Show Posts
1. We discovered that the Nano's web backend had an issue where the login username and password were not verified. Malicious trojans in the local network could exploit this vulnerability to submit mining pool configuration information through a POST command to http://<yourIP>/get_home.cgi without logging in, thus stealing hash power. We have started developing the necessary firmware and expect to fix this vulnerability and release the new firmware by July 19.
2. The Nano's design purpose is relatively simple. It runs on a real-time operating system (FreeRTOS), which is not a complex professional network device and is only suitable for secure home intranets. We recommend enabling the router's firewall and not mapping the Nano host to a public IP address to prevent external hackers from directly accessing the Nano. It is also necessary to regularly check for malicious programs in the home network environment. In safe network environments without trojans, such as non-hotel or library public networks, the Nano is secure.
3. In the design of Nano, we respect users' privacy and will never set any backdoor programs. Canaan's products and services are always subject to local and international regulations regarding cybersecurity and data privacy. Canaan remains transparent by disclosing our source codes and encourages industry monitoring of potential vulnerabilities. We are committed to continually improving our products and services.
4. Starting in December, we will gradually open-source the relevant programs and release open-source firmware to ensure that all programs have better security and are compilable.
5. We appreciate every customer's understanding and support. The sales of Nano 3 have far exceeded our expectations, which is due to our customers' high expectations and recognition of us. We are very sorry for the issues that have arisen. Therefore, we will launch a compensation plan together with the release of the new firmware.
Please join our official telegram group https://t.me/Canaanio
There is probably a backdoor in the firmware. An attacker can change the custom root password (no, it's not root in my case, it's a complex one) or there is a manufacturer password. Stay behind your firewall and do not open any ports to the outside.
Furthermore, the current firmware file 2024032701_110811(Download at Canaan offical) https://www.canaan.io/tmp/file/heaternano3slaverk2102024032701110811-61ee.zip does not make any visible changes and worse, does not change the firmware version in the API or the web backend.
http://<yourIP>/get_home.cgi
API data can be accessed without a password. For example, the Wifi SSID, the mining address, firmware, temperature, pool and so on.
My pool address changed several times. Always directed to https://web.public-pool.io/#/ with changing receiving addresses, but with my own worker name (after the .)
Be careful.
However, one thing is quite funny: the hacker or bot relies on solo mining. Not a good source of income.
Furthermore, the current firmware file 2024032701_110811(Download at Canaan offical) https://www.canaan.io/tmp/file/heaternano3slaverk2102024032701110811-61ee.zip does not make any visible changes and worse, does not change the firmware version in the API or the web backend.
http://<yourIP>/get_home.cgi
API data can be accessed without a password. For example, the Wifi SSID, the mining address, firmware, temperature, pool and so on.
My pool address changed several times. Always directed to https://web.public-pool.io/#/ with changing receiving addresses, but with my own worker name (after the .)
Be careful.
However, one thing is quite funny: the hacker or bot relies on solo mining. Not a good source of income.
