Could attackers make your web browser mine for bitcoins? How about your TV? Security flaws in some systems might make it possible, say experts.
German researchers have discovered a flaw in Hybrid Broadcast Broadband TV (HbbTV) television sets that could allow an attacker to run malicious code, including bitcoin miners, says one report.
These devices are among a growing number of Smart TVs, always connected to the Internet and accessing online services in addition to digital TV, to improve the viewing experience. The research was carried out by Marco Ghiglieri, Florian Oswald and Erik Tews of the Technical University of Darmstadt. Martin Herfurt from Germany consultancy Nruns also explored the Samsung TVs in question. They were found to have flaws that would allow attackers to inject their own content.
This has happened before with other Samsung TVs. Some believe that it is possible to run bitcoin miners on hacked devices such as these.
“It is completely possible, and some Smart TVs have been hacked remotely,” said cryptography and security expert Sergio Lerner, CEO of Argentinian company Certimix, who is involved in testing security flaws in the Bitcoin protocol.
SC Magazine’s report argues that a browser-based JavaScript miner, such as Bitcoin Plus, could be used to manipulate smart TV browsers into mining for coins. This software uses a link to a remote JavaScript file, contained in code that can be embedded into any web page (there’s also a WordPress plugin). Computers visiting a page with the code will be persuaded to start mining the coins, sending them to the page owner’s address.
We have seen others using the idea of embedded JavaScript to ‘steal’ CPU power from visiting computers. One savvy team of programmers has created Smidge, a technology that divides problems between lots of computers visiting a single web site. They’re using it to solve chess problems now, but a web-based distributed bitcoin miner surely can’t be far away, says one.
Using lots of computers to do your bidding without consent is known as botherding – and a network of these zombie machines is called a botnet. Perhaps we should call the same technique for mining bitcoins bitherding. And such a network would be a bitnet.
“I assume you can use pretty much any system and any hardware to mine bitcoins, it’s just a matter of efficiency,” says Claudio Guarnieri, a researcher at security firm Rapid7, who has explored bitnets such as Skynet in the past. These generally involve malware placed on a machine, whereas these ‘attacks’ use JavaScript not to install any malware, but simply to have the victim do some free computation.
The problem with bitherding using CPU power is that you just need so much of it, points out Guarnieri, disagreeing with Nadolny. “Both the cases that you specified are interesting hacks, but they will never be a profitable way to mine Bitcoins: using JavaScript would just be too slow.”
Skynet had between 150,000 and 200,000 hosts, and that was relatively successful, he said. Lerner agrees. “A Smart TV would be a very slow Bitcoin miner and you will need a thousands TVs to earn something meaningful. Not a good source of income,” he asserts.
It would be very slow. An Intel Core2 Duo will deliver around 2.5Megahashes/sec, meaning that you’d need to have 240 of those users visit your site to equal the hash rate of an AMD 7970.
That said, it isn’t outside the realm of possibility to control a GPU with a web page, upping the computing power. WebGL, the web-based graphics language designed for high-performance online graphics, has been used to create hardware-accelerated examples.
You might have more of a chance making this work with a Scrypt-based currency, which is CPU and GPU friendly, and many of which have a lower hash rate. Feathercoin’s current normal hash rate is around 660 Megahashes/sec, making those 240 CPUs far more tractable.
That assumes that these unwitting visitors are not doing anything else with their computer, and stay on your web site. But then, how do you get people to stay on the page? You’d need sustained, constant hit rates, with people keeping the page open, to make the mining work. That’s fine if you’re enlisting a bunch of volunteers (in which case, it isn’t a bitnet, it’s a community). Less so if you’re trying to deceive people into browser-based mining.
You’d need to embed this on a very popular site, and if you’re the type of person to bitherd anyway, you’d probably just infect visitors’ computers with a drive-by download, so that you could have them mine unwittingly even when they’re off the site.
The most appropriate way to mount a bitherding attack would be to compromise a machine directly and have it use its GPU, agrees Guarnieri. “There are tons of botnets dropping bitcoin miners, in most cases they actually just embed a legitimate mining client like the Ufasoft one,” he says.
Alternatively, you’d target gaming-optimised systems that would be more likely to have the kinds of graphics-friendly software well known for high hash rates. This is exactly what the E-Sports Entertainment Association (EASA) did, when it embedded bitcoin mining software inside its client software – allegedly as an April fool’s prank – and irritated its users. The client was designed to stop other players cheating while you were playing online games, but the firm included the bitcoin mining code as a covert extra, before pulling the patch some weeks later in response to user complaints.
In short, then, hacking TVs to mine bitcoins, or maliciously deceiving computers into mining them simply by visiting a web site, is a specious proposition. There are far easier ways to covertly strongarm people into mining your coins for you. But if you wanted to marshall a team of non-technical volunteers into knowingly mining Scrypt-based currencies for a good cause, that idea may just have legs.