Research on private key generation reveals theft of ETH funds from accounts with discoverable keys
Researchers at Independent Security Evaluators (ISE) have discovered 732 actively used private keys on the Ethereum blockchain.
In their new study titled Ethercombing, ISE found that poorly implemented private key generation is also facilitating the theft of cryptocurrency.
[Figure: Example flow of deriving an Ethereum address from a private key]
The researchers identified 13,319 Ether (ETH) that was either transferred to invalid destination addresses and lost forever, or sent to wallets derived from weak private keys that were targeted for theft. The value of the combined total loss would have been $18,899,969 at the peak of the Ethereum market in mid-January 2018.
“The chances of duplicating or guessing the same randomly-generated private key already used on the Ethereum blockchain is approximately 1 in 115 quattuorvigintillion (2^256), so brute forcing someone’s private key should be practically impossible,” says ISE researcher Adrian Bednarek. In light of these odds, the number of ETH tokens, number of transactions, total USD value of lost ETH, and number of actively used private keys found by ISE’s researchers were significant.
ISE’s ability to find these actively used private keys was presumably made possible due to programming errors in the software which generated them. For example, the team hypothesized that in various Ethereum wallet software implementations, a 256-bit, sufficiently random private key might be created, but the full value of the key becomes truncated on output due to coding mistakes.
Likewise, error codes used as keys, memory reference issues, object confusion, stack corruption, heap corruption, or unchecked pre-compiled coding errors could also result in weak keys. Such private keys are not sufficiently random, which makes it trivial for a computer to brute-force and eventually guess them.
To find these keys, the researchers enumerated every possible private key in targeted sub-sections of the 256-bit key space where truncated or weak keys seemed likely to occur. To their surprise, the private keys discovered corresponded with 49,060 transactions on the Ethereum blockchain.
In the process, ISE discovered an individual or group they dubbed the “Blockchainbandit” pilfering ETH funds from some of the wallets associated with the discovered weak private keys. They observed that the bandit was sending that ETH to a destination wallet that was collecting the loot. On January 13, 2018, Blockchainbandit’s wallet held a balance of 37,926 ETH valued at $54,343,407, now worth far less by today’s valuation of ETH.
Even to this day, the bandit seems to be operating an ongoing campaign to loot cryptocurrencies from wallets derived from weak private keys. ISE researchers intentionally placed one U.S. dollar worth of ETH in a wallet derived from a weak private key and witnessed that, within seconds, the ETH was transferred out and into the bandit’s wallet.
“The bottom line is that a private key needs to be random, unique, and practically impossible to guess in a brute force attack,” says ISE Executive Partner Ted Harrington.
Duplicating or guessing just one randomly-generated private key already in use on the Ethereum blockchain would be a statistically significant event, yet ISE was able to uncover 732 of them, which points to issues in key generation. These underlying problems likely extend to other cryptocurrency platforms and to any software which generates cryptographic keys. As a result, ISE offers a number of recommendations for developers and institutions that rely on cryptographically secure random values.
Recommendations for developers
- Use well known libraries or platform specific modules for random number generation
- Use a cryptographically secure pseudo-random number generator instead of just any pseudo-random number generator
- Audit source code and resulting compiled code to verify randomly generated keys are not truncated or become malformed by faulty workflows that interact with them
- Use multiple sources of entropy
- Leverage NIST compatible hardware random number generation instructions provided by AMD/Intel (RDRAND/RDSEED)
- Review NIST/FIPS guidelines on cryptographic random number generation
- Review and use the NIST Statistical Test Suite (NIST SP 800-22)
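One way to apply the CSPRNG and truncation-audit recommendations above, as an added example (not code from ISE or from any wallet project): it draws a key from Python's `secrets` module and audits the serialized 32-byte value before use. The function names, the finding labels and the 128-bit threshold are assumptions made for this illustration.

```python
import secrets

# Order n of the secp256k1 group; a valid Ethereum private key is an integer in 1..n-1.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
# Assumed policy threshold: a CSPRNG output has fewer significant bits than this
# with probability of about 2**-128, so a hit means a bug, not bad luck.
MIN_SIGNIFICANT_BITS = 128

def audit_private_key(key_bytes):
    """Return a list of findings for a serialized key; an empty list means it passed."""
    if len(key_bytes) != 32:
        return ["wrong-length"]
    k = int.from_bytes(key_bytes, "big")
    if not 1 <= k < SECP256K1_N:
        return ["out-of-range"]
    findings = []
    if k.bit_length() < MIN_SIGNIFICANT_BITS:
        findings.append("high-bytes-zero")      # value cut down to a narrow integer
    if key_bytes[16:] == bytes(16):
        findings.append("low-bytes-zero")       # buffer only partly filled
    if len(set(key_bytes)) <= 2:
        findings.append("repeated-bytes")       # memset-style or error-code filler
    return findings

def generate_private_key():
    """Draw 32 bytes from the OS CSPRNG and retry until the audit passes."""
    while True:
        key = secrets.token_bytes(32)
        if not audit_private_key(key):
            return key

def faulty_serialize(key_bytes):
    """Constructed bug: the key passes through a 32-bit integer before output."""
    k = int.from_bytes(key_bytes, "big") & 0xFFFFFFFF
    return k.to_bytes(32, "big")

if __name__ == "__main__":
    good = generate_private_key()
    print("fresh key findings:    ", audit_private_key(good))
    print("truncated key findings:", audit_private_key(faulty_serialize(good)))
```

Running the audit on the bytes that are actually written out or handed to the signing code, not only on the generator's return value, is what catches truncation introduced later in the workflow.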
Tips for users of cryptographically secure wallets
- Do not use untrusted software that may be harvesting private cryptocurrency keys
- A cryptocurrency private key should be completely random, so use well trusted software and hardware wallets to generate private keys
- Do not generate private keys from passphrases (a.k.a. brain wallets), as people commonly use similar or easily guessable passphrases