Antbleed: A remote shutdown backdoor in antminers

[achow101]

Antbleed is a backdoor introduced by Bitmain into the firmware of their bitcoin mining hardware Antminer.

The firmware checks-in with a central service randomly every 1 to 11 minutes. Each check-in transmits the Antminer serial number, MAC address and IP address. Bitmain can use this check-in data to cross check against customer sales and delivery records making it personally identifiable. The remote service can then return "false" which will stop the miner from mining.

Read http://www.antbleed.com/ for more info

The shutdown backdoor has been independently tested by multiple people.

Edit:

I have analyzed the code and I have determined how this is happening and most likely why it was put there.
First, let's start with the how. The firmware will spawn a thread which calls the send_mac function which, as the name implies, sends data about the machine to the AUTH_URL auth.minerlink.com. The device then will attempt to receive data from the server and check if the response is false. If it is, the function returns true which sets the stop_mining global variable to be true.

When that variable is true, in the temperature checking thread, it will set the status_error global variable to true. That will then tell the work update function to not send out jobs so it is no longer mining.


Now for the why.

Bitmain previously was going to launch a service called Minerlink. This service never launched, but it was intended get the "real-time miner status remotely". There is probably a feature that allows you to make sure that the only miners submitting work for you are your miners, hence the need for an auth url. It is also possible that another feature was to allow you to remotely stop a machine from mining if it were misbehaving. This would explain why this code was put there in the first place. However, since minerlink does not exist, this functionality is now a liability and should have been removed long ago.

[1713971580]

1713971580

[gentlemand]

What's more interesting is that anyone can brick them according to this -

https://www.reddit.com/r/Bitcoin/comments/67qwqv/antbleed_exposing_the_malicious_backdoor_on/dgsk6cf/

[Yakamoto]

Antbleed is a backdoor introduced by Bitmain into the firmware of their bitcoin mining hardware Antminer.

The firmware checks-in with a central service randomly every 1 to 11 minutes. Each check-in transmits the Antminer serial number, MAC address and IP address. Bitmain can use this check-in data to cross check against customer sales and delivery records making it personally identifiable. The remote service can then return "false" which will stop the miner from mining.

Read http://www.antbleed.com/ for more info

The shutdown backdoor has been independently tested by multiple people.

So we know that the backdoor allows for there to be a false shutdown command sent to miners, is there any idea what other kinds of exploits are possible off of this, beyond some potential shenanigans happening with miner's hardware?

I'm looking through it and I'm not seeing anything that says anything about further potential implications of this bug. I don't believe it would be possible to take remote control of the hardware through this, would it?

[zerosumking]

Antbleed is a backdoor introduced by Bitmain into the firmware of their bitcoin mining hardware Antminer.

The firmware checks-in with a central service randomly every 1 to 11 minutes. Each check-in transmits the Antminer serial number, MAC address and IP address. Bitmain can use this check-in data to cross check against customer sales and delivery records making it personally identifiable. The remote service can then return "false" which will stop the miner from mining.

Read http://www.antbleed.com/ for more info

The shutdown backdoor has been independently tested by multiple people.

So we know that the backdoor allows for there to be a false shutdown command sent to miners, is there any idea what other kinds of exploits are possible off of this, beyond some potential shenanigans happening with miner's hardware?

I'm looking through it and I'm not seeing anything that says anything about further potential implications of this bug. I don't believe it would be possible to take remote control of the hardware through this, would it?

I'm reading that they could also do a remote reflash of the firmware and potentially brick the hardware.

[eaLiTy]

The shutdown backdoor has been independently tested by multiple people.

So this means that they can literally shut down any miners at will using their hardware,which is really scary and with the scaling debate going on they could literally shut down any miners and reach a consensus and if that is the case i hope the patch works by upgrading the firmware but even an upgrade could mess things up.This is the fruits of monopoly and nothing can be done against it , which is ridiculous.

[Yakamoto]

Antbleed is a backdoor introduced by Bitmain into the firmware of their bitcoin mining hardware Antminer.

The firmware checks-in with a central service randomly every 1 to 11 minutes. Each check-in transmits the Antminer serial number, MAC address and IP address. Bitmain can use this check-in data to cross check against customer sales and delivery records making it personally identifiable. The remote service can then return "false" which will stop the miner from mining.

Read http://www.antbleed.com/ for more info

The shutdown backdoor has been independently tested by multiple people.

So we know that the backdoor allows for there to be a false shutdown command sent to miners, is there any idea what other kinds of exploits are possible off of this, beyond some potential shenanigans happening with miner's hardware?

I'm looking through it and I'm not seeing anything that says anything about further potential implications of this bug. I don't believe it would be possible to take remote control of the hardware through this, would it?

I'm reading that they could also do a remote reflash of the firmware and potentially brick the hardware.

This is something I was wondering about. Considering that they have the potential to shutdown hardware I would be surprised if there wasn't the possibility for them to start bricking hardware as well. I hope that Antminer gets this fixed, but it sure as hell might cause issues for a lot of people using their hardware if this doesn't start to get fixed quickly. Constant shutdowns and restarts aren't something that a miner wants to deal with a lot of the time, and a bricked piece of hardware is definitely not something they want.

[achow101]

This is something I was wondering about. Considering that they have the potential to shutdown hardware I would be surprised if there wasn't the possibility for them to start bricking hardware as well. I hope that Antminer gets this fixed, but it sure as hell might cause issues for a lot of people using their hardware if this doesn't start to get fixed quickly. Constant shutdowns and restarts aren't something that a miner wants to deal with a lot of the time, and a bricked piece of hardware is definitely not something they want.

There seems to be an exploit where you can send it more data than it is expecting and thus write into memory that you shouldn't thus allowing for a remote code execution exploit.

Edit: That is actually not exploitable. However bitmain supposedly has a way to reflash firmware remotely: https://www.reddit.com/r/Bitcoin/comments/67qwqv/antbleed_exposing_the_malicious_backdoor_on/dgsk6cf/

[FiendCoin]

First ol'Jihan says SegWit is good code but he has to oppose it at all costs with no real justifiable reason and then his fucking backdoor comes to light!

This fuckturd is trying to destroy Bitcoin. When will people wake up!

[BillyBobZorton]

So if I understood it correctly, bitmain has a remote kill-switch (effectively, since they can brick the machines with the firmware change) on 70% of hashrate? fanastic. What are we supposed to do now, other than change the PoW algo immediately? Core Devs should be having a meeting with non-Bitmain miners right now proposing a roadmap to change the algo and leave Bitmain isolated. I don't think even the BU camp is stupid enough to keep supporting Jihan and his rigged miners anymore.

Anything but open source mining machines should be totally banned from the network. Ideally we should go back to 1cpu=1miner with a new PoW, but how do we guarantee that we will not end up like this again? at least we'll set a precedent I guess.

Anyway, I hope Core Devs are already on this like I said before. We can't go no longer than a week sitting under explosives.

[gentlemand]

So if I understood it correctly, bitmain has a remote kill-switch (effectively, since they can brick the machines with the firmware change) on 70% of hashrate? fanastic. What are we supposed to do now, other than change the PoW algo immediately?

It looks like it can be blocked with a change of code. And it also looks like it's an old feature named Minerlink that was never put into action but left there to fester. That's giving the benefit of the doubt of course. Regardless, leaving a gaping hole like that isn't doing anyone any favours.

[BillyBobZorton]

So if I understood it correctly, bitmain has a remote kill-switch (effectively, since they can brick the machines with the firmware change) on 70% of hashrate? fanastic. What are we supposed to do now, other than change the PoW algo immediately?

It looks like it can be blocked with a change of code. And it also looks like it's an old feature named Minerlink that was never put into action but left there to fester. That's giving the benefit of the doubt of course. Regardless, leaving a gaping hole like that isn't doing anyone any favours.

Who is naive enough to think this was only a mistake that was left there without fixing? Looks like an obvious kill-switch to me. Why did no one see this yet? Isn't firmware code open source? Im not sure how this works, so im going to need more data. But to me this sounds like a way for Jihan to be able to kill BTC at any given time. How the fuck we managed to not notice this earlier? this is a disaster. Imagine if Jihan got paid by PBOC trillions to brick all the ASICs at once...

[achow101]

Who is naive enough to think this was only a mistake that was left there without fixing?

In order to remain objective, I gave them the benefit of the doubt and assumed no malice (I'm pretty sure gentlemand is quoting me from my responses on reddit).

Looks like an obvious kill-switch to me. Why did no one see this yet? Isn't firmware code open source? Im not sure how this works, so im going to need more data. But to me this sounds like a way for Jihan to be able to kill BTC at any given time. How the fuck we managed to not notice this earlier? this is a disaster. Imagine if Jihan got paid by PBOC trillions to brick all the ASICs at once...

The firmware is fairly difficult to read. The code paths involved here are quite odd and not really intuitive, although once you know what you are looking for, it is fairly obvious. The phone home code was well known beforehand as that is fairly obvious, but that it can cause a remote stopping of mining was unknown.

[Quantus]

Holy shit

So Sergio and Slush both noticed that there's a remote code execution vulnerability in this backdoor. The backdoor has NO authentication, so any MITM attacker or DNS attacker can trigger it.
With remote code execution you can reflash the firmware on those miners, and once you do that you can permanently brick them. In fact, it's almost certain that you could permanently destroy the HW - I used to work as an electronics designer, and I did that by accident w/ bad firmware quite a few times.
So tl;dr: we have a backdoor that could permanently kill ~70% of the Bitcoin hashing power, and it can be triggered by anyone with MITM capability or the ability to change DNS records.

Makes one wonder what else we don't know, what we have overlooked...

Plz vote in my poll. "Is franky1 a shill?" https://bitcointalk.org/index.php?topic=1874675.0

[anonymoustroll420]

This is absolutely fucked. I think there is a real good argument to be made to change the PoW algorithm to something that is harder to build custom hardware for, something like Cuckoo Cycle. This is only the beginning of shit like this, it'll only get worse from here on. For the first time since 2011, I am bearish on the future of Bitcoin. We really need to address the problem of mining centralization, this is our biggest threat right now and it's not an easy one to fight.

[anonymoustroll420]

But to me this sounds like a way for Jihan to be able to kill BTC at any given time. How the fuck we managed to not notice this earlier? this is a disaster. Imagine if Jihan got paid by PBOC trillions to brick all the ASICs at once...

Not even just Jihan. The code doesn't properly authenticate the server. Any random asshole with MITM can switch off ASIC's. The chinese government could turn off all antminers GLOBALLY using the Chinese firewall to MITM the phone home connections. Anyone in the world with access to a BGP router can do it. Anyone who can MITM the connection between the ASIC and bitmain can do it.

[MingLee]

Holy moly dude, why did they have to try and make some kind of interlinking network system for their hardware? Why couldn't they have left it like it was before? Enough people were able to use it that I don't see why they would have to change it for any reason.
Whatever. It's not like I can change anything by posting on a forum. I just hope they fix it up and stop trying to do stuff like this. Otherwise it might get worse when it comes to exploits.

[NotFuzzyWarm]

....
This is very very old 'news' and been mentioned lord how many times in the past.
As mentioned earlier it was for the Minerlink service. The early s7's used to have a page on the Bitmain GUI to set it, was removed after maybe batch-10 or so.

Like ANY remote monitor program/service (Awesome Miner comes to mind) the miners must periodically be polled to see how they are doing. Only difference here is it was a cloud service and ran by Bitmain.

As posted earlier: If ya don't like it just re-direct the query to localhost. 'Problem' solved.

Yes for whatever reason, the code still remains and YES Bitmain should remove it since it serves no purpose and is a needless 'possible feature'.

[ebliever]

1. We should give BitMain the benefit of the doubt, but we should also demand answers to hard questions. Once the original functionality was no longer viable it really should have been eliminated via a firmware upgrade. Why didn't they recognize this vulnerability and act to protect their customers?

2. A sudden change of PoW would be catastrophic and should not be an option. However, a roadmap to a non-ASIC future should be considered, with the shift happening ~1 year out to give current miners time to ROI with current hardware.

[adaseb]

Do these miners really represent 70% of all the global hashrate?

I am sure they are people still mining with Antminer S2 with free power at their dorm or people got some SP30 running in some cheap power areas.

[NotFuzzyWarm]

And antbleed.com needs to modify their statements about what miners have it. I will verify tomorrow but am POSITIVE my few remaining batch-1, 3, and 5 s7's have the MinerLink option in the GUI.