BCOS Monero Village - A Rundown of Security Issues in Crypto Wallets

Video in TIB AV-Portal: BCOS Monero Village - A Rundown of Security Issues in Crypto Wallets

Formal Metadata

CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Please welcome Marko Bencun. Thanks. Like Hyerin said, I'm Marko, I work at Shift Crypto in Switzerland, and we're producing hardware wallets, the BitBox. Today I want to talk about security issues in crypto software wallets, more so from the perspective of software devs that want to write a wallet, or maybe you want to integrate with wallets, and less so from the user's perspective. I'm sure you already know how to secure your cryptocurrencies. I'm also going to mention a couple of issues that are probably obvious to many of you, but still. I don't want to talk about the standard stuff, like which data type has to be used to represent satoshis and so on; I want to talk about stuff that I see in current software wallets that is not addressed properly. I want to kick this off with a small
history lesson. So a couple of years back there was an issue in an Android wallet, and a couple of guys posted on Bitcointalk with the same issue: they had an address, they sent some coins to it, and immediately the coins were stolen. And the very suspicious thing: the address had previous activity before they made it. So it's a classic. The guy already suspected, correctly, that it's about, you know, the random number generator, and he was completely right. So I want to go in and dissect the bug in detail. Roughly 245 people have been affected, or if I pick one lost, by this bug.

All right, so this is the function that they used to create the secret key that is used to create the public key that is used to create the receiving address, right? So fairly standard stuff: there's the SecureRandom class from Java; they replace the standard provider with their own that reads data from /dev/urandom, and then there's this extra seed that they mix in. And here it looks like it would replace the original seed, but it doesn't: they made sure to override the function and actually mix the entropy, so everything looks good. So what is this extra seed, we wonder? So this is the function that is called to set the extra seed. It's called "seed from random.org", and it's a random.org generator that they implemented, and this streams random data from the random.org public service to give you random data. So you might think that's a little strange too: do I really trust some site to give me random data? Probably not. But in the end, if you actually properly mix it with XOR, then, you know, everything should be all right; in the worst case you just have the same entropy as before, but, you know, it doesn't hurt really. Okay, also a small race condition I can spot here: there's a thread running to set the extra seed, but here the seed is set at some other point in time; you know, who knows if the seed is actually attached in time to the extra seed. So let's look at the code that gets the random data
from that URL. So I want to go through this code-review style, like if you were in the company and I was reviewing the pull request. So I start at the top and I see HTTP. Okay, that smells a little bit, right? Why isn't it HTTPS? You know, that could be a man-in-the-middle, et cetera, right? So then, you know, the connection is made, a GET request, I find some connection timeouts, and then there's this line which says that if random.org would respond with a, you know, redirect response, then this should be ignored and we should just get the data from there. At least I would just question the author: you know, there must be a reason he put it there; maybe it was secure in some way, maybe if you check the result or something, but I don't see any of this here. And in fact random.org did redirect to the HTTPS version; they started enforcing that, and this is their response. So because the redirect code was ignored, this is what they got. And then also suspicious, you know, in the end you would hope to check for a 200 OK response, or if not that, you know, if you get data from an untrusted source you would check that the output is what you think it is. For example, we have the length up there, and it's the length here, but they don't check if the output is the correct length. So what happens is, in the end, bad luck: the random data from random.org is just those bytes, more than 32 bytes, so it comes in. Going back to the set seed, you know, you think, okay, well, so that data didn't help, but it also didn't hurt, because that seed, as I said before, is XORing the data, so all is cool, right? What's the worst that can happen? Well, this is the function they used to set the provider, like their own implementation to override the standard implementation of SecureRandom, and you can see it gets the data from /dev/urandom, all is good, and it's set up here, but if the file does not exist then urandom is set to null and there is no
exception thrown, so the implementation falls back to the standard one from Android, and that one doesn't XOR the data, it just overrides it. So there you have it: the public key that they generated randomly ended up being a constant from random.org. It doesn't help that the SecureRandom provider by Android in some versions also has severe bugs where the entropy is not 128 bits but just 31, because they just zero some bits. And, you know, what are the takeaways from this? You know, we all get it: you're a startup, you have, you know, to get products to market, and the opportunity cost to write unit tests is high and code review is high, and I think it's forgivable if you don't have full coverage, like in areas where bugs are at most an annoyance. But if it touches your balance or your crypto keys or crypto in general, you should have review and functional tests, and I think at least one review would have caught at least one of the five issues before, whichever
would have prevented the outcome. The other takeaway is: if you fail, fail loudly. For example, if /dev/urandom is not available, you should just throw an exception and not think you can rely on something else. And the most difficult part is to test your assumptions, like in this part: I assumed that the random source is available on all platforms, but it turned out not to be the case. And it's a hard part, because oftentimes you really don't know what your assumptions are, as it is for me too. So just take a step back and consciously figure out: what am I assuming if I write this code? Like recently I had to port over some users from a wallet service to our wallet, and I assumed the gap limit was 20; in fact it was unlimited for all versions. So, you know, it's easy to just assume stuff even if you check the code, but it's good to double-check those things.

Next I want to do a quick note on address-replacing malware. Of course we all know them: there's malware out there that, you know, hijacks your clipboard and replaces your receiving addresses, or just a browser extension or a Tor proxy does the same. And one funny instance of that was when the ransomware Locky instructed their victims to pay the ransom to them via a Tor proxy, and the Tor proxy decided in turn to replace the address, so the Tor proxy was stealing from both the victims and the ransomware author, and they complained about that, or so I heard. And there's a couple of ways you could deal with this, and we are not there yet. I think in the end we will have a world where people are not copy-pasting addresses, of course, and there are various avenues to deal with this. One I'm interested in personally is, you know, kind of a standard where hardware wallets can be plugged in to any service and you can just transmit your keys in a secure way without any copying.

So one area that also interests me is memory errors. I have looked at various wallet implementations and I don't see many actually giving this the proper
attention that it deserves. You know, bit flips coming from cosmic rays et cetera are way too improbable to actually hit your private key or whatever, but, you know, old memory units that start to fail or degrade in bad ways, they can actually make your life better. Where does this manifest? If you generate the public key, you know, you multiply your private key by the generator, then you have a public key; if you have a bit flip or an error in the memory there and send funds to it, they're lost. Or what if you derive the public keys from an xpub: also if you don't double-check the results you could actually have a mistake in the hashing that is involved and also get an error. And also backups, of course: if you make a backup you should check that it produces the right hierarchies. And, well, this is the current implementation: it generates a public key and it immediately checks that the public key is valid by signing something. I think that could probably go a step further and also check it before making use of it. Yeah, if you have any hashing involved, like key derivation, password key stretching, derivations, then it doesn't hurt to do it twice in different memory locations just to reduce the likelihood. And then most wallet software
also just keeps the data in memory without any checksums or error-correcting codes, which could be an issue. Yeah, actually if you store a public key, or better, you're better off storing the address instead if the only thing we're going to do is receive money on it, except if you're in Ethereum land where, you know, checks are for versus.

The next topic is pretty trivial and I'm kind of embarrassed to even speak about it, but I feel I have to, because I have seen so many local web servers running without any authentication. And you might be, you know, a guy that wants to someday try to make a local web service that talks to Bitcoin RPC or Lightning clients, whatever. You think, because it's local, it doesn't matter, because I'm the only user that connects to it, no one else, so I don't need any authentication. But, you know, most people are not aware that browsers can access localhost, and I don't mean like if you type in localhost in the URL: I mean every website can do this. I had a small exchange here with one guy also, like, I was in his shoes a couple of years ago; I thought this was ridiculous, and to be honest I'm not sure why browsers even allow this. Anyway, case in point, there was an issue in Electrum last year, and Electrum, as you may know, is like one of the most used and widely popular wallets, and they also enabled their JSON-RPC over HTTP by default, and it had no password protection, so every website that you go to could in fact steal your privacy at least and your coins at best. Not only websites can do this; also, like, if you're on a shared web server, or if you have users on your machine, or maybe, you know, you have a local Apache running and there's a guy that can hack in and escalate privileges to the www-data user, then they can of course just scan the local ports and access your server even if it's under a different user. Of course, without saying, if you have authentication you should also use SSL, otherwise people can just sniff your authentication. And I'm thinking, I have to check, but I think I need to file an
issue with Electrum; I mean, they still don't have SSL there, and that's scary.

So phishing. Phishing is one of the worst problems in the World Wide Web because it can be arbitrarily sophisticated; there's no real way to just eliminate the threat of it, it's just an arms race. You could go to, of course, you know, the classics: a malicious wallet, a malicious web wallet. A guy from the Monero community, the hi hawk, came up with a nice instructional video, so this wasn't real, about showing how you can buy a VPS and some ads and make a fake URL like with a small Unicode, oh, very subtle, so no one will see this, to scam people into coming to MyMonero and giving up their private keys. And, you know, there is something you can do against this, which is use hardware, especially U2F, and hardware wallets; they go a very, very long way in solving a lot of the problems. Of course, you're not safe completely, but, like, I think Google mentioned they hadn't had a single successful phishing attempt since they introduced or required U2F. Even more than using U2F, hardware wallets help you because, you know, to give up your private keys you actually have to confirm manually on your device that you're giving up your coins. The hardware wallets can help you if they implement something like a whitelist. So this is an excerpt from the BitBox firmware: like, a couple of web wallets are just whitelisted, and if you connect anywhere else, it just doesn't work. And a couple of our users sent us thank-you notes because they went on some fake wallet .com or whatever and they couldn't connect, and they were happy that nothing worse happened. I'm toying with an idea, it's like early stage, I don't know: like in the web you can eliminate phishing attempts this way because the browser makes sure that the URL is encoded in the U2F protocol, but what if you download a native app, which in many ways is more secure than the web wallet, but there you're out of luck? And I'm thinking maybe I could use
hardware to install or launch any kind of wallet after making integrity checks. Also, please, like, I don't see nearly enough services supporting U2F; like, there's Dropbox and GitHub, et cetera, but I'm thinking Bitcoin exchanges, Monero exchanges, like all of them are still stuck with Google Authenticator, which is not secure.

I wanted to do a brief note on the choice of the tech stack if you want to build a web wallet or a wallet, and I don't want to go into, you know, too many of the hot topics where people debate if this is better or not; I just want to make a couple of points here. And one is that if you have a web wallet in the browser, even though you might be safer from phishing attacks, the browser is just the Wild West of security, like, I mean, everything goes, especially if you have a malicious browser extension that then subverts your phishing prevention: they can just put in arbitrary data, and, you know, they can ask the user to move their funds to a secure location because Trezor says so, but it's not Trezor, it's just an extension. All of those web wallets would probably be better off packaging it just in a native app. And of course the most popular one is Electron; a lot of apps run on Electron. I'm not a big fan; it has issues because in the front end as well as in the back end there's JavaScript, so the bridge to remote code execution is very small: you just have to find a small hole and you have access to everything, and node is on by default. But there's other easier ways: you can use Qt with the web engine, or you could use the Chromium Embedded Framework; they are more secure and also almost just as easy to actually build. You know, most people use web front ends because they are easier to build, they use less resources, you have more talent, more access to people you can use. But of course if you have the resources, you know, skip the web altogether and do native, like when the requirements are very simple.

Yeah, a quick note on programming languages. As I said
before, if you use JavaScript in the front end and in the back end you might have some issues; if you use C++ you have, like, a lot of memory issues which are really hard to get rid of even if you are very careful. And people tend to gravitate towards those two languages because they run everywhere: like JavaScript runs on Android, runs on iOS, C++ as well, and, you know, practically every wallet is in one of those two languages nowadays. And I just want to make the point that since maybe last year, Go and Rust and other languages that are compiled too are a very viable alternative, and you can use them effectively to make a full application on Android, iOS, Mac, Windows, Linux, server, and, you know, you don't have any remote execution bugs, no buffer overflows, no stack-smash protection that you have to put in place.

And privacy: it's not only about security;
if you lose your privacy you're also not secure. I don't want to go too much into why privacy matters; I want to just refer you to this great talk by Glenn Greenwald, check out this YouTube video, it's amazing. Today's wallets leak your privacy. For example, the aforementioned Blockchain Android wallet: if you go to random.org, then they know, and their provider knows, the hosting center knows, that you're using this Android wallet, which is not great. And, you know, if you use Electrum servers, if you use MyMonero or any web wallet, or Trezor, if they connect to a server, usually they can track you, maybe not to the same level, but you are. We can educate users about VPN and Tor and integrate it into the wallets and make it a one-click experience, but I think this is still probably not feasible or too hard. I want to, you know, encourage every wallet author to enable the user to connect to their own full node, and our wallet that we just recently released for the BitBox has that from the start, like, I think it's very important. But more so, I dream about the world where everyone has a plug-and-play node that they can install next to the router and do everything in a very simple manner, and with a bit of luck we can reach that goal. Like, at
Shift we've been toying a little bit with the idea, like an intern made some nodes, and we are toying with the idea of how, or if, this would be a product in the good future; we do think this would be amazing.

So where does this leave us with Monero? You may have noticed that my talk has been focused mostly on Bitcoin and stuff like that, other coins. In Monero, the current state is
that Monero is a little bit behind Bitcoin, maybe a couple of years, in terms of the wallet experience. There is the Monero GUI and the Monero command-line client, there is MyMonero.com, and that's basically it as of today. And MyMonero makes no, like, effort to be secure; it's by choice, deliberately; they have a really nice disclaimer that it's not secure, that's okay. And the Monero GUI is awesome: it is a full node, it runs, everything is good. But of course users will want to have light clients eventually, because running your node is very difficult, as in, in Monero especially so. And so I expect in the next couple of years to see a lot more light-client-like wallets being implemented for Monero on various platforms, and then maybe you can take away some of the notes I made today. Thank you. [Applause]

...which implications? So institutions have different requirements than end users mostly, and as of today there is no good solution for institutions to start doing real business on top of crypto, but a lot of companies are in this space, like, trying to make those solutions. Yeah, and you're going to have a hard time as an institution if you want to just pull together some of these clients and hardware wallets and do something on your own. It works; most, like, banks and institutions are doing it today too, with crazy amounts of money, but I wouldn't recommend it, and solutions are being rolled out as we speak. [Music]
thank you
I haven't thought about it a lot. I don't think, well, intuitively speaking, I don't think verifiable remote hardware works; I might be wrong, and although it still might be a reasonable solution, like, there's never, you know, you're secure or insecure, there's levels, and if you can have remote hardware which you can trust in some ways but not fully, then that's good and it's a step in the right direction. Still, in the end, I think it's best if you can have your own node at home. And also, like, your own node, if you buy it from a company like us, then how do we trust that? Like, the goal is of course also to have instructions to build it yourself with off-the-shelf, very cheap hardware.

I think I get it, coming in, are talking about Monero is the first choice for what, sorry? I was asking that this coin is maybe, because of privacy, it's kind of the first choice for the actors behind, like, exploit kits, the drive-by crime waves and any crime layer that, you know, involves crypto; they usually go for Monero. I still didn't get the part about Monero. I think you're asking about malicious activity of Monero and privacy, right? So I just want to refer you to this, this one over here; I urge you to watch it, like, this mirrors my view on privacy. Yeah, okay. Thank you.
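As an added illustration of the random.org story and the "fail loudly" takeaway from the talk (this is example code written here, not the talk's slides or the Android wallet's code), the following Python shows a seeding routine that validates an untrusted external seed, mixes it by hashing rather than XOR so that it can only add entropy, and raises instead of silently falling back when the OS source is missing. `EntropyError`, `os_entropy`, `validate_external_seed`, `mix_seeds`, `overwrite_seed` and `keys_collide` are constructed names, and the two users' entropy and the redirect page are constructed sample inputs.

```python
# Added example, not the talk's or the Android wallet's code. All names and
# sample inputs below are constructed for this illustration.
import hashlib


class EntropyError(RuntimeError):
    """Raised instead of returning None or degrading to a weaker source."""


def os_entropy(nbytes: int = 32, path: str = "/dev/urandom") -> bytes:
    """Read nbytes from the kernel source; fail loudly if it is absent."""
    try:
        with open(path, "rb") as f:
            data = f.read(nbytes)
    except OSError as exc:
        # The wallet's bug: a missing file left the source as null and the
        # code quietly fell back to a provider with different semantics.
        raise EntropyError(f"{path} unavailable: {exc}") from exc
    if len(data) != nbytes:
        raise EntropyError(f"short read from {path}: {len(data)} bytes")
    return data


def validate_external_seed(status: int, body: bytes, expected_len: int) -> bytes:
    """Accept remote seed bytes only when the response is exactly as assumed.

    A 3xx redirect or any other non-200 status means body is an HTML page,
    not entropy; a wrong length means the same. Both are rejected.
    """
    if status != 200:
        raise EntropyError(f"unexpected HTTP status {status}")
    if len(body) != expected_len:
        raise EntropyError(f"expected {expected_len} bytes, got {len(body)}")
    return body


def mix_seeds(primary: bytes, extra: bytes) -> bytes:
    """Hash both inputs together: the output is unpredictable whenever either
    input is, so a constant or attacker-chosen extra seed cannot reduce
    entropy (the property the talk attributes to XOR-mixing)."""
    return hashlib.sha256(primary + extra).digest()


def overwrite_seed(primary: bytes, extra: bytes) -> bytes:
    """What the fallback provider effectively did: the extra seed replaces
    the state, so the secret depends only on the untrusted input."""
    return extra


def keys_collide(mixer) -> bool:
    """True iff two users with independent OS entropy but the same constant
    'random' response (a redirect page, constructed here) get the same key."""
    redirect_page = b"<html><body>301 Moved Permanently</body></html>"
    # Constructed stand-ins for two users' /dev/urandom reads.
    user_a = hashlib.sha256(b"user-a-os-entropy").digest()
    user_b = hashlib.sha256(b"user-b-os-entropy").digest()
    return mixer(user_a, redirect_page) == mixer(user_b, redirect_page)


if __name__ == "__main__":
    print("overwrite collides:", keys_collide(overwrite_seed))  # True
    print("hash-mix collides:", keys_collide(mix_seeds))  # False
    try:
        validate_external_seed(301, b"<html>301 Moved Permanently</html>", 32)
    except EntropyError as exc:
        print("rejected:", exc)
```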