Bitcoin Forum
November 16, 2024, 12:37:56 PM *
News: Check out the artwork 1Dq created to commemorate this forum's 15th anniversary
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: [2018-01-04] Two New Hardware Bugs Affect Most Devices, Private Keys Vulnerable  (Read 74 times)
cybersofts (OP)
Copper Member
Sr. Member
****
Offline Offline

Activity: 658
Merit: 284



View Profile
January 04, 2018, 11:40:34 PM
 #1

Two New Hardware Bugs Affect Most Devices, Private Keys Vulnerable



Researchers have published a report on two hardware bugs that allow programs to steal sensitive data on affected devices, which is “most” devices worldwide.

For crypto users, these bugs are a direct threat to the security of their private keys, making the need for secure hardware storage of crypto funds even more pressing.


How do the bugs work?


The two bugs, known as Meltdown and Spectre, exploit security vulnerabilities in Intel, AMD, and ARM processors in any device, including PCs, laptops, tablets, and smartphones.

Meltdown affects all devices with Intel chips, which are estimated to be in 90% of all computers (desktop and laptop combined), the BBC reported.

Spectre potentially has an even wider reach, affecting Intel, ARM, and AMD chips in any kind of device. Meltdown and Spectre also work in the cloud.

The BBC also reported that the tech industry kept the threat a secret for up to six months via non-disclosure agreements, but now fears are mounting that public awareness could lead to real-life exploits.


Protecting your funds


Bitcoin core developer Jonas Schnelli referred to the newly reported security flaws in terms of how they affect Bitcoin users, laying out three steps to secure cryptocurrency holdings:

    The current privileged memory side channel attacks just confirms what many Bitcoin users already "know" (feel):

    * Don't trust your PC.
    * Don't think applications (and private keys) are shielded
    * Use a hardware wallet

    Background:https://t.co/0avUWC44oyhttps://t.co/pw0cLDWyZe
    — Jonas Schnelli (@_jonasschnelli_) January 4, 2018

Pavol Rusnak, the CTO of TREZOR manufacturer SatoshiLabs, tweeted Jan. 4 to confirm that its devices are unaffected by Meltdown and Spectre, noting:

    “Using a (hardware) wallet is now more important than ever.”

    As more people are asking: @TREZOR is not vulnerable to recent Meltdown and Spectre hardware attacks, because it has processor not affected by these. Also our firmware is always signed, so the device never runs untrusted code. Using a hw wallet is now more important than ever!
    — Pavol Rusnak (@pavolrusnak) January 4, 2018

In October 2017, the Ledger Nano S hardware wallet was number eight in the list of top ten best selling items on Amazon’s Computers and Accessories section. Today, Jan.4, the Ledger Nano S is number one.


Source: https://cointelegraph.com/news/two-new-hardware-bugs-affect-most-devices-private-keys-vulnerable
hatshepsut93
Legendary
*
Offline Offline

Activity: 3038
Merit: 2161


View Profile
January 05, 2018, 12:43:35 AM
 #2

Now people have more reasons to buy hardware wallets or setup their own cold storage, as I'm sure hackers will be quick to use those exploits to steal private keys from infected users. So far the most common method of getting your coins stolen is by installing fake wallet or visiting fake exchange site, but more sophisticated attacks are also happening, so if you are reading this and thinking that you are safe because you wasn't hacked so far, it doesn't mean that your coins won't get stolen in the future if you are handling your private keys on an online machine, and the risk is even higher if it's Windows or you are using cracked or unverified software.
darkangel11
Legendary
*
Offline Offline

Activity: 2478
Merit: 1360

Don't let others control your BTC -> self custody


View Profile
January 05, 2018, 05:45:54 PM
 #3

Quote
Don't trust your PC.
Don't think applications (and private keys) are shielded
Use a hardware wallet

Is this some kind of a hardware wallet ad? Let's scare people with a new virus and then offer a solution that involves spending money on something they might not need.
Hardware wallets don't resolve this situation as you will be forced to use hardware with a CPU anyway. The only solution is to be responsible and don't download and install tons of stuff, especially software downloaded via torrents. I've never heard of anyone who had installed a software wallet on a clean PC and had it compromised.
hatshepsut93
Legendary
*
Offline Offline

Activity: 3038
Merit: 2161


View Profile
January 05, 2018, 05:58:35 PM
 #4

Quote
Don't trust your PC.
Don't think applications (and private keys) are shielded
Use a hardware wallet

Is this some kind of a hardware wallet ad? Let's scare people with a new virus and then offer a solution that involves spending money on something they might not need.
Hardware wallets don't resolve this situation as you will be forced to use hardware with a CPU anyway. The only solution is to be responsible and don't download and install tons of stuff, especially software downloaded via torrents. I've never heard of anyone who had installed a software wallet on a clean PC and had it compromised.

Hardware wallets do resolve this issue because their chips seem to be unaffected by this bug. And this is not just some virus, it's a very serious hardware bug, and it can even be executed in your browser via Javascript, so technically some sites might steal sensitive data of their visitors, like passwords and private keys.

Not downloading unverified programs is a good advice, but it can be very-very hard to follow on practice, and in the end it doesn't guarantee that you won't get hacked, because there's so many potential attacks, and as cryptocurrencies are becoming more popular, hackers will focus more attention on stealing private keys. Keeping and using cryptocurrency wallets on an online machine is an unnecessary risk that can be mitigated by using hardware wallet or airgapped machine, and it would be unwise to not do so for people who are dealing with sufficiently large sums.
BigTeeths
Full Member
***
Offline Offline

Activity: 504
Merit: 100


View Profile
January 08, 2018, 07:49:57 AM
 #5

Quote
Don't trust your PC.
Don't think applications (and private keys) are shielded
Use a hardware wallet

Is this some kind of a hardware wallet ad? Let's scare people with a new virus and then offer a solution that involves spending money on something they might not need.
Hardware wallets don't resolve this situation as you will be forced to use hardware with a CPU anyway. The only solution is to be responsible and don't download and install tons of stuff, especially software downloaded via torrents. I've never heard of anyone who had installed a software wallet on a clean PC and had it compromised.

A really good marketing strategy I must say. I guess this is the one that I've heard that it can hack electrum only if you don't upgrade and don't have a password.
DooMAD
Legendary
*
Offline Offline

Activity: 3948
Merit: 3191


Leave no FUD unchallenged


View Profile
January 08, 2018, 10:37:31 AM
 #6

and it can even be executed in your browser via Javascript, so technically some sites might steal sensitive data of their visitors, like passwords and private keys.

It's still baffling that most people don't realise this and browse the web with JavaScript completely unrestricted.  Whether you're into cryptocurrencies or not, it's a security threat in general.  If you make use of traditional online banking, or doing anything even remotely financially sensitive, there's no way in hell you should be allowing JavaScript carte-blanche across the internet.  Just grab a reputable browser extension which allows you to select which of the websites you visit are permitted to run scripts and everything else will be blocked by default.  Even if you think the website itself can be trusted, many sites have scripts from other sources running in the background.  These can be perfectly legitimate and are commonly used for displaying multimedia content.  But they can also be malicious and infect your device.  Why take the risk?

▄▄▄███████▄▄▄
▄█████████████████▄▄
▄██
█████████▀██▀████████
████████▀
░░░░▀░░██████████
███████████▌░░▄▄▄░░░▀████████
███████
█████░░░███▌░░░█████████
███
████████░░░░░░░░░░▄█████████
█████████▀░░░▄████░░░░█████████
███
████▄▄░░░░▀▀▀░░░░▄████████
█████
███▌▄█░░▄▄▄▄█████████
▀████
██████▄██
██████████▀
▀▀█████████████████▀▀
▀▀▀███████▀▀
.
.BitcoinCleanUp.com.


















































.
.     Debunking Bitcoin's Energy Use     .
███████████████████████████████
███████████████████████████████
███████████████████████████████
███████▀█████████▀▀▀▀█▀████████
███████▌░▀▀████▀░░░░░░░▄███████
███████▀░░░░░░░░░░░░░░▐████████
████████▄░░░░░░░░░░░░░█████████
████████▄░░░░░░░░░░░▄██████████
███████▀▀▀░░░░░░░▄▄████████████
█████████▄▄▄▄▄▄████████████████
███████████████████████████████
███████████████████████████████
███████████████████████████████
...#EndTheFUD...
Lucius
Legendary
*
Offline Offline

Activity: 3430
Merit: 6152


Crypto Swap Exchange🈺


View Profile WWW
January 08, 2018, 10:49:40 AM
 #7

This is a serious case as regards safety on almost all devices manufactured in last 20 years and how much I read about this problem it can not be solved quickly and overnight.Actually the only correct way would be to replace all affected hardware,and this is mission impossible.

For all users of cryptocurrency this problem represents an even greater threat and give hackers even greater ability to steal our private keys in ways that are until recently were unimaginable.So only way to be safe is to move coins to paper wallets or to rely on hardware wallets which are currently safe from these vulnerabilities.There is no doubt that this will increase their sales,but I do not think they are behind this.

I do not know how effective software updates can be regarding this problem,but Windows released updates fix for Meltdown and Spectre,for Windows 10 it is automatic via Windows Update and for 7&8 for now it can be done only manually.Also update your browsers to latest version.

Read more here : https://www.windowslatest.com/2018/01/06/patch-meltdown-spectre-vulnerabilities-windows-10-8-1-7/

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
J. Cooper
Full Member
***
Offline Offline

Activity: 294
Merit: 125


Alea iacta est


View Profile
January 08, 2018, 04:27:21 PM
 #8

Quote
Don't trust your PC.
Don't think applications (and private keys) are shielded
Use a hardware wallet

Is this some kind of a hardware wallet ad? Let's scare people with a new virus and then offer a solution that involves spending money on something they might not need.
Hardware wallets don't resolve this situation as you will be forced to use hardware with a CPU anyway. The only solution is to be responsible and don't download and install tons of stuff, especially software downloaded via torrents. I've never heard of anyone who had installed a software wallet on a clean PC and had it compromised.

I dont' think it is but they're definitely using this situation to their advantage to the point where I'm tempted to order one (and I dislike hardware wallets run by 3rd party companies). I'm probably going to look into creating an airgapped paperwallet to ensure there's no chance I'm gritting anything stolen.
hatshepsut93
Legendary
*
Offline Offline

Activity: 3038
Merit: 2161


View Profile
January 08, 2018, 05:00:46 PM
 #9


It's still baffling that most people don't realise this and browse the web with JavaScript completely unrestricted.  Whether you're into cryptocurrencies or not, it's a security threat in general.  If you make use of traditional online banking, or doing anything even remotely financially sensitive, there's no way in hell you should be allowing JavaScript carte-blanche across the internet.  Just grab a reputable browser extension which allows you to select which of the websites you visit are permitted to run scripts and everything else will be blocked by default.  Even if you think the website itself can be trusted, many sites have scripts from other sources running in the background.  These can be perfectly legitimate and are commonly used for displaying multimedia content.  But they can also be malicious and infect your device.  Why take the risk?

NoScript is a very important security tool, but it doesn't prevent all the possible attacks, because users frequently turn on scripts, since most sites rely on it to display their content.
I'm not a security expert, but I think isolation is the strongest security practice - people who are dealing with very critical information (like Bitcoin private keys) should do so on separate, dedicated and when possible - airgapped machines that are used only for those sensitive operations and nothing else. $200-300 is a very reasonable price for protecting dozens or hundreds of dollars worth of value, but sadly some people, like the user that posted here earlier, think that it's enough to just run an antivirus and not download suspicious software.
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!