BeatCoin: Leaking Private Keys from Air-Gapped Cryptocurrency Wallets

Cryptocurrency wallets store the wallet's private key(s) and are therefore a lucrative target for attackers. With possession of the private key, an attacker effectively owns all of the currency in the compromised wallet. Managing cryptocurrency wallets offline, on isolated ('air-gapped') computers, has been suggested as a way to protect the private keys from theft. Such air-gapped wallets are often referred to as 'cold wallets.' In this paper we show how private keys can be exfiltrated from air-gapped wallets. In our attack model, the attacker first infiltrates the offline wallet, infecting it with malicious code. The malware can be preinstalled, pushed in during the initial installation of the wallet, or introduced when removable media (e.g., a USB flash drive) is inserted into the wallet's computer in order to sign a transaction. These attack vectors have repeatedly been proven feasible in the last decade (e.g., [1], [2], [3], [4], [5], [6], [7], [8], [9], [10]). Having obtained a foothold in the wallet, an attacker can use various air-gap covert channel techniques (bridgeware [11]) to jump the air gap and exfiltrate the wallet's private keys. We evaluate a range of exfiltration techniques, including physical, electromagnetic, electric, magnetic, acoustic, optical, and thermal channels. This research shows that although cold wallets provide a high degree of isolation, they are not beyond the capability of motivated attackers, who can compromise such wallets and steal private keys from them. We demonstrate how a 256-bit private key (e.g., a Bitcoin private key) can be exfiltrated from the offline, air-gapped wallet of a fictional character named Satoshi within a matter of seconds.

[1] Guillermo Navarro-Arribas et al. QR steganography: A threat to new generation electronic voting systems, 2014, 11th International Conference on Security and Cryptography (SECRYPT).

[2] Luke Deshotels et al. Inaudible Sound as a Covert Channel in Mobile Devices, 2014, WOOT.

[3] Mark Galeotti et al. The cyber menace, 2012.

[4] Mordechai Guri et al. Acoustic Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard-Drive Noise ('DiskFiltration'), 2017, ESORICS.

[5] Elaine Shi et al. Hawk: The Blockchain Model of Cryptography and Privacy-Preserving Smart Contracts, 2016, IEEE Symposium on Security and Privacy (SP).

[6] Mordechai Guri et al. MOSQUITO: Covert Ultrasonic Transmissions Between Two Air-Gapped Computers Using Speaker-to-Speaker Communication, 2018, IEEE Conference on Dependable and Secure Computing (DSC).

[7] Michael Hanspach et al. On Covert Acoustical Mesh Networks in Air, 2014, J. Commun.

[8] Marc Pilkington et al. Blockchain Technology: Principles and Applications, 2015.

[9] Mordechai Guri et al. USBee: Air-gap covert-channel via electromagnetic emission from USB, 2016, 14th Annual Conference on Privacy, Security and Trust (PST).

[10] Mordechai Guri et al. aIR-Jumper: Covert Air-Gap Exfiltration/Infiltration via Security Cameras & Infrared (IR), 2017, Comput. Secur.

[11] Richard J. Enbody et al. Malvertising – exploiting web advertising, 2011.

[12] Mordechai Guri et al. Bridgeware, 2018, Commun. ACM.

[13] Satoshi Nakamoto. Bitcoin: A Peer-to-Peer Electronic Cash System, 2009.

[14] David A. Umphress et al. Information leakage from optical emanations, 2002, TSEC.

[15] Michael Hamburg et al. Meltdown, 2018, meltdownattack.com.

[16] Mordechai Guri et al. xLED: Covert Data Exfiltration from Air-Gapped Networks via Router LEDs, 2017, arXiv.

[17] Mordechai Guri et al. BitWhisper: Covert Signaling Channel between Air-Gapped Computers Using Thermal Manipulations, 2015, IEEE 28th Computer Security Foundations Symposium.

[18] Andrew Lippman et al. MedRec: Using Blockchain for Medical Data Access and Permission Management, 2016, 2nd International Conference on Open and Big Data (OBD).

[19] Mordechai Guri et al. Bridging the Air Gap between Isolated Networks and Mobile Phones in a Practical Cyber-Attack, 2017, ACM Trans. Intell. Syst. Technol.

[20] Mordechai Guri et al. AirHopper: Bridging the air-gap between isolated networks and mobile phones using radio frequencies, 2014, 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE).

[21] Mordechai Guri et al. Fansmitter: Acoustic Data Exfiltration from (Speakerless) Air-Gapped Computers, 2016, arXiv.

[22] Mordechai Guri et al. GSMem: Data Exfiltration from Air-Gapped Computers over GSM Frequencies, 2015, USENIX Security Symposium.

[23] Richard D. Arnold et al. Supply chain risk mitigation for IT electronics, 2010, IEEE International Conference on Technologies for Homeland Security (HST).

[24] Ralph Langner et al. Stuxnet: Dissecting a Cyberwarfare Weapon, 2011, IEEE Security & Privacy.

[25] Markus G. Kuhn et al. Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations, 1998, Information Hiding.

[26] James Gross et al. In VANETs we trust?: characterizing RF jamming in vehicular networks, 2012, VANET@MOBICOM.

[27] Niels Provos et al. The Ghost in the Browser: Analysis of Web-based Malware, 2007, HotBots.

[28] Mordechai Guri et al. An optical covert-channel to leak data through an air-gap, 2016, 14th Annual Conference on Privacy, Security and Trust (PST).

[29] Mordechai Guri et al. ODINI: Escaping Sensitive Data From Faraday-Caged, Air-Gapped Computers via Magnetic Fields, 2018, IEEE Transactions on Information Forensics and Security.

[30] Thomas Peltier et al. Social Engineering: Concepts and Solutions, 2006.

[31] Mordechai Guri et al. PowerHammer: Exfiltrating Data From Air-Gapped Computers Through Power Lines, 2018, IEEE Transactions on Information Forensics and Security.

[32] Stefan Katzenbeisser et al. Covert channels using mobile device's magnetic field sensors, 2016, 21st Asia and South Pacific Design Automation Conference (ASP-DAC).

[33] Diego F. Aranha et al. Platform-agnostic Low-intrusion Optical Data Exfiltration, 2017, ICISSP.

[34] Michael Hamburg et al. Spectre Attacks: Exploiting Speculative Execution, 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[35] Christopher Krügel et al. Detection and analysis of drive-by-download attacks and malicious JavaScript code, 2010, WWW '10.

[36] Angelos Stavrou et al. Malicious PDF detection using metadata and structural features, 2012, ACSAC '12.

[37] Mordechai Guri et al. LED-it-GO: Leaking (A Lot of) Data from Air-Gapped Computers via the (Small) Hard Drive LED, 2017, DIMVA.