There has been some major hype surrounding two security vulnerabilities called ‘Meltdown’ and ‘Spectre’, but what do we really know about them? Cyber security threats are a very serious issue in the cryptocurrency ecosystem. Both investors and firms (exchanges, wallet providers, miners, blockchain technology providers, etc.) alike are concerned about hacks and other attacks that might drain their crypto storage systems, or at least freeze them.
Lately, these concerns intensified after the exposure of Meltdown and Spectre. While there is no evidence of anyone taking advantage of these vulnerabilities yet, under some circumstances, they might become industry’s nightmare. Finance Magnates sat down with Alex Heid, white hat hacker and chief research officer at SecurityScorecard – a leading cybersecurity rating and monitoring platform – to better understand this new threat.
What are Meltdown and Spectre, how do they work, and what harm can they do to crypto traders?
As the time of writing. the Meltdown and Spectre vulnerabilities have not been observed as being exploited in the wild by malicious actors. The recent hype surrounding the disclosure of these vulnerabilities resulted from a published whitepaper and proof of concept tools released by ethical white hat researchers, who sought to prove that the legacy architectures of modern CPUs are vulnerable to a specific methods of attack that they discovered and promptly reported.
These methods of attack were nicknamed Meltdown, and a similar attack was nicknamed Spectre. To emphasize an important point – these two vulnerabilities have not yet been reported as being used by attackers in the wild at the time of writing.
Does it really mean that our storage codes are vulnerable now?
No, Meltdown and Spectre have no impact on cryptocurrency private keys that are properly stashed away in cold storage. Of course, improperly stored cold wallets will always be at risk regardless of the latest emerging technical threat.
The cold storage method is still the best way to store cryptocurrency for long periods of time. Redundant copies of GPG encrypted wallets stored on multiple formats of media in multiple locations is recommended (such USB sticks, physical paper, and/or external SSD hard drives). The use of multiple formats of encrypted media protects the user from accidental data loss due to theft, unforeseen technology changes, and other unpleasant surprises. The Bitcoin Wiki has great information on secure methods for cold storage of cryptocurrency.
So, are cold storage wallets and paper wallets safe?
Cold storage wallets and paper wallets are only as safe as the physical location they are stored in, and as safe as the hardware they are stored on.
While cold storage wallets will protect you from an online theft, it is important to make sure the wallet is encrypted even in cold storage with several copies on various media formats. If someone physically steals the USB or hard drive with an unencrypted wallet, then the attacker can make use of the coins quite easily.
However, if the attacker steals a GPG encrypted wallet file that has been secured with a complex passphrase then the data will remain safe. Multiple copies and formats create a condition of redundancy whereby if copies vanish due to theft, damage, or hardware failure.
Paper wallets are safe as long as they do not physically fall into the possession of a thief or get damaged. While paper wallets are immune from the issues of digital attacks, technology format changes and hardware failure, they are still vulnerable to physical theft, loss, and/or physical damage.
Beyond the danger to private traders, what are the perils for servers and other aggregators of crypto users?
Perhaps the biggest threat to cryptocurrency users is the misplaced trust that is placed in hosted third party wallet services, centralized exchange platforms, and ‘lightweight’ alternative third party wallets that are popular among entry level users (both software and hardware).
Many new users are averse to using the “Core” or “Node” versions of wallets, such as Bitcoin Core, because these implementations require the download of the full blockchain database, which is hundreds of gigabytes and growing. Instead, an observed trend has been for users to make use of third party software and hardware wallet solutions with erroneous assumption that security was baked in to the design of the solution. Unfortunately, many come to this incorrect conclusion based solely on word of mouth, combined with the marketing efforts of the solution provider.
For example, the Electrum wallet software series was recently reported to have had a vulnerability that gave attackers the ability to steal coins through web browser attacks and by connecting into exposed ports on IP addresses in the public internet.
It is reported this week that all Electrum users were open to attack in this way for over two years and it was not fixed until this month.
That discovery and disclosure of the Electrum wallet vulnerability has a significantly bigger impact to the security of the cryptocurrency community than the disclosures of the Meltdown and Spectre vectors, as private keys were used with Electrum are to be considered compromised and potentially already stolen. As per the instructions of the Electrum development team, users should take steps to move their coins into a new wallet if they were on any version released before this month.
Even hardware wallets that promise to store cryptocurrency in secure cold storage have been proven to be vulnerable to attack. Specifically, the Trezor wallet was reported to have a memory dumping vulnerability that would reveal private keys to attackers who had physical access.
Another available solution is the Ledger, which is advertised to be a more secure alternative to the competing Trezor hardware wallet. On the Ledger official website, they recently published a blog assuring the public that their product is not vulnerable to Meltdown or Spectre. However, it appears that Ledger has a ‘feature’ whereby the hardware communicates to an external Ledger API in order to authenticate and unlock access to the coins on the device – and the user interface comes in the form of a Google Chrome plugin.
So what does it mean if Ledger company’s API goes offline for whatever reason? Will users not be able to access their data on the Ledger? If the API endpoint gets DDoSed, would that too prevent users from being able to access their coins? What happens if users are tricked into downloading a backdoored Ledger app from an unofficial extensions/app store?
While the hardware implementations of these wallets is likely highly secure as per vendor specifications, the protocols for use that end users are forced to engage with are where the biggest vectors of risk come into play.
It is an unfortunate reality in the cryptocurrency space whereby many of the available third party solutions end up creating vectors of risk that did not previously exist for products that are not really needed, and don’t solve anything that couldn’t be figured out from reading the Bitcoin wiki or any other crypto community wiki.
Users would never need to expose themselves to these vectors if they took the effort to fully understand the concepts behind cryptocurrency and what makes them revolutionary – encryption, p2p networks, and decentralized databases (aka – the blockchain)
When users give up control of their cryptocurrency to be managed by a centralized third party or a convenient commercial solution, not only is it antithetical to the original idea behind Bitcoin, and the user opens themselves up to the possibility of data loss resulting from any number of common risk vectors that would never be an issue on a proper implementation of a node wallet and GPG encrypted cold storage: application attack vectors, email:password combo attacks, phishing attempts, disgruntled insiders, government raids and seizures, service outages, and the list goes on.
What can one do to protect oneself from those vulnerabilities, in terms of both PC and money storage?
Vendor supplied patches for the vulnerabilities related to Meltdown and Spectre have been made available and are continuing to be released as disclosure rolls forward. Users are advised to implement updates for their chipsets and firmware as soon as possible, as eliminating any vector of risk where possible is always considered best practice.
While these two vulnerabilities have not been implemented in the wild yet, it is only a matter of time before the method is adopted by an attacking group and those who implemented updates will be spared that wave of attack.
Regarding the security of cryptocurrencies stored on a workstation or personal device, the biggest risk to the user has always been a successful malware infection that will obtain the wallet file or private keys (via file searching or memory dumping), as well as the decryption password (via keylogging or memory dumping).
As discussed earlier, the hardware solutions that claim to mitigate this risk introduce other risks – so there is no perfect solution. If a user has a dedicated machine that is used for cryptocurrency and has decent endpoint protection, then the risk of becoming a victim is reduced significantly.
Are there any long-term institutional solutions that are being developed now?
At the time of writing, it appears the best solutions and information available for the secure use and storage of cryptocurrency come from the open source community – which is not surprising considering the open source community is what gave the world cryptocurrency to begin with.
For the average user’s cold storage needs, I encourage becoming familiar with basic open source encryption technologies such as GPG. These days there are dozens of free tools are available for Windows and Mac that make managing GPG files as easy as dealing with ZIP files. Acquiring a basic understanding of GPG files format will go a long way to securing the offline storage of cryptocurrency assets.
Regarding the average user’s wallet needs, I continue to promote the use of official ‘core’/’node’ versions of wallets despite the heavy lifting required for the initial blockchain synch. The use of official node wallets is the most authentic and error free way to use the cryptocurrency protocol – and users are contributing to the overall uptime, redundancy, and speed of network as all node wallets process transaction confirmations while running.
I caution about relying on currently available third party software or hardware that claim to solve existing wallet security problems when the trade-off ends up forfeiting user control of data confidentiality, availability, or integrity. The current lack of available commercial solutions is likely temporary, as the cryptocurrency industry is still in its infancy and the needs of everyone have not yet fully been realized.
Many of the existing third party cryptocurrency hardware/software solutions are designed around ‘ease of use’ principles targeting non-technical audiences. As the marketplace matures along with the personas of the buyer and the vendors it is likely that truly innovative technologies will eventually emerge to address these needs.