Adrian Bednarek is a CISO/Security Researcher at Overflow Labs, Inc. He specializes in application security, reverse engineering proprietary software, and communications protocols. He has been an invited speaker to DEF CON 25 and RSA Conference 2018/2020 where he shared his previous experiences and custom tools in exploiting virtual economies and popular password managers. At Overflow Labs, Bednarek is working with a dream team of engineers to create a platform for managing next generation virtual economies.
About the talk
Adrian Bednarek, CISO, Overflow Labs, Inc. - Top Rated Speaker
The uniqueness of a private key is all that protects assets on a blockchain. With hundreds of millions of Bitcoin/Ethereum accounts it is likely that mistakes were made in generating private keys. In this session we will go over how to generate a Bitcoin/Ethereum key and how we scanned 34 billion keys, which resulted in the discovery of 732 private keys.
Hello, everybody. Today's talk is on blockchain security, guarantees that next points from what I understand. There's a live Q&A session going right now as the talk is being streamed. So I'll be happy to take any questions as this talk is going on. My name is Adrian Bednarek. I am the CISO at Overflow Labs. I am into reverse engineering weird stuff, anything from proprietary code, digital assets, anything blockchain, and virtual economies. I have a pretty long history in playing virtual economies.
And what that basically means is reverse engineering how the technology behind them works, finding out how client-to-server communication works and how that could be manipulated to create functionality in a system that was beyond the intent of the developers. And I participated in the virtual economies of MMORPGs, massively multiplayer online role-playing games: World of Warcraft, which is pretty similar to which allow people to go bankrupt online, WildStar, Elder Scrolls Online and a couple dozen more. Today's agenda
will be blockchain, and any blockchain that uses elliptic curve cryptography. We will take a fun, quick cryptographic primitives crash course. It's a very math-intensive field. It takes years before a cryptographic mechanism is validated. There is a peer review. And once that is validated by the peers and it's released to the public, there is a sink-or-swim public education: is it easy to use by developers, is it not resource-intensive on computing devices, is it easy to use.
Are there a lot of flu shots that developers can make mistakes on? How cryptographic systems fail, and succeed. And then we'll also talk about and explain the weakness, specifically on the Ethereum blockchain. But again, this could apply to any blockchain that uses ECC. Why this talk right now? Blockchain: it's not going away. And even when using the right choice, mistakes will be made, but we will still blame. It's also that age-old way of thinking: it's never my fault. It's always
at Old fault. We will examine the importance of randomness in cryptographic private keys. And then for the things we want, and how we stumbled into somebody we dubbed the Blockchain Bandit that possesses over $119 worth of stolen. So this talk is based on some research I did at my previous job at Icy in Pennsylvania, Valley, Raiders. And the timeline is this: in August 2018, I started this project call Dietrich home and it was basically how to find private keys on the public
blockchain. We will go into the details of that throughout the talk. In January of 2019, a white paper drafting, and I found out how fun it is to create white paper drafts and go over menu menu, ordering some Phillips. Massage that into something that looks and feels like a white paper. That's why I was in February of 2019. We were faced with a question: do we publish this? Anytime you're doing research, especially research related to the security field on the stereo system, by publishing it, you always have to ask yourself: will you give bad
guys ammo? Will they take this research and use it to cause harm? Tell your mother on college for a little bit and then we did some tests. And through our testing, we found that this was being exploited actively in the wild. So by publishing it, you know, we raise awareness and help protect people. So in April 2019, we went and published a white paper. And it got picked up by a king choir.com and then got picked up by a dozen or so other news outlets. In early
2021, I started a new company with some friends called Overflow and we did a refresh on the original research and that's what really got me. So let's get over with the boring or fun stuff, depending on your perspective: cryptography and blockchain primers. Also, concepts; we'll go through these very quickly. Asymmetric encryption: the key concept here is that you have a private and public that secret. Public beta sign with a public key. A hash function: a hash function takes a variable-sized input and generates a random fixed-length value. The most common one right now is
SHA-256. Before that will show 120, which Google ask Collision on 128 is considered. The result value. SHA-256 is still going good and strong. Entropy, one of the key concepts of this talk: entropy is the measurement of randomness. If you have some random data, the random data's distribution should be uniform amongst all the possible values. Here we see a green line in the graph. That's completely fine for uniform distribution. And the free sample, the rain man in there that generated you can
see there's very little variation. There are a lot of statistical tests to mathematically prove that something is random or not. But, you know, visually you can take a glimpse and say, hey, this is pretty random; it closely matches the continuous uniform line. Again, if you have something that's low entropy, the deviation between the sample random data and the expected continuous uniform random data is going to be obvious; there are just going to be obvious deviations. And if you were to map just random data to a 3-dimensional cube, completely random
data should appear to be like fog, a volumetric fog. Like if you had a cube of just, like, mist or fog. If there is a low-entropy system generating the random numbers, the low entropy will be obvious. You can see stripes and dark markings here, which indicates that, you know, things aren't as random as they should be. And this is a huge rabbit hole. Signature algorithm: the foundation of, specifically, Ethereum and Bitcoin, which use a specific curve primitive called secp256k1; nearly all other blockchains use this or some
other variation of it. The gist here is that you create a private key that creates a point on the curve. And that point on the curve is used to calculate a different point on the curve. That second point: you cannot do any math, or you cannot derive that first point. The second point on the curve cannot be used to work backwards and find the first point on the curve, which was derived from your private key. So, with all these concepts, we have the blockchain. Hello.
The transactions are secured by hashing and signing. The critical input to a blockchain stems from a user-generated private key, and it's highlighted in red here because we are about to dive into what happens if there are mistakes made. Blockchain addresses and private keys: this is a lot of data, but we'll walk through it from top to bottom. So, on the top here, you have a randomly generated private key. How to get a public Ethereum address: there's three steps. One, you have the private key, then you use the elliptic curve, secp256k1, in one direction to get your public
key. Then you perform a hash function, Keccak-256, to hash the public key to a value, which is this here. Then the lower 20 bytes of this value is your Ethereum address, and this is the address, the public one, that you give to your friend and be like, hey, please pay me some Ethereum to this address. This is the address in red here that you give to them. So let's go through it again, step by step. Step 2: you derive the elliptic curve public key from your private key. So you do the secp256k1 to get a public key
and then you get a 64-byte value back. Then you take the 64-bit value and then you perform a hash on it through Keccak-256 and then you get 32 bytes back. The lower one is your Ethereum address. It's pretty straightforward if you abstract it away like that. The math behind this is very complex and would take dozens of years to study. Private keys are supposed to be random. We know are Stampy made. From here on, caution here, a disclaimer: this isn't a "the sky is falling" moment. So to the spider-verse from
here on the focus is on the Ethereum blockchain, but the same concepts apply to other ECDSA blockchains such as Bitcoin, Neo stash, Neo, XRP, and a dozen or so others. The journey here that we're about to take over the next dozen or so slides will show that we were able to discover weak private keys, and this doesn't mean that the Ethereum blockchain is broken, or any other blockchain based on ECDSA is broken. It's just to highlight the importance of truly random private keys and verifying that private keys are generated randomly.
So, now what? We know how to create a private key. We know how to transform that private key to a public key using the ECDSA curve, and then we know how to derive an address from that. So let's play the hacker's favorite game, "what if". Typically when I'm hacking a system, the first thing I do is I learn how the system works, and then I go: what if we do this, what if we do that? Then you test it out and see if you get unexpected behavior. So with this knowledge, let's play "what if". What if we have
errors generating random keys? Errors and codes are pretty,? Typically when you run some code and it errors, you get an error code. What happens if you use the error code as your private key? What happens if you just by some chance generate a private key of one? Now, this is a valid private key, which is interesting enough. But it's also highly unlikely. So let's take the private key of one and do all the proper transformations, and we get the public key,
that starts in 75 and ends in PDF. And if we go to a blockchain explorer, 330mm in this example, again, we can see if any transactions occurred on this public key. So for a private key of one, we can see that there were 635 transactions. So this is the aha moment where it gets interesting: somebody used the private key of 1, and 635 transactions occurred. So, what if you look at, you know, the private keys of 2, 3, 4, 5 and so on? Remember, the private key space is 256 bits. That's roughly the amount of atoms in the universe.
We can't possibly enumerate every single key in that key space because there isn't enough energy in the universe to do that. So what we did in this research is we broke the 256 bits into eight 32-bit chunks. I'll illustrate what I mean by that. So here are the first four chunks that we scanned. So first, we scanned 32 bits, this very first part of this key; it's called a 32-bit, it's called a DWORD in computer lingo. So we scanned the first DWORD, then we scanned the second DWORD, the third DWORD, the fourth DWORD, and
going forward, the fifth, sixth, seventh, or eighth DWORD. And just to make it crystal clear: each highlighted range is 32 bits, and that's roughly 4.2 billion possible private keys per range. So, to make this more concrete, for the first group, the range is going to be from 1 to FFFFFFFF. FF... is hexadecimal for 4.2 billion and I forgot the rest of your point to 9 billion. So we do the same thing in group B, where we just shift everything to the next DWORD in the key space, and so on in group C. Middle groups B, E, F, and G.
About this: to scan 32-bit keys is a pretty resource-intensive task. For a single core on a computer, you can scan, in a well-optimized way, I was running Node.js, I was getting about 30,000 keys per second. So what I did was I spun this up in the cloud, and Google is nice enough to give you cloud credits for new accounts. So they gave me $300 worth of credits and I used this as a place to find weak keys. Basically what I did is turned $300 worth of credits into finding
empty blockchain wallets. So, the results in group A: from the private key of 1 to 4.2 billion, we scanned every single one, and we found a few hundred private keys. Each represents a match, or a key that was used to conduct a transaction on the public blockchain. So, for example, right here on the line, you see the private key of one that was used, and there's a very interesting, obvious pattern around here. And this is around the FF hex; that's small, and that's the upper bound of an 8-bit, 8-bit hexadecimal byte,
somewhat interesting, because after you go past that point it gets pretty sparse. I'm not sure why that is; it's just something interesting to note. The center groups, A, B, C, D, E, F, G: we found only four keys. Here they are, plotted at their respective offsets. There's a big red arrow pointing to this key. This is a very interesting key that I'll get to in a couple of slides. So do remember the big red arrow pointing to that guy; we'll reference that guy over and over again. So, group H, the very last group in the 256-bit key space:
We did the same thing, scanning 4.2 billion keys in that space. And we found a couple hundred more keys; most of them seem to be clustered very close to the upper bound of that DWORD. If we were to reverse this graph, it would probably be the same case as in the first group, where most of the keys were within that first byte. There's probably some little-endian thing going on where things get shuffled around based on how the keys are generated. So that's another rabbit hole to dive down, as to why these keys are grouped
in certain ways. So, the full results: we found 732 private keys. These keys were involved in 50,000 transactions. And these also happened to have tokens associated with them. And there are 60 million tokens that were actually active. Like, you could have gone and transferred them out; nobody really bothered to interact with these. And originally, when we conducted this research, we thought we would find some Ethereum, which presents an interesting legal and ethical
problem. When you interact with a blockchain and generate a private key, the key space is known: your private key is going to be some value between one and the upper bound of a 256-bit number. What if you by chance come across a private key that somebody else used? Technically it's, you know, it's found property in public. "Finders keepers, losers weepers" applies on the blockchain, but there are some interesting legal implications on what to do if, you know, on the off-chance, you generate a cryptocurrency wallet, and then you happen to see that the wallet that was brand-new
has a balance. Let's say you create a Bitcoin wallet and it has 10,000 Bitcoin on it because your private key collided with somebody else's private key. What are the ethics of, you know, dealing with that situation? I think it's pretty interesting. But anyway, we found 732 private keys with transactions and a zero balance. And this is the totality of our findings in this cool little chart. So anyway, that awkward moment when you bump into a real bandit. Remember that guy? So, that represents an offset
in the key space of group G. We know the private key. The public key is this. So what we're looking at here is a transaction from somebody to somebody with a pretty small value, about $7. The "from" is a private key that we know, because we happened to collide with it. Somebody transferred money out of that known private key to somewhere else, to this address, this address that starts in 957 and ends for 6 will be righteous. And who is that guy? So we went on the
blockchain explorer and we punched in that address. And then we found out that that person that interacted with a private key that we also found lose Soundgarden Secretary of from it. That guy has a balance of 44000, which today is worth a hundred five million dollars. Digging around some more, we found that this person was basically vacuuming up, recycling, or looting; stealing is a strong word. Basically, finding collisions in the private key space, he was taking little bits of Ethereum here and there, in an automated fashion. What we did one day, as a
test, to see how active this person is: we created a new wallet within a key space that exists in a part of the key space that is known to have low entropy. So anyways, we created a wallet with a bad private key and we sent a dollar to it, and instantly this guy took that dollar out of it, you know, within half a second. So this person is looking over, monitoring for weak private keys in an automated fashion, and he's very active. And that's all we know. The identity of this person is not known,
and he's still active. As of last night, I was checking, and he was still active. So it could be stealing or bleeding of these private keys, amassing hundreds of millions of Irish without knowledge. So, well, we know, we enumerated those private keys. We found transactions that were committed on them. We found the bad guy that was, like, looting all of these keys, Verizon $1 in his wallet. So what else can we look at? We know that the address is derived from
a Keccak-256 hash of the public key. What if the public key is null, which happens a lot in programming land? You initialize a variable and you forget to assign it a value. Say you have an empty public key, and then you get a value that starts in DCC and ends in 470. We looked this up and we saw that there was for you to do things actions performed on an address that was derived from a null public key. And this address has a balance of Italian cooking either, which is about 1.4 million dollars. And this is money lost forever, because I'm not sure how we'd find the public
or private key that would provide an address derived from a null public key. That's another interesting rabbit hole to dive down into. And to this address that was derived from the null public key there were also pretty big transactions. I redacted the name here because it was a major exchange that's based here in the US, and then they know a fraction of that's about a million are supposed to be either that will ever lost by accident by a major exchange. So, like I said, this is based on research that was conducted in 2019. And here we are in 2021. What changed? Back then we
discovered 732 keys. Now we discovered 859. Back then there were 49,000 transactions. Now we have almost 57,000 transactions. Back side of e-file 323 Now we found a 228 for the Syrian. Meaning that if back in 2019 we kept our software running and, having found all these private keys, monitored for transactions going into the private keys, we could have looted close to four hundred thousand plus dollars, but somebody else is doing that. So, the gist of the story is that private keys are high-value assets. One way people go about
protecting their private keys is to generate a paper wallet. Typically the way you do this is you download some open source software and you put it on a USB stick. Then you walk over to an offline computer to generate the private key and the public key. And then you get, like, a piece of paper you can print out or jot down or whatever that will have your private key. It never touched an internet-connected computer, which is really important. And then you can, like, cut this off and share the public address, because if you want to receive funds you can share
this with your friends on the internet, Banger, blog, whatever, and say, hey, send me some Ethereum. The key concept here is that the private key exists on an offline computer that never touched the internet. You'd think that's pretty safe, right? So we saw two instances where paper wallets were compromised. The first one, which is pretty interesting: bitcoinpaperwallet.com. That developer injected malicious code into the source code that was very obfuscated and hard to audit. And when people eventually
figured out what the obfuscated code was doing, it was basically generating random seeds for random private keys in a deterministic way that was known only to the attacker. So even though you ran the software on an offline computer, a computer that never touched the internet, the way the private keys were generated was known to his algorithm. Therefore, he was able to reproduce the same thing on his end to find key collisions. And this has been discovered to be active since 2018; over $16 US dollars were stolen. And as of right
now, I believe this is an ongoing investigation. The other interesting case is iotaseed.io. IOTA, I think, was or is another cryptocurrency. Again, it's an open source project, which I think is pretty funny, because people usually think open source is more secure because there's more eyes on it, right? But if everybody says the exact same thing, then nobody's looking at it. So it was an exploit that was implanted into the source code. People saw it was open source, so they're like, this must be legit because, you know, there's a lot of eyes
on this, but turns out people that really want to dive into what this obfuscated code was doing, because it looks pretty innocent. Again, the same result was there: this obfuscated code generated random keys deterministically that were only known to the attacker. So the attacker could reproduce the random key generation on his computer to create some people in person stole over ten million dollars. And I do believe he was arrested by Interpol. I do believe he was in terminal. He's having a car problem right now.
Other interesting threats against offline key generation: emissions. Several are familiar with Spectre and all these hardware bugs that allow processes to snoop on other processes and how they're processing, and read memory from privileged areas of the system. But here's a completely different way of attacking things, and that's using electromagnetic emissions from, let's say, your DVI cable or maybe your HDMI cable. HDMI might be old, but we're
definitely VGA, DVI cables like that, that you connect your monitor with. People are able to use off-the-shelf hardware to spy on these radio emissions from a distance, as much as, like, ninety to a hundred feet, and they use the software that was created by this guy in this office, called TempestSDR. With off-the-shelf hardware, you use the software called TempestSDR and you are able to recreate what somebody else sees on a monitor from up to a hundred feet away. So in this example,
this monitor on the left is displaying an example of a password, and on the right you can see the TempestSDR software using off-the-shelf hardware to recreate what the other monitor is displaying. That's not very clear, but it's clear enough. And if you had better hardware, find Candace Hospital them, or you could get a pretty accurate representation of what's on the screen. So if you are dealing with high-value assets that are protected by private keys, passwords, any piece of data that
can give you access to these high-value assets, you always have to consider: is the equipment I'm using able to transmit visible data, you know, outside my building, outside my room, things like that? I have to understand all the possible threat vectors. I thought this one was pretty interesting, especially since they were able to use off-the-shelf equipment to snoop or spy on screens from a hundred feet away. So, what now? It's also interesting that blockchains have built-in bug bounties.
And what I mean by that is blockchains hold valuable data, and so they're being attacked constantly. If you find an exploit in a blockchain, a weakness can be monetized within minutes or instantly. There's a really good article called "Ethereum is a Dark Forest" that kind of illustrates this example, where there are basically, essentially, bots that are running automated fuzzing on transactions, smart contracts, and other blockchain-specific technologies to automatically discover exploits and then
siphoning funds out. I'm trying. For that services. That anything that handles valuable data is a target, especially when you're talking about, you know, a 256-bit key that protects a lot of assets. So what's next? How could you apply what we talked about here in this talk? The main thing is to ours and verify. Use well-known cryptographic libraries. To bring up the old saying, you know: don't roll your own crypto, and that's true for a reason, because it's very easy to make
mistakes. Random number generators: this is an interesting one. But, you know, you only want to use cryptographically secure random number generator methods, and that's true for blockchains. And let's say you're building some software that serves web data or manages sessions: you don't want your sessions to collide. You don't want somebody logging in and getting a session based on a bad random number that will collide with somebody else's session. Because I've seen this in the past, where customer A will log in and they will see customer B's data, and you get into some interesting
issues and a lot of paperwork. One way to avoid this is to use multiple sources of entropy. The other thing you can do is, you know, perform your static analysis on source code and do runtime dynamic analysis on the binary code. I mean, static analyzers are pretty good at, like, picking up dodgy things, but doing the dynamic analysis on what's actually generated, and testing and benchmarking the functionality to make sure it's within the spec that the developers designed, it's
really important to verify that at run time also. And you also want to bake security into the CI/CD pipeline. Do static analysis. And when distributing high-value builds, or builds that are used by a large number of people, you know, use deterministic builds to verify that the code supply pipeline wasn't compromised at some point by a malicious insider: yes, this thing was built, and all of our builds match and are therefore verified, and therefore we can ship it
using, don't mostly juice. Do enforce signed commits. Are we saying, right? In the case where a developer is compromised and their workstation was used to commit code to your GitHub repo, which was then later distributed out to the public, some pretty good arm and some pretty good. How about there? Do review code merges and pull requests. I've seen several cases where people just merge requests without, you know, thoroughly reviewing the code, and malicious code gets introduced into the system, a couple things.
So it's really important to do a thorough review, especially when you're dealing with a ditz be after this from an open-source project or a community project. Do harden workstations, especially in today's home office environment. Like the first point: you've seen the workstation being compromised that was used to commit code to GitHub repos, which was then used to distribute code in a widespread way. When dealing with cryptographic systems, do review the NIST cryptographic standards
and everything. I think I have one here. That's a really long PDF. It's good reading material if you want to fall asleep at the total amount of the phases of. Really good guidance on how to use cryptographic systems, what to look for and things like that. Do follow NIST-recommended test suites. Whenever you're building something, you want to test individual components that are your blinkers off. Strickman test. We will help you with that will help guide you through the whole process.
But in the end that were in the Suzuki outside-the-box thinking is crucial; check-the-box compliance is secondary. And what I mean by that is, I've seen a lot of systems where auditors passed everything: all the boxes were checked, you know, it met all the requirements. But then doing a hands-on assessment, or sending it off to an assessment company, and it comes back with really cool issues in the system. So check-the-box compliance is nice for its own purposes. But you always have to test and verify the system, that, you know, it can't be
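Added example, not code from the talk or its slides: the private key to public key to Keccak-256 to lower-20-bytes derivation described in the transcript, used as a generation-time check that rejects keys with at most one non-zero 32-bit word (the class the research scanned) and exposes the address an empty public key hashes to. All function and constant names are illustrative, and the curve and Keccak routines are compact study implementations, not an audited library.

```python
import secrets

# Added example; names are illustrative. secp256k1 domain parameters:
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p, q):
    """Add two curve points; None is the point at infinity."""
    if p is None or q is None:
        return q if p is None else p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    if p == q:
        m = 3 * p[0] * p[0] * pow(2 * p[1], -1, P)
    else:
        m = (q[1] - p[1]) * pow((q[0] - p[0]) % P, -1, P)
    x = (m * m - p[0] - q[0]) % P
    return x, (m * (p[0] - x) - p[1]) % P

def public_key(k):
    """Double-and-add k*G. Not constant time: for checking, not signing."""
    result, addend = None, G
    while k:
        if k & 1:
            result = _add(result, addend)
        addend, k = _add(addend, addend), k >> 1
    return result

def _rol(x, n):
    return ((x << n % 64) | (x >> (64 - n % 64))) & (2**64 - 1)

def _keccak_f(a):
    """Keccak-f[1600] permutation on 25 lanes indexed x + 5*y."""
    rc = 1
    for _ in range(24):
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]  # theta
        x, y, cur = 1, 0, a[1]
        for t in range(24):  # rho + pi
            x, y = y, (2 * x + 3 * y) % 5
            cur, a[x + 5 * y] = a[x + 5 * y], _rol(cur, (t + 1) * (t + 2) // 2)
        a = [a[i] ^ (~a[(i + 1) % 5 + 5 * (i // 5)] & a[(i + 2) % 5 + 5 * (i // 5)])
             for i in range(25)]  # chi
        for j in range(7):  # iota
            rc = ((rc << 1) ^ ((rc >> 7) * 0x71)) % 256
            if rc & 2:
                a[0] ^= 1 << ((1 << j) - 1)
    return a

def keccak256(data):
    """Original Keccak-256 (pad 0x01..0x80); hashlib.sha3_256 pads differently."""
    rate = 136
    buf = bytearray(data) + b"\x01" + bytes(rate - 1 - len(data) % rate)
    buf[-1] |= 0x80
    state = [0] * 25
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):
            state[i] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        state = _keccak_f(state)
    return b"".join(lane.to_bytes(8, "little") for lane in state[:4])

def address(k):
    """Private key -> 64-byte public key -> Keccak-256 -> lower 20 bytes."""
    x, y = public_key(k)
    return "0x" + keccak256(x.to_bytes(32, "big") + y.to_bytes(32, "big"))[-20:].hex()

# Address produced when an empty (uninitialised) public key is hashed.
NULL_PUBKEY_ADDRESS = "0x" + keccak256(b"")[-20:].hex()

def is_weak_key(k):
    """True if k is out of range or has at most one non-zero 32-bit word."""
    if not 1 <= k < N:
        return True
    words = [(k >> (32 * i)) & 0xFFFFFFFF for i in range(8)]
    return sum(1 for w in words if w) <= 1

def generate_key():
    """Draw from the OS CSPRNG and refuse anything in the weak class."""
    while True:
        k = secrets.randbelow(N - 1) + 1
        if not is_weak_key(k):
            return k
```

A wallet or payment flow can compare any derived or destination address against `NULL_PUBKEY_ADDRESS` before funds are sent, since nothing sent there can be recovered.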