a vulnerability in the private keys used for transactions on the Ethereum blockchain platform, and theft that occurred as a result.

Ethereum is among a number of decentralized platforms that allow for public ledgers of transactions. Users create wallets, which are protected by a user’s private key that is 78 numbers long and often randomly generated.

Despite long statistical odds of being able to guess a private key, ISE researchers were able to identify more than 700 private keys on the Ethereum blockchain.

They also found that there is a “Blockchainbandit” that appears to be benefitting from an ability to access the wallets, and stealing Ether, which is the cryptocurrency associated with the Ethereum platform.

The research was detailed in a paper that the company released this morning called Ethercombing: Finding Secrets in Popular Places, and Wired featured the discovery.

It’s the latest piece of newsworthy research to come from the North Baltimore-based cybersecurity company. As we reported earlier this month, the company’s ethical hackers frequently produces research that details vulnerabilities so they can be fixed.

In its report, Wired details how ISE’s Adrian Bednarek and team members started researching the issue while working for a cryptocurrency client. They found the number that make up the keys were not random enough to prevent someone using a computer to guess, even though the odds are very, very long.

There's a "blockchain bandit" among us. To understand how it works, it helps to understand how hard guessing an Ethereum private key is. With 78 digits, the odds of guessing a randomly generated Ethereum private key is 1 in 115 quattuorvigintillion. https://t.co/ZpG0UGKmoL

— WIRED (@WIRED) April 23, 2019

They believe the errors could be a result of programming errors in the software that generated the keys.

As for blockchainbandit, they were able to steal ethereum by exploiting these issues and going beyond what the team did for research purposes. At one point, the bandit’s wallet had 38,000 ether, which was in January 2018 valued at $54 million (today, it’s worth far less following price drops). The researchers say this scheme could be ongoing, as they placed a small amount in a wallet with a weak private key, and found it was gone seconds later.

For developers working in blockchain and cryptocurrency, ISE said the research shows the importance of auditing source code and using cryptographically secure tools to generate numbers.

“The bottom line is that a private key needs to be random, unique, and practically impossible to guess in a brute force attack,” ISE Executive Partner Ted Harrington said in a statement.