Hardware hacker Joe Grand is back with another hacking video: I hacked time to recover $3 million from a Bitcoin software wallet.

This time, he managed to get into a software wallet that had been inaccessible since 2013. His client had created the password with the password generator of RoboForm (closed-source): a 20-character password made of (what the client believed were) upper- and lower-case letters, numbers, and special characters.
He used the generated password as the passphrase for his wallet and also saved a copy in a TrueCrypt-encrypted partition on his computer. That partition later got corrupted, so the saved copy was lost too.
The 43.6 BTC were worth a couple of thousand euros at the time. At the current price, that's around $3 million.
With the help of a software hacker named Bruno, the pair decided to reverse-engineer RoboForm instead of trying to brute-force a 20-character password: a truly random 20-character password mixing four character classes is far beyond any brute-force budget, so the only practical route was a weakness in how the password had been generated.
The following is a quick summary of the video with spoilers. Don't read it if you want to watch the video first!

The experiment proved that RoboForm wasn't generating truly random passwords in the past (maybe it still isn't).
By going through the software's changelog, they discovered that the RoboForm developers had increased the randomness of generated passwords in a 2015 release. That was a hint that earlier releases weren't random enough.
Joe and Bruno's target became the part of the code responsible for password generation. They found that the password shown in the GUI is held in process memory, which gave them a starting point; with the help of Ghidra, they then disassembled the binary to find the routine where the generation actually happens.
While looking through that code, they noticed a call that reads the system time. Its result was fed into the random number generator used to build the password, which makes the output a deterministic function of the clock (plus the chosen length and character classes): anyone who knows roughly when a password was generated, and with which settings, can regenerate it. Using a debugger, they confirmed that by overriding the time value the code reads, they could trick the software into generating passwords from the past.
They created a piece of code that sets the time, triggers generation, and saves each resulting password. The client gave them the timeframe in which he believed he had created his password, and they started regenerating the passwords for every timestamp in that window. It ended up being millions of candidates.
After some additional work and tweaking of the assumptions (recall that the client was not certain of the exact character-set settings), they hit the correct password and recovered the lost bitcoin.
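The whole attack in miniature, as an added example that is not code from the video and does not reproduce RoboForm's actual algorithm: a toy generator whose only flaw is seeding its PRNG with the clock, a stand-in wallet that accepts or rejects a passphrase, and a recovery loop that replays every second of the owner's time window for each plausible settings combination (special characters on or off), since the owner was unsure of the settings. The function names, the special-character alphabet, the hash-based wallet stand-in and the dates are all my own assumptions for the demo.

```python
import hashlib
import random
import string
from datetime import datetime, timedelta, timezone

# Character classes the toy generator can draw from. The special-character
# set is an assumption for illustration, not RoboForm's real alphabet.
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "special": "!@#$%^&*",
}


def weak_generate(seed_time, length, classes):
    """Model of a time-seeded generator (hypothetical, not RoboForm's code):
    the PRNG is seeded with the clock in whole seconds, so the same second
    and the same settings always yield the same password."""
    alphabet = "".join(CHARSETS[c] for c in classes)
    rng = random.Random(int(seed_time.timestamp()))  # the flaw: seed = clock
    return "".join(rng.choice(alphabet) for _ in range(length))


def make_wallet(password):
    """Stand-in for the encrypted wallet: keep a hash of the passphrase and
    report whether a candidate unlocks it."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    return lambda candidate: hashlib.sha256(candidate.encode()).hexdigest() == digest


def recover(start, end, length, settings_options, unlock):
    """Replay the clock over [start, end] at one-second granularity for each
    plausible settings combination. Returns (time, password, tried) for the
    first candidate the wallet accepts, or (None, None, tried)."""
    tried = 0
    for classes in settings_options:
        t = start
        while t <= end:
            tried += 1
            candidate = weak_generate(t, length, classes)
            if unlock(candidate):
                return t, candidate, tried
            t += timedelta(seconds=1)
    return None, None, tried


# Constructed scenario: the password was generated at a moment unknown to us,
# inside a window the owner remembers, with settings he is not sure about.
TRUE_TIME = datetime(2013, 3, 15, 14, 22, 7, tzinfo=timezone.utc)
TRUE_CLASSES = ["lower", "upper", "digits"]   # no specials, unknown to the attacker
LENGTH = 20
WALLET_UNLOCK = make_wallet(weak_generate(TRUE_TIME, LENGTH, TRUE_CLASSES))

# Try the settings the owner believes he used first, then the alternative.
SETTINGS_OPTIONS = [
    ["lower", "upper", "digits", "special"],
    ["lower", "upper", "digits"],
]
WINDOW_START = datetime(2013, 3, 15, 14, 0, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2013, 3, 15, 15, 0, 0, tzinfo=timezone.utc)


def run_demo():
    """Run the recovery over the constructed one-hour window."""
    return recover(WINDOW_START, WINDOW_END, LENGTH, SETTINGS_OPTIONS, WALLET_UNLOCK)


if __name__ == "__main__":
    when, password, tried = run_demo()
    print(f"recovered after {tried} candidates: {when} -> {password}")
```

A one-hour window is 3,601 candidates per settings combination; a window of several weeks, as in the video, is millions, which is still trivial compared with brute-forcing a genuinely random 20-character password. The point of the search is that the unknown has collapsed from "which of 70^20 strings" to "which second, with which settings", and the second loop over settings is what rescues the search when the owner misremembers the generator options.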
Link to the video:
I hacked time to recover $3 million from a Bitcoin software wallet