|
Madness
|
 |
January 16, 2015, 01:23:43 PM |
|
Your funds are not safe neither in "cold storage". Read: https://www2.informatik.hu-berlin.de/~verbuech/klepto-ecdsa/klepto-ecdsa.pdf
many of you said "cold storage is the best". well. it is not. that explains many hacks in Bitcoin which some of the bitcoiners considered to be very safe. What's next? Mass withdrawals from Bitcoin. What can you do when you KNOW that your cold storage is exposed to be stolen? You must be stupid to keep your earnings there.
Are you a mind reader or something, haha. I was just reading the same thing on Coindesk and planning to share it here => http://www.coindesk.com/research-hackers-install-backdoor-bitcoin-cold-storage/
Anyway, to be honest, that really doesn't make me comfortable, those hackers always find a way to screw things up.
"The attacker only has to watch the blockchain until two [compromised] signatures appear ... the affected signatures are not detectable by anyone other than the attacker."
|
|
|
|
Blazr
|
 |
January 16, 2015, 01:26:39 PM |
|
Old news. This attack (bugged ECDSA implementation) has been known about for a long long time, before Bitcoin even existed.
The attacker must first create a compromised version of ECDSA. This is achieved with a kleptographic 'SETUP', or 'Secretly Embedded Trapdoor with Embedded Protection', which was first described in a 1997 paper by Adam Young and Moti Yung.
One of the weaknesses of cold storage is if your cold storage machine is compromised, you're fucked and there is almost nothing you can do to prevent that. There are many many ways an attacker can exfiltrate the private keys from a compromised cold storage machine, including as used in this case a bugged ECDSA implementation.
|
|
|
|
mayax (OP)
Legendary
Offline
Activity: 1470
Merit: 1004
|
 |
January 16, 2015, 01:26:55 PM |
|
Your funds are not safe neither in "cold storage". Read: https://www2.informatik.hu-berlin.de/~verbuech/klepto-ecdsa/klepto-ecdsa.pdf
many of you said "cold storage is the best". well. it is not. that explains many hacks in Bitcoin which some of the bitcoiners considered to be very safe. What's next? Mass withdrawals from Bitcoin. What can you do when you KNOW that your cold storage is exposed to be stolen? You must be stupid to keep your earnings there.
Are you a mind reader or something, haha. I was just reading the same thing on Coindesk and planning to share it here => http://www.coindesk.com/research-hackers-install-backdoor-bitcoin-cold-storage/
Anyway, to be honest, that really doesn't make me comfortable, those hackers always find a way to screw things up.
"The attacker only has to watch the blockchain until two [compromised] signatures appear ... the affected signatures are not detectable by anyone other than the attacker."
Sorry, I was faster. It happens to me so often (I am modest too) haha
Well, of course it is not comfortable to know that your funds can disappear any time. You wanna bet that some people will say: "neah, it cannot happen to me" EVEN so there are many hacking reports daily.
|
|
|
|
qwk
Donator
Legendary
Offline
Activity: 3570
Merit: 3513
Shitcoin Minimalist
|
 |
January 16, 2015, 01:27:31 PM |
|
TL;DR of the news: if you're able to install software on someone else's computer or modify the code he compiles, you can steal his coins. Duh. You should read the news before you post something like: Your funds are not safe neither in "cold storage". Read:
|
Yeah, well, I'm gonna go build my own blockchain. With blackjack and hookers! In fact forget the blockchain.
|
|
|
Kazimir
Legendary
Offline
Activity: 1176
Merit: 1013
|
 |
January 16, 2015, 01:30:07 PM |
|
many of you said "cold storage is the best". well. it is not. that explains many hacks in Bitcoin which some of the bitcoiners considered to be very safe.
Complete nonsense. This requires a backdoor being built into the software you're using to sign your transactions. I.e. using a compromised wallet. Well duh, if I'm using compromised wallet software, then obviously my coins aren't safe to begin with. FUD.
|
|
|
|
ChuckBuck
|
 |
January 16, 2015, 01:30:54 PM |
|
Read the article just now also. This is in theory only, and hasn't actually been executed on any wallets.
The attacker would have to install the backdoor software on your PC or offline wallet device to extract the private keys.
Basically, if you don't take the proper precautions on your PC or network, then yes you can get hacked.
According to article, this attack is unable to be performed at scale, so only one wallet at a time could be targeted.
|
|
|
|
Madness
|
 |
January 16, 2015, 01:32:26 PM |
|
Your funds are not safe neither in "cold storage". Read: https://www2.informatik.hu-berlin.de/~verbuech/klepto-ecdsa/klepto-ecdsa.pdf
many of you said "cold storage is the best". well. it is not. that explains many hacks in Bitcoin which some of the bitcoiners considered to be very safe. What's next? Mass withdrawals from Bitcoin. What can you do when you KNOW that your cold storage is exposed to be stolen? You must be stupid to keep your earnings there.
Are you a mind reader or something, haha. I was just reading the same thing on Coindesk and planning to share it here => http://www.coindesk.com/research-hackers-install-backdoor-bitcoin-cold-storage/
Anyway, to be honest, that really doesn't make me comfortable, those hackers always find a way to screw things up.
"The attacker only has to watch the blockchain until two [compromised] signatures appear ... the affected signatures are not detectable by anyone other than the attacker."
Sorry, I was faster. It happens to me so often (I am modest too) haha
Well, of course it is not comfortable to know that your funds can disappear any time. You wanna bet that some people will say: "neah, it cannot happen to me" EVEN so there are many hacking reports daily.
Rofl. I don't wanna bet because I just said the same thing to myself to be honest. I never got hacked in my life and planning to stay that way, but everything has a first.
|
|
|
|
Puppet
Legendary
Offline
Activity: 980
Merit: 1040
|
 |
January 16, 2015, 01:33:17 PM |
|
Yeah, title is nonsensical and sensationalist. If you created the cold wallet on a compromised PC, of course it's not going to be secure and there are 100x easier ways to steal the coins from such a wallet.
|
|
|
|
mayax (OP)
Legendary
Offline
Activity: 1470
Merit: 1004
|
 |
January 16, 2015, 01:33:21 PM |
|
Read the article just now also. This is in theory only, and hasn't actually been executed on any wallets.
The attacker would have to install the backdoor software on your PC or offline wallet device to extract the private keys.
Basically, if you don't take the proper precautions on your PC or network, then yes you can get hacked.
According to article, this attack is unable to be performed at scale, so only one wallet at a time could be targeted.
How do you know that it was not hacked? Hacking reports are daily including with the exchangers. What the article wants to say is that the cold storage is not safe at all.
|
|
|
|
ChuckBuck
|
 |
January 16, 2015, 01:40:22 PM |
|
Read the article just now also. This is in theory only, and hasn't actually been executed on any wallets.
The attacker would have to install the backdoor software on your PC or offline wallet device to extract the private keys.
Basically, if you don't take the proper precautions on your PC or network, then yes you can get hacked.
According to article, this attack is unable to be performed at scale, so only one wallet at a time could be targeted.
How do you know that it was not hacked? Hacking reports are daily including with the exchangers. What the article wants to say is that the cold storage is not safe at all.
Only reports of hacks are of the online, hot wallet variety. Cold storage is perfectly safe if you take the proper precautions.
From the article:
Conventional wisdom has it that coins in cold storage are safe from attacks because the private keys never come in contact with the Internet or any other network.
In general, this is true. Even if the cold storage device could be compromised by malware, stolen private keys would fail to be transmitted to a thief because it isn't connected to the Internet.
|
|
|
|
BaselessBitcoin
Newbie
Offline
Activity: 14
Merit: 0
|
 |
January 16, 2015, 01:51:25 PM |
|
Until we see this theorized exploit in action you have no reason to believe cold storage wasn't as safe as it was yesterday.
|
|
|
|
lucasjkr
|
 |
January 16, 2015, 02:06:04 PM |
|
If cold storage is vulnerable, then it would stand to reason that every wallet is vulnerable?
But my reading of the coinbase article leads me to believe that the attacker would need to have installed a compromised version of Bitcoin on the airgapped machine? Or else the upstream version of Bitcoin would need to be compromised? Or Armory, Electrum, etc, whichever wallet software the user is using. Am I wrong?
So, yes, if malicious actors gain commit privileges on the Bitcoin source, then offline wallets are compromisable, as are every other wallet. And if a malicious actor gains access to your airgapped machine in order to replace your binaries, you're also vulnerable. That's my interpretation. Doesn't seem like it's too much a worry, honestly. I mean, if an attacker gains such access, then it's game over regardless of which method of attack they use.
Or am I missing something?
|
|
|
|
Meuh6879
Legendary
Offline
Activity: 1512
Merit: 1012
|
 |
January 16, 2015, 02:10:26 PM |
|
The attacker must first create a compromised version of ECDSA. This is achieved with a kleptographic 'SETUP', or 'Secretly Embedded Trapdoor with Embedded Protection',
are you release what you say ... ? you ONLY can do that when you install corrupted version of bitcoin core highly modified with this. even in P2P file sharing client ... this sort of thing doesn't exist.
or for dumb people: DON'T DOWNLOAD official client from other places than https://bitcoin.org/bin
|
|
|
|
Guido
Legendary
Offline
Activity: 1061
Merit: 1001
|
 |
January 16, 2015, 02:12:11 PM |
|
media do a horrible job on stories so if they get hold of this (when), price will dump
|
I am Bonkers BTW Crypto OG + Digital Artist
|
|
|
mayax (OP)
Legendary
Offline
Activity: 1470
Merit: 1004
|
 |
January 16, 2015, 02:23:56 PM Last edit: January 17, 2015, 12:05:57 PM by mayax |
|
what it seems that you do not understand or you do not want to say is that: "Even if the manufacturer (https://bitcoin.org/) claims that it runs open-source code, how do you tell whether it is actually running what you compiled?" Verbücheln said.
in other words: MANY developers worldwide are working in their free time on a project, in this case, Bitcoin. That's why it's called OPEN SOURCE. These developers can put anything they want INTO the source code: ".... that some pieces of open-source code are so large and complex that even a dedicated community of developers may not detect a malicious addition."
So, COLD Storage can be easily hacked.
|
|
|
|
R2D221
|
 |
January 16, 2015, 02:26:33 PM |
|
what it seems that you do not understand or you do not want to say is that: "Even if the manufacturer (https://bitcoin.org/) claims that it runs open-source code, how do you tell whether it is actually running what you compiled?" Verbücheln said.
with other words: MANY developers worldwide are working in their free time on a project, in this case, Bitcoin. That's why it's called OPEN SOURCE. These developers can put anything they want INTO the source code: ".... that some pieces of open-source code are so large and complex that even a dedicated community of developers may not detect a malicious addition."
So, COLD Storage can be easily hacked.
That is true for any open source project, even the Linux kernel.
|
An economy based on endless growth is unsustainable.
|
|
|
RadBrad
Newbie
Offline
Activity: 2
Merit: 0
|
 |
January 16, 2015, 02:27:55 PM |
|
Misleading title, this has always been known... cold storage is safe if you take the correct precautions.
|
|
|
|
1Referee
Legendary
Offline
Activity: 2170
Merit: 1427
|
 |
January 16, 2015, 02:28:18 PM |
|
media do a horrible job on stories so if they get hold of this (when), price will dump
Nothing new... If people read that article, and I mean READ that article, then it's more funny than being informative. Average joe might think Bitcoin is hacked, broken, exploded, killed, etc. That's the sort of group of people who do believe these articles. In a nutshell: Nothing is 100% safe.
|
|
|
|
RainVein
Newbie
Offline
Activity: 4
Merit: 0
|
 |
January 16, 2015, 02:29:28 PM |
|
What if your base os is compromised and you use a livecd whilst being offline to store the coins.....can this make you unsafe?
|
|
|
|
|