Most people use either an app, an online platform, or a small hardware device as a wallet to store their cryptocurrency safely. The exchanges through which cryptocurrency changes hands, though, and other high stakes operations need something more like a massive digital bank vault. At the Black Hat security conference on Thursday, researchers detailed potential weaknesses in these specially secured wallet schemes, including some that affected real exchanges that have now been fixed.
The attacks aren’t the digital equivalent of jackhammering a weak point on a safe or blowing up a lock. They’re more like opening an old-timey bank vault with six keys that all have to turn at the same time. Breaking cryptocurrency private keys into smaller chunks similarly means an attacker has to cobble them together first to steal funds. But unlike distributing physical keys, the cryptographic mechanisms that underly multiparty key management are complex and difficult to implement correctly. Mistakes could be costly.
“These organizations are managing a lot of money, so they have quite high privacy and security requirements,” says Jean-Philippe Aumasson, cofounder of the cryptocurrency exchange technology firm Taurus Group and vice president at Kudelski Security. “They need a way to split the cryptocurrency private keys into different components, different shares, so no party ever knows the full key and there isn’t a single point of failure. But we found some flaws in how these schemes are set up that are not just theoretical. They could really have been carried out by a malicious party.”
For the work, Aumasson, a cryptographer, validated and refined vulnerability discoveries made by Omer Shlomovits, cofounder of the mobile wallet maker ZenGo. The findings break down into three categories of attacks.
The first would require an insider at a cryptocurrency exchange or other financial institution exploiting a vulnerability in an open-source library produced by a prominent cryptocurrency exchange that the researchers declined to name. The attack takes advantage of a flaw in the library’s mechanism for refreshing, or rotating, keys. In distributed key schemes, you don’t want the secret key or its components to stay the same forever, because over time an attacker could slowly compromise each part and eventually reassemble it. But in the vulnerable library, the refresh mechanism allowed one of the key holders to initiate a refresh and then manipulate the process so some components of the key actually changed and others stayed the same. While you couldn’t merge chunks of an old and new key, an attacker could essentially cause a denial of service, permanently locking the exchange out of its own funds.
Most distributed key schemes are set up so only a predetermined majority of the chunks of a key need to be present to authorize transactions. That way the key isn’t lost entirely if one portion is accidentally eliminated or destroyed. The researchers point out that an attacker…