A white-hat hacker has released a new tool designed to illustrate how easily illicit actors can steal bitcoins from brainwallets, a type of bitcoin wallet in which the password is not stored digitally but kept in the memory of the user.
Originally conceived as a way to keep sensitive wallet data offline and make bitcoin addresses easier to remember, the brainwallet was partly undone due to how it interacts with the bitcoin blockchain. A brainwallet uses a single, long password or phrase, converts it to a private key, a public key and finally an address. Using an offline attack, it’s possible to rapidly guess potential passwords to see if they’re correct.
New research by Ryan Castellucci, a security researcher at digital fraud firm White Ops, indicates there is a major flaw in this method. He highlights that the final bitcoin address is recorded in the blockchain as a password hash. When used for website authentication, password hashes help determine whether the word or phrase supplied is correct, meaning this data can be used as a reference by bad actors looking for the password.
Released on 7th August at DEF CON 23, one of the world’s largest annual hacker conventions, Castellucci’s brainwallet cracker, called Brainflayer, is capable of guessing 130,000 passwords a second. Running on more powerful computers, $1 can be used to check 560 million passphrases, according to its creator.
When this firepower is applied to ASCII passwords, ones constructed from US keyboard characters, and XKCD passwords, those comprised of four common words, Castellucci suggested a botnet could check every bitcoin address that has ever received funds in a single day.
In an interview, Castellucci sought to emphasize that, while the tool he released could be used by criminals, he hopes its release will encourage bitcoin users to adopt better security practices.
Castellucci told CoinDesk:
“You can scream from the rooftops that something is weak and vulnerable, but many people will just stay in denial without a working proof of concept. I think that the concept of letting humans choose their own passwords and passphrases for high security applications is fundamentally flawed.”
In this case, however, Castellucci’s presentation didn’t fall on deaf ears.
Following the release, BrainWallet.org, a website that used JavaScript to generate private keys for users, went offline. Though other services remain available, the closure was widely praised by members of the bitcoin security community.
According to Castellucci, the genesis for the project came in mid-2013, when bitcoin users first began reporting issues with brainwallet security.
Around the same time, a vigilante Reddit user known as btcrobinhood began stealing from brainwallets, returning the funds to their rightful owners in an effort to expose the vulnerability of the technology.
Inspired, Castellucci created an original cracker able to issue 10,000 password guesses a second, a far cry from Brainflayer’s capabilities. Still, as he recalls, he was able to feed the program simple word lists and achieve powerful results.
When he returned to his computer, he found the prototype Brainflayer had retrieved 250 BTC, then worth $20,000, from cracked brainwallets.
Castellucci said he was put into a difficult ethical situation as a result. He had two options – take some bitcoins as part of an effort to alert the wallet user that their security is vulnerable, or try to contact them through other means. Ultimately, he said he wasn’t sure what to do.
“For a while I just stopped my research,” he said. “I hoped the problem would go away. After all, many experts were saying that brainwallets were bad.”
When the problem didn’t disappear, he decided to return to the research, arguing that it was his responsibility to disclose the vulnerability so people could take appropriate steps to keep themselves protected.
“The idea is that if someone like me discovers a bug, they make a good faith effort to get the bug fixed before sharing it with the world. I’ve done this in the past, and I think it’s generally the right approach,” he said in a recent blog post.
The issue with brainwallets, however, is also one that affects anything secured by password protection, according to Castellucci.
As such, he suggested that those who are using brainwallets consider WarpWallets, which are currently considered to be improved iterations of the idea. A warpwallet generator available from Keybase, for instance, allows users to never have to save or store their private keys anywhere, provided they pick “a really good password”.
With WarpWallets, Castellucci said, a “salt”, or random data used as an input for hashing functions, is integrated into the equation. This means that if a user’s salt was their email address, a potential thief would need to know both the salt and the password to compromise funds.
Still, Castellucci advises those who use such wallets to use diceware to generate passwords, a process by which passwords are created by a pair of dice and a random number generator.
“It seems to be really, really hard to keep people from choosing their dog’s name and their birthday as a password. Scrypt can’t save people who use ‘P@ssw0rd’,” he said. “A lot of people seemed to think that a long passphrase was a secure passphrase, and I think I’ve proven that’s not necessarily true.”
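The effect of the salt and of passphrase size can be checked directly. The following is an added example, not code from Brainflayer or WarpWallet: it compares an unsalted SHA-256 derivation with a salted scrypt derivation and estimates search cost from the article's figures. The scrypt parameters, the sample email salts and the 2048-word list size are assumptions.

```python
import hashlib

GUESSES_PER_DOLLAR = 560_000_000  # article's figure for unsalted brainwallet guesses
GUESSES_PER_SECOND = 130_000      # article's figure for Brainflayer

def unsalted_key(passphrase: str) -> bytes:
    """Classic brainwallet derivation: one SHA-256 pass, no salt."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()

def salted_key(passphrase: str, salt: str) -> bytes:
    """Salted, memory-hard derivation. Cost parameters are illustrative."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt.encode("utf-8"),
                          n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)

def passphrase_space(wordlist_size: int, words: int) -> int:
    """Number of equally likely passphrases when words are picked at random."""
    return wordlist_size ** words

def exhaust_cost_usd(space: int) -> float:
    """Dollars to try every candidate once at the article's unsalted rate."""
    return space / GUESSES_PER_DOLLAR

def exhaust_years(space: int) -> float:
    """Years for one machine at the article's guess rate to try every candidate."""
    return space / GUESSES_PER_SECOND / (365 * 86400)

if __name__ == "__main__":
    # Unsalted: every user who picks this passphrase gets the same key, so a
    # single guess is checked against all funded addresses at once.
    print(unsalted_key("P@ssw0rd").hex())
    # Salted: same passphrase, different salts (constructed), unrelated keys.
    for salt in ("alice@example.com", "bob@example.com"):
        print(salt, salted_key("P@ssw0rd", salt).hex())
    # Search-space cost. 2048 is an assumed size for a "common words" list;
    # 7776 is the size of a diceware list (five dice rolls per word).
    for label, size, n in (("4 common words", 2048, 4), ("6 diceware words", 7776, 6)):
        space = passphrase_space(size, n)
        print(f"{label}: ${exhaust_cost_usd(space):,.0f}, "
              f"{exhaust_years(space):,.1f} machine-years")
```

The dollar and time estimates apply only to the unsalted case and only to passphrases chosen uniformly at random; a human-chosen phrase sits in a far smaller space than its length suggests.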
When asked how he plans to continue his work, Castellucci said he’s still in the process of considering follow-up actions.
So far, he’s considered adding support for other brainwallet-like tools to Brainflayer, including a mode that would scan with raw private keys. Still, he laments the stress that achieving any advance in bitcoin wallet security might bring.
“I still dread the possibility of finding another large brainwallet,” he said. “Outside of cryptocurrency, if you found a bunch of money and weren’t sure who it belonged to, you’d turn it into the police and let it be their problem.”
This process doesn’t work yet in the bitcoin ecosystem. As Castellucci noted, online forms of cash have no lost and founds, places where funds could be stored with a reliable third party until they could be claimed by their owner.
Still, while he likes the idea, more questions remain:
“Who would run such a thing? And what the legal implications would be? I am not sure.”