Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: Sage on February 15, 2015, 10:14:49 PM



Title: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: Sage on February 15, 2015, 10:14:49 PM
Unless it's an inside job, how could a remote hacker get access to a cold wallet?

"7170 BTC got stolen from our cold wallet in this transaction:

https://blockchain.info/tx/f5b0363f03e1ed8bb812c135361ea93590c831ce9f13a3750be1b93575baccc6"

(quoting from Bter.com)

Please don't comment unless you know what you're talking about.


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: turvarya on February 15, 2015, 10:17:46 PM
It depends on what exactly they call a "cold wallet"
If it was in any way connected to a network, it was just a "normal" hack


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: zimmah on February 15, 2015, 10:23:52 PM
a cold wallet, by definition, is not connected to the internet.

Therefore, a cold wallet can not be hacked, no matter what.

If it was hacked, it wasn't a cold wallet.


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: goosoodude on February 15, 2015, 10:25:39 PM
It was not a true cold wallet but rather a wallet which is kept offline most of the time. When the hot wallet needs to be refilled it is brought online and that moment was used by the attacker.


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: DeathAndTaxes on February 15, 2015, 10:29:34 PM
Hacking a properly created cold wallet is impossible however it may not have been a properly created cold wallet
a) the wallet may have been created using compromised software (given how long the wallet has existed this is unlikely)
b) the randomly generated keys in the wallet may have had poor entropy (also unlikely)
c) the wallet was compromised due to poor signing with repeat k values (unlikely but can be verified from transaction history)
d) despite the company calling it a 'cold wallet' it wasn't a cold wallet* at all and was compromised just as any other hot wallet would be
e) someone (most likely an employee) with physical access to the cold wallet data file stole the coins

* A 'cold wallet' would be a private key or keys created by an offline machine and the private keys are never used on a machine that is or has been connected to the internet.  Signing of transactions should be done offline as well.  If you create a 'cold wallet' and then move it to a computer which is connected to the internet then it is no longer a cold wallet. 


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: Nixian on February 15, 2015, 10:38:36 PM
What, dunno, still a newbie, but bter use cold wallets to fill their hots, apparently 7000btc on 1 cold wallet is not done, guess a bit lazy and made redraws from the cold wallet with the same key multiple times, is it then possible to "catch" the key and use it yourself?

my 2bit :

Is this the thief ?

http://tools.tracemyip.org/lookup/46.28.204.193

Reverse DNS in-addr.arpa:
193.204.28.46.in-addr.arpa domain name pointer hosted-by.solarcom.ch.

http://en.utrace.de/ip-address/193.204.28.46


IP Address:       193.204.28.46
ISP:       GARR Italian Research and Academic Network
Organization:       Universita' degli Studi G. D'Annunzio

https://db-ip.com/193.204.28.46

It is most likely a proxy/VPN that leads to another one and so on.
If someone wants to steal so much money, I guess they make sure to stay safe as much as possible.

Students having the know-how, interest, time and equipment, and watch the ISP Research and academic network


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: inBitweTrust on February 15, 2015, 10:41:22 PM
It likely was simply an inside job.

Any centralized bitcoin exchange that doesn't store a majority of their clients bitcoins in multiple multisig cold wallets with good physical security is acting wildly irresponsible at this point in the game.


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: redsn0w on February 15, 2015, 10:46:43 PM
It likely was simply an inside job.

Any centralized bitcoin exchange that doesn't store a majority of their clients bitcoins in multiple multisig cold wallets with good physical security is acting wildly irresponsible at this point in the game.

Indeed if these exchanges will not start to use multiSig I think a lot of people will start to keep their coin in own wallets. Remember : an exchange is not a bank.

For example why aren't they using greenAddress for their cold wallet ?


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: VOR on February 15, 2015, 10:51:08 PM
They are either from the future and computed the corresponding private key to the cold wallet using an array of quantum computers, or it was an inside job.

I don't get how it's finally possible to control your own funds such as with bitcoin, and people go and relinquish that control to someone else.


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: Q7 on February 15, 2015, 10:56:03 PM
It shouldn't be too difficult to figure out who did this. If it has multi sig or multiple factor authentication enabled on a cold wallet, it would be almost impossible to pull off that stunt.


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: leopard2 on February 15, 2015, 11:03:02 PM
Hacking a properly created cold wallet is impossible however it may not have been a properly created cold wallet
a) the wallet may have been created using compromised software (given how long the wallet has existed this is unlikely)
b) the randomly generated keys in the wallet may have had poor entropy (also unlikely)
c) the wallet was compromised due to poor signing with repeat k values (unlikely but can be verified from transaction history)
d) despite the company calling it a 'cold wallet' it wasn't a cold wallet* at all and was compromised just as any other hot wallet would be
e) someone (most likely an employee) with physical access to the cold wallet data file stole the coins

* A 'cold wallet' would be a private key or keys created by an offline machine and the private keys are never used on a machine that is or has been connected to the internet.  Signing of transactions should be done offline as well.  If you create a 'cold wallet' and then move it to a computer which is connected to the internet then it is no longer a cold wallet. 

a==b) was the case with the blockchain hack, wasn't it? Just that it was a white hat hacker at the time.


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: redsn0w on February 15, 2015, 11:06:55 PM
Hacking a properly created cold wallet is impossible however it may not have been a properly created cold wallet
a) the wallet may have been created using compromised software (given how long the wallet has existed this is unlikely)
b) the randomly generated keys in the wallet may have had poor entropy (also unlikely)
c) the wallet was compromised due to poor signing with repeat k values (unlikely but can be verified from transaction history)
d) despite the company calling it a 'cold wallet' it wasn't a cold wallet* at all and was compromised just as any other hot wallet would be
e) someone (most likely an employee) with physical access to the cold wallet data file stole the coins

* A 'cold wallet' would be a private key or keys created by an offline machine and the private keys are never used on a machine that is or has been connected to the internet.  Signing of transactions should be done offline as well.  If you create a 'cold wallet' and then move it to a computer which is connected to the internet then it is no longer a cold wallet. 

a==b) was the case with the blockchain hack, wasn't it? Just that it was a white hat hacker at the time.


Yes, 1000 btc sent back to blockchain.info. Here the thread : https://bitcointalk.org/index.php?topic=581411.0


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: RocketSingh on February 15, 2015, 11:21:31 PM
Hacking a properly created cold wallet is impossible however it may not have been a properly created cold wallet
a) the wallet may have been created using compromised software (given how long the wallet has existed this is unlikely)
b) the randomly generated keys in the wallet may have had poor entropy (also unlikely)
c) the wallet was compromised due to poor signing with repeat k values (unlikely but can be verified from transaction history)
d) despite the company calling it a 'cold wallet' it wasn't a cold wallet* at all and was compromised just as any other hot wallet would be
e) someone (most likely an employee) with physical access to the cold wallet data file stole the coins

* A 'cold wallet' would be a private key or keys created by an offline machine and the private keys are never used on a machine that is or has been connected to the internet.  Signing of transactions should be done offline as well.  If you create a 'cold wallet' and then move it to a computer which is connected to the internet then it is no longer a cold wallet. 

How will the creator of a cold wallet know that his generated keys are not of poor entropy?


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: BlindMayorBitcorn on February 15, 2015, 11:25:20 PM
They are either from the future and computed the corresponding private key to the cold wallet using an array of quantum computers, or it was an inside job.

I don't get how it's finally possible to control your own funds such as with bitcoin, and people go and relinquish that control to someone else.

...so they are from the future? :o


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: cryptworld on February 15, 2015, 11:27:43 PM
Hacking a properly created cold wallet is impossible however it may not have been a properly created cold wallet
a) the wallet may have been created using compromised software (given how long the wallet has existed this is unlikely)
b) the randomly generated keys in the wallet may have had poor entropy (also unlikely)
c) the wallet was compromised due to poor signing with repeat k values (unlikely but can be verified from transaction history)
d) despite the company calling it a 'cold wallet' it wasn't a cold wallet* at all and was compromised just as any other hot wallet would be
e) someone (most likely an employee) with physical access to the cold wallet data file stole the coins

* A 'cold wallet' would be a private key or keys created by an offline machine and the private keys are never used on a machine that is or has been connected to the internet.  Signing of transactions should be done offline as well.  If you create a 'cold wallet' and then move it to a computer which is connected to the internet then it is no longer a cold wallet. 

thanks for that explanation, I was wondering what could happen


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: itod on February 16, 2015, 12:02:37 AM
When the hot wallet needs to be refilled it is brought online and that moment was used by the attacker.

Hot wallets are refilled without bringing the cold wallet online. You sign the refill transaction on the cold wallet machine, copy it to the USB drive without ever bringing it online, and then broadcast the signed transaction from any other computer which is connected to the internet. A cold wallet by definition cannot be "hacked" in the strict sense, unless you call hacking gaining physical access to the offline computer and copying the private key from it on some media, or changing its software to use a weak random number generator.


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: charleshoskinson on February 16, 2015, 02:29:05 AM
We spent months thinking about vectors of attack at Ethereum regarding the ether sale funds. Generally speaking, if the funds are in a cold wallet then either social engineering or inside theft are the two viable attacks. this said, it is possible if the cold wallet is stored in a digital format on a computer not connected to the internet that one could perform a stuxnet style attack piggybacking on a flash drive to introduce an APT. But no, someone internal stole the funds most likely. 


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: Beymond on February 16, 2015, 02:59:48 AM
Their cold wallet was really messed up, obviously being used to transfer funds to hot wallets at times.
For that they should have kept two cold wallets, one with a small amount and the other the main cold wallet.


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: Troonetpt on February 16, 2015, 03:33:40 AM
A. It's not a really cold wallet.
B. It's an inside job.
Must be one of them.


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: hilariousandco on February 16, 2015, 06:17:08 AM
Hacking a properly created cold wallet is impossible however it may not have been a properly created cold wallet
a) the wallet may have been created using compromised software (given how long the wallet has existed this is unlikely)
d) despite the company calling it a 'cold wallet' it wasn't a cold wallet* at all and was compromised just as any other hot wallet would be
e) someone (most likely an employee) with physical access to the cold wallet data file stole the coins

Most likely one of these but I'm more inclined to believe an inside job.


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: Fernandez on February 16, 2015, 06:19:06 AM
They are saying it happened when they were transferring funds. So
a) the hacker knew about it and was waiting for sometime for the opportunity
b) it was not a cold wallet.


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: hilariousandco on February 16, 2015, 06:24:23 AM
But they should know to use an air gap / safe computer for that. Not much point keeping your funds offline if you're just going to put the wallet on an unsecure comp. Exchanges should be overly paranoid when dealing with their funds as should any other bitcoiner really.


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: redsn0w on February 16, 2015, 06:27:14 AM
As every one of us said: a cold wallet is supposed to be "disconnected" or better never be connected to the Internet. Their definition of cold wallet is wrong.


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: Fernandez on February 16, 2015, 06:43:26 AM
But they should know to use an air gap / safe computer for that. Not much point keeping your funds offline if you're just going to put the wallet on an unsecure comp. Exchanges should be overly paranoid when dealing with their funds as should any other bitcoiner really.

They even kept all the 7k BTC together. I think there is a chance that they stole the money.


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: sidhujag on February 16, 2015, 06:56:22 AM
Ok forget who did it but can't we capture the funds by getting all exchanges a tool that will detect if the deposits are from that bad transaction? (I have the tool to do it)


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: redsn0w on February 16, 2015, 07:01:28 AM
Ok forget who did it but can't we capture the funds by getting all exchanges a tool that will detect if the deposits are from that bad transaction? (I have the tool to do it)

It is a decentralized coin, you can detect whatever you want but no one can stop a transaction (only the various miners can refuse to accept a tx from a determinate bitcoin address but they will lose the fees).


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: Fernandez on February 16, 2015, 07:37:42 AM
Ok forget who did it but can't we capture the funds by getting all exchanges a tool that will detect if the deposits are from that bad transaction? (I have the tool to do it)

You won't be able to get all the exchanges, gambling sites, mixers and merchants accepting Bitcoins to agree. There will always be places which will allow laundering of the stolen funds.


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: turvarya on February 16, 2015, 08:59:30 AM
So, did I get this right?
They had a computer, that was usually switched off and when they had to transfer funds, they switched it on, made the transaction and switched it off again. And they called THIS a cold wallet?


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: Rampion on February 16, 2015, 09:22:22 AM
You simply cannot hack a cold wallet, therefore:

a) it wasn't a cold wallet
b) somebody who had physical access to the wallet stole the coins.

There are other options (wallet created with compromised software; RNG/entropy problem) but those are extremely unlikely. You can put all your money on either a) or b).


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: redsn0w on February 16, 2015, 09:37:46 AM
So, did I get this right?
They had a computer, that was usually switched off and when they had to transfer funds, they switched it on, made the transaction and switched it off again. And they called THIS a cold wallet?

A cold wallet should never be connected to the internet, I think their "definition" of cold wallet is a little bit wrong. Let's see if they will reimburse all the customers (at least a % of each personal fund).


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: CIYAM on February 16, 2015, 09:42:23 AM
It seems very unlikely to me that this could be anything other than an inside job.

You'd think an exchange holding 7K BTC would actually have bothered to work out how to properly secure them (and should know what a "cold wallet" is).


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: itod on February 16, 2015, 10:39:21 AM
We spent months thinking about vectors of attack at Ethereum regarding the ether sale funds. Generally speaking, if the funds are in a cold wallet then either social engineering or inside theft are the two viable attacks. this said, it is possible if the cold wallet is stored in a digital format on a computer not connected to the internet that one could perform a stuxnet style attack piggybacking on a flash drive to introduce an APT. But no, someone internal stole the funds most likely. 

Strictly speaking flash drive management is part of the cold wallet, one can not use just about any flash drive to transfer signed transaction, flash drive must be as secured as cold wallet machine and not used for anything else, without bootloader, possible hidden executable in flash drive driver etc. Someone with 7000 BTC of other people's money in his hands should have a professional handling the security.

Calling the cold wallet "hacked" is just pushing away responsibility for negligence, and playing dumb.


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: redsn0w on February 16, 2015, 10:44:13 AM
So do we agree their cold wallet wasn't a real "cold wallet"? Definition :

Cold storage in the context of Bitcoin refers to keeping a reserve of Bitcoins offline.

For example, a Bitcoin exchange typically offers an instant withdrawal feature, and might be a steward over hundreds of thousands of Bitcoins. To minimize the possibility that an intruder could steal the entire reserve in a security breach, the operator of the website follows a best practice by keeping the majority of the reserve in cold storage, or in other words, not present on the web server or any other computer.

The only amount kept on the server is the amount needed to cover anticipated withdrawals.

Source : https://en.bitcoin.it/wiki/Cold_storage




Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: Fernandez on February 16, 2015, 10:46:58 AM
So, did I get this right?
They had a computer, that was usually switched off and when they had to transfer funds, they switched it on, made the transaction and switched it off again. And they called THIS a cold wallet?

Something similar. Amateurish to the extreme especially when they have been hacked earlier.


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: kokojie on February 16, 2015, 02:28:11 PM
At the moment of the hack, it was a hot wallet. They brought their cold wallet online, to refill another hot wallet, so both were hot wallets at the time. The hacker was patiently waiting for them to do this, because he had already compromised their system, and just waiting for BTER to bring their cold wallet online for funding the hot wallet.


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: turvarya on February 16, 2015, 02:41:02 PM
At the moment of the hack, it was a hot wallet. They brought their cold wallet online, to refill another hot wallet, so both were hot wallets at the time. The hacker was patiently waiting for them to do this, because he had already compromised their system, and just waiting for BTER to bring their cold wallet online for funding the hot wallet.
Not a cold wallet then.
Could somebody make a "What is a cold wallet?"-YouTube-Video and send it to these exchanges?


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: kolloh on February 16, 2015, 03:18:45 PM
Yeah, it is not a COLD wallet once it touches the internet. Looks like they may have been incorrectly using their "COLD" wallet.


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: DeathAndTaxes on February 16, 2015, 03:31:40 PM
Yeah, it is not a COLD wallet once it touches the internet. Looks like they may have been incorrectly using their "COLD" wallet.

Now would be a good time for users of other services to question exactly what their exchange or wallet operator means when they say 'cold wallet'. Cold wallet is just words. Security is in the details. I would not be surprised if there are other exchanges operating right now which believe bringing a wallet online for spending is still a 'cold' wallet.


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: RockMinerOops on February 16, 2015, 03:39:05 PM
Cold Wallet to Bter meant that the computer was located in a room air conditioned to 60F


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: redsn0w on February 16, 2015, 04:36:55 PM
Yeah, it is not a COLD wallet once it touches the internet. Looks like they may have been incorrectly using their "COLD" wallet.

Now would be a good time for users of other services to question exactly what their exchange or wallet operator means when they say 'cold wallet'. Cold wallet is just words. Security is in the details. I would not be surprised if there are other exchanges operating right now which believe bringing a wallet online for spending is still a 'cold' wallet.

I agree with that, their definition of cold wallet "was wrong". If it was connected to the internet (even for 5 minutes) it was no longer a cold wallet.


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: DeathAndTaxes on February 16, 2015, 05:08:18 PM
It's also possible that the online part of the cold storage was hacked.

When doing a payment from cold storage you need another PC with internet access where the TX is created on and broadcasted after it has been signed. it's possible that the online PC was hacked and that the hacker replaced the address BTER wanted to send funds to with one of his own, and that the employee didn't notice the change when signing the TX on the cold wallet.

Possibly but this would just be another form of gross incompetence.  A cold wallet is only as secure as its txn data but in this case the cold wallet is only used to fill a hot wallet which makes hardening it against attacks very simple compared to other business models.

The cold wallet can contain the public key of the hot wallet.  The easiest way would be to use a single address for loading the hot wallet but HD wallets make it easier to preserve privacy without a loss of security.  If the hot wallet is using an HD wallet then the ExtendedPublicKey of the hot wallet is kept on the cold wallet machine and it only signs transactions sending an amount to the hot wallet and change back to itself.  This moves all the critical transaction information to the secure offline machine and makes a compromise of the online machine ineffective*.  This only applies in a situation where the cold wallet can be restricted to only send funds to a set of secure addresses.  A general use cold wallet may not have that luxury but an exchange does and everything should be done to harden the company wallet.

Example
For brevity the example uses a single key scenario but this can be done the same way using HD wallet extendedkeys and funds can be sent to ScriptHash (multisig address) instead of PubKeyHash (single key 'normal' address).

Cold Wallet Machine contains:
* Encrypted cold wallet private key
* Hot Wallet Public Key

Online Full node contains:
* Blockchain
* Bitcoind w/ connectivity to bitcoin network peers
* Cold wallet Public Key
* Hot wallet Public Key

STEP 1) Online Machine - use bitcoind and cold wallet public key to locate unspent outputs.  Create unsigned transaction sending funds from Cold Wallet to Hot Wallet with change back to cold wallet.
STEP 2) Online Machine -> Cold Wallet Machine - Transfer unsigned transaction* using offline method
STEP 3) Cold Wallet Machine - Independently verify the txn meets business rules (send acceptable value to hot wallet PubKeyHash and change back to Cold Wallet)
STEP 4) Cold Wallet Machine - Unlock private key and sign transaction.
STEP 5) Cold Wallet Machine -> Online Machine - Transfer signed transaction* using offline method
STEP 6) Online Machine - broadcast transaction to bitcoin network using bitcoind.

*There is another attack vector but it is difficult to exploit and complicates the explanation so I didn't cover it in the example but anyone designing a cold wallet should be aware of it. A transaction input doesn't specify its value so an attacker could infect a user's online computer to provide false input information to the cold wallet. The cold wallet may sign a txn thinking the inputs are worth 100 BTC when in reality they are worth 7,000 BTC. Now if the cold wallet is only sending funds to known secure addresses this doesn't allow the attacker to send funds to any arbitrary address but they could cause the cold wallet to send the difference as a huge fee to miners. If the attacker then prevented the broadcast of this transaction and mined it into a block he could steal funds this way. To prevent this today requires giving the cold wallet not just the transaction but also the prior outputs it is spending so it can independently verify their value. This is secure but greatly increases the complexity and the amount of data to be transferred. If the txn format was updated so that the value of an input was specified this wouldn't be needed. To change that however would require a soft fork or hard fork depending on how it was done.
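
Added example (not part of the original post, and not DeathAndTaxes's or Bter's code): a sketch of the STEP 3 check on the cold wallet machine, including the footnote's defence of recomputing input values from the supplied prior transactions. It assumes legacy (pre-segwit) serialization and exact-match allowlisted output scripts; every name, limit and sample transaction below is constructed for illustration.

```python
import hashlib
import struct

class PolicyError(Exception):
    """The unsigned refill transaction violates the cold wallet's signing policy."""

def sha256d(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def read_varint(buf, pos):
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    size = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size

def parse_tx(raw):
    """Parse a legacy (pre-segwit) tx into ([(prev_hash, vout)], [(value, script)])."""
    try:
        pos = 4                                        # skip the version field
        n_in, pos = read_varint(raw, pos)
        ins = []
        for _ in range(n_in):
            outpoint = (raw[pos:pos + 32], int.from_bytes(raw[pos + 32:pos + 36], "little"))
            script_len, pos = read_varint(raw, pos + 36)
            pos += script_len + 4                      # skip scriptSig and sequence
            ins.append(outpoint)
        n_out, pos = read_varint(raw, pos)
        outs = []
        for _ in range(n_out):
            value = int.from_bytes(raw[pos:pos + 8], "little")
            script_len, pos = read_varint(raw, pos + 8)
            outs.append((value, raw[pos:pos + script_len]))
            pos += script_len
    except IndexError:
        raise PolicyError("truncated transaction") from None
    if not ins or not outs or pos + 4 != len(raw):     # only the locktime may remain
        raise PolicyError("malformed transaction")
    return ins, outs

def check_refill(unsigned_raw, prev_raws, hot_script, cold_script, max_refill, max_fee):
    """STEP 3: return the fee if this is an acceptable refill, otherwise raise."""
    ins, outs = parse_tx(unsigned_raw)
    if len(set(ins)) != len(ins):
        raise PolicyError("duplicate input")
    # Index prior transactions by their own hash, never by an id the online host claims.
    prev_by_hash = {sha256d(raw): raw for raw in prev_raws}
    total_in = 0
    for prev_hash, vout in ins:
        if prev_hash not in prev_by_hash:
            raise PolicyError("prior transaction not supplied for an input")
        prev_outs = parse_tx(prev_by_hash[prev_hash])[1]
        if vout >= len(prev_outs) or prev_outs[vout][1] != cold_script:
            raise PolicyError("input is not a cold wallet output")
        total_in += prev_outs[vout][0]
    if any(script not in (hot_script, cold_script) for _, script in outs):
        raise PolicyError("output pays a script outside the allowlist")
    to_hot = sum(value for value, script in outs if script == hot_script)
    if not 0 < to_hot <= max_refill:
        raise PolicyError("refill amount outside the allowed range")
    fee = total_in - sum(value for value, _ in outs)
    if not 0 <= fee <= max_fee:
        raise PolicyError("fee outside the allowed range")
    return fee

# --- Constructed sample data (not real transactions, keys or addresses) ---
def p2pkh(hash160):
    return b"\x76\xa9\x14" + hash160 + b"\x88\xac"

def build_tx(ins, outs):
    """Serialize a small unsigned legacy transaction for the samples below."""
    raw = struct.pack("<I", 1) + bytes([len(ins)])
    for prev_hash, vout in ins:
        raw += prev_hash + struct.pack("<I", vout) + b"\x00" + b"\xff" * 4
    raw += bytes([len(outs)])
    for value, script in outs:
        raw += struct.pack("<Q", value) + bytes([len(script)]) + script
    return raw + struct.pack("<I", 0)

BTC = 100_000_000                                      # satoshis per BTC
COLD, HOT, OTHER = (p2pkh(bytes([b]) * 20) for b in (0x11, 0x22, 0x33))
FUNDING = build_tx([(b"\xaa" * 32, 0)], [(7000 * BTC, COLD)])
SPEND = [(sha256d(FUNDING), 0)]
HONEST = build_tx(SPEND, [(100 * BTC, HOT), (6900 * BTC - 10_000, COLD)])
REDIRECTED = build_tx(SPEND, [(100 * BTC, OTHER), (6900 * BTC - 10_000, COLD)])
NO_CHANGE = build_tx(SPEND, [(100 * BTC - 10_000, HOT)])    # host claims a 100 BTC input
FORGED_PREV = build_tx([(b"\xaa" * 32, 0)], [(100 * BTC, COLD)])

def verdict(unsigned_raw, prev_raws):
    try:
        return "sign, fee=%d" % check_refill(unsigned_raw, prev_raws, HOT, COLD, 500 * BTC, 50_000)
    except PolicyError as exc:
        return "refuse: %s" % exc

if __name__ == "__main__":
    for name, tx, prevs in [("honest", HONEST, [FUNDING]), ("redirected", REDIRECTED, [FUNDING]),
                            ("no change", NO_CHANGE, [FUNDING]), ("forged prev", NO_CHANGE, [FORGED_PREV])]:
        print(name, "->", verdict(tx, prevs))
```

The forged prior transaction is refused because its double-SHA256 does not match the outpoint the unsigned transaction commits to, which is what lets the offline machine trust the input value it computes.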




Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: sidhujag on February 16, 2015, 05:13:28 PM
Ok forget who did it but can't we capture the funds by getting all exchanges a tool that will detect if the deposits are from that bad transaction? (I have the tool to do it)

You won't be able to get all the exchanges, gambling sites, mixers and merchants accepting Bitcoins to agree. There will always be places which will allow laundering of the stolen funds.

really 7000btc? at least we can try


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: sidhujag on February 16, 2015, 05:15:12 PM
Yeah, it is not a COLD wallet once it touches the internet. Looks like they may have been incorrectly using their "COLD" wallet.

Now would be a good time for users of other services to question exactly what their exchange or wallet operator means when they say 'cold wallet'. Cold wallet is just words. Security is in the details. I would not be surprised if there are other exchanges operating right now which believe bringing a wallet online for spending is still a 'cold' wallet.
Now is the time to switch to dex.. something like bitshares or innovate


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: redsn0w on February 16, 2015, 05:19:40 PM
Ok forget who did it but can't we capture the funds by getting all exchanges a tool that will detect if the deposits are from that bad transaction? (I have the tool to do it)

You won't be able to get all the exchanges, gambling sites, mixers and merchants accepting Bitcoins to agree. There will always be places which will allow laundering of the stolen funds.

really 7000btc? at least we can try

As every one of us said: bitcoin is decentralized, and everyone has the choice to agree or not agree. It will be impossible to convince all the miners, various exchanges, sites, etc...
 

Literally : it is gone.


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: sidhujag on February 16, 2015, 09:01:30 PM
Ok forget who did it but can't we capture the funds by getting all exchanges a tool that will detect if the deposits are from that bad transaction? (I have the tool to do it)

You won't be able to get all the exchanges, gambling sites, mixers and merchants accepting Bitcoins to agree. There will always be places which will allow laundering of the stolen funds.

really 7000btc? at least we can try

As every one of us said: bitcoin is decentralized, and everyone has the choice to agree or not agree. It will be impossible to convince all the miners, various exchanges, sites, etc...
 

Literally : it is gone.

Like I said it's 7000btc.. only a handful of sites


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: crazy_rabbit on February 16, 2015, 09:08:52 PM
a cold wallet, by definition, is not connected to the internet.

Therefore, a cold wallet can not be hacked, no matter what.

If it was hacked, it wasn't a cold wallet.

Depends on whether or not the cold wallet was prepared properly. For example, perhaps they used a compromised hardware wallet, or a weak random number generator.

That said- it reminds me of how when the transaction malleability attack was discovered/described suddenly gox claimed that they had been hacked via this method. Just recently it was discovered that it would be possible to hack cold wallets provided the wallets were generated with weak random numbers or some sort of 'compromised' random number. That way the attacker could empty any wallets generated by the cold wallet generation process. Perhaps they thought this would be a convenient excuse to skip town on.


Title: Re: Expert Input Only: How Is A Cold Wallet Bter Exchange Hack Possible?
Post by: leopard2 on February 16, 2015, 09:54:43 PM
Yes, I tend to agree with Rabbit. If I had to place a bet, I would say - internal job or bad entropy.  :-[

Blockchain.info hack threads describe how private keys, created with bad software, can be hacked from the outside without ever touching the wallet. This is a likely scenario and would work for any wallet, even paper wallets, all that is required is two transactions.

From the looks of it Bter wallet was used lots of times, not really cold storage, so hacker has the two transactions needed.

http://www.coindesk.com/good-samaritan-blockchain-hacker-returned-255-btc-speaks/

My bet, this or the internal job. Will be interesting to watch how this develops, first "real" attack on a so-called cold wallet, pretty scary IMHO.
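
Added example (not part of any post in this thread): a wallet operator's audit for the condition DeathAndTaxes lists as (c), "repeat k values ... can be verified from transaction history", which is also what the post above refers to. It reports any ECDSA `r` value that appears in more than one input's signature, since `r` depends only on the nonce. It assumes P2PKH scriptSigs (signature push followed by public key push); the labels, keys and signatures in the sample history are constructed encodings, not valid signatures.

```python
from collections import defaultdict

def parse_pushes(script):
    """Split a scriptSig that consists only of direct pushes (opcodes 0x01-0x4b)."""
    items, pos = [], 0
    while pos < len(script):
        size = script[pos]
        if not 1 <= size <= 0x4B or pos + 1 + size > len(script):
            raise ValueError("unsupported scriptSig")
        items.append(script[pos + 1:pos + 1 + size])
        pos += 1 + size
    return items

def der_r(sig):
    """Return r from a DER-encoded ECDSA signature followed by one sighash byte."""
    if len(sig) < 9 or sig[0] != 0x30 or sig[1] != len(sig) - 3 or sig[2] != 0x02:
        raise ValueError("not a DER signature")
    r_len = sig[3]
    if 4 + r_len >= len(sig) - 1 or sig[4 + r_len] != 0x02:
        raise ValueError("not a DER signature")
    return int.from_bytes(sig[4:4 + r_len], "big")

def find_repeated_r(history):
    """history: [(label, scriptSig hex)] of P2PKH spends. Returns {r hex: [labels]}."""
    seen = defaultdict(list)
    for label, script_hex in history:
        pushes = parse_pushes(bytes.fromhex(script_hex))
        if len(pushes) != 2:
            raise ValueError("%s is not a P2PKH spend" % label)
        seen[der_r(pushes[0])].append(label)
    return {format(r, "064x"): labels for r, labels in seen.items() if len(labels) > 1}

# --- Constructed sample data: well-formed encodings, not valid signatures ---
def der_int(n):
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:                       # DER integers are signed: pad high-bit values
        body = b"\x00" + body
    return b"\x02" + bytes([len(body)]) + body

def sample_script_sig(r, s, pubkey):
    body = der_int(r) + der_int(s)
    sig = b"\x30" + bytes([len(body)]) + body + b"\x01"     # trailing SIGHASH_ALL byte
    return (bytes([len(sig)]) + sig + bytes([len(pubkey)]) + pubkey).hex()

R_REUSED = int.from_bytes(b"\x9a" * 32, "big")
R_FRESH = int.from_bytes(b"\x5b" * 32, "big")
KEY_A, KEY_B = b"\x02" + b"\x11" * 32, b"\x03" + b"\x22" * 32
HISTORY = [
    ("tx1:0", sample_script_sig(R_REUSED, 0x1111, KEY_A)),
    ("tx2:0", sample_script_sig(R_FRESH, 0x2222, KEY_A)),
    ("tx3:0", sample_script_sig(R_REUSED, 0x3333, KEY_A)),
    ("tx4:0", sample_script_sig(R_FRESH + 1, 0x4444, KEY_B)),
]

if __name__ == "__main__":
    for r_hex, labels in find_repeated_r(HISTORY).items():
        print("repeated r", r_hex, "in inputs", ", ".join(labels))
```

An empty result over a wallet's full spend history rules out this one failure mode only; signers that derive the nonce deterministically (RFC 6979) avoid it by construction.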