Summary: Dark Skippy, a newly discovered attack vector, poses a significant threat to Bitcoin hardware wallets by enabling the exfiltration of master seed phrases using malicious firmware. This firmware uses deterministic nonces in transaction signatures, allowing attackers to reconstruct seed phrases from just two transactions. The attack can be executed via compromised devices, distributed through supply chains or by installing malicious firmware, making it difficult to detect and prevent.
How malicious hardware wallet firmware can leak your Bitcoin seed phrase
Malicious firmware enables extraction of Bitcoin seed phrase using deterministic nonces in transaction signatures.
The attack hinges on using malicious firmware that alters the standard signing process. Typically, signing operations use a randomly generated nonce as part of the Schnorr signature process. However, in a device compromised by Dark Skippy, the firmware instead uses deterministic, low-entropy nonces derived from the master seed. Specifically, the first half of the seed is used for one transaction and the second half for another, allowing an attacker to piece together the entire seed if they can observe both transactions.
This attack requires that the signing device be corrupted, which can occur through various means: malicious firmware could be installed by an attacker or inadvertently by a user; alternatively, attackers might distribute pre-compromised devices through supply chains. Once in place, the compromised firmware embeds secret data within public transaction signatures, effectively using the blockchain as a covert channel to leak sensitive information.
The attacker monitors the blockchain for transactions with a specific watermark that reveals the presence of the embedded data. Utilizing algorithms such as Pollard’s Kangaroo, the attacker can retrieve the low-entropy nonces from the public signature data, subsequently reconstructing the seed and gaining control over the victim’s wallet.
Although this attack vector does not represent a new fundamental vulnerability—nonce covert channels have been known and mitigated to some extent—Dark Skippy refines and exploits these vulnerabilities more efficiently than previous methods. The subtlety and efficiency of this technique make it particularly dangerous, as it can be executed without the user’s knowledge and is challenging to detect after the fact.
Robin Linus is credited with Discovering the attack and bringing attention to its potential during a Twitter discussion last year. Further investigation during a security workshop confirmed the feasibility of extracting an entire 12-word seed using minimal computational resources, demonstrating the attack’s effectiveness and the ease with which it could be executed using even a modestly equipped system.
Mitigations for such attacks include implementing ‘anti-exfil’ protocols in signing devices, which can help prevent the unauthorized leaking of secret data. However, these defenses require rigorous implementation and continuous development to stay ahead of evolving threats.
The cryptographic community and device manufacturers are urged to address these vulnerabilities promptly to safeguard users against potential exploits facilitated by Dark Skippy and similar methods. Users should remain vigilant, ensuring their devices run genuine firmware and are sourced from reputable vendors to minimize the risk of compromise. Further, multi-sig setups can create additional defenses against the attack vector.
Link: The post “How malicious hardware wallet firmware can leak your Bitcoin seed phrase” first appeared on CryptoSlate.