Another week, another security upset in the blockchain space. This time it involves a supposed “blockchain bandit” who has been guessing private keys and stealing investors’ Ether. An independent security firm out of the United States established that approximately 700 weak private keys were in use. The bandit gains access to these funds by “ethercombing”, a new term for how this bandit continues to “find” private keys and siphon off the funds almost instantly.
Private keys for most of the major blockchains are 256-bit numbers. Certain sub-regions of that key space, which the key-generation algorithm may produce, are easier to attack with brute force. Anyone trying the same search across a larger “region” would be statistically unlikely to gain access to any Ether.
Weakness of the Wallets
Keys in this subregion are considered faulty, and probably shouldn’t have been generated in the first place. This is especially dangerous when your private key is basically your username and password at the same time. Just knowing a key exists in a certain region is a security risk.
So picture this: if multiple people are using the key equivalent of “password” or “123456”, then they would all technically have the same bank account. All their funds would be co-mingled, and there would be a major issue. When researchers at Independent Security Evaluators (ISE) were able to discover 732 different keys that had this significant overlap and should never have been generated in the first place, they knew there was a problem.
Then they noticed something:
“There was a guy who had an address who was going around and siphoning money from some of the keys we had access to. We found 735 private keys, he happened to take money from 12 of those keys we also had access to.”
Basically, someone had figured out how to swipe funds from all the addresses with weak keys. As a result, these funds were being siphoned off in a matter of seconds. This is essentially the fault of the wallet creators for allowing such weak private keys to be created. The hackers have come up with an ingenious way to steal 45,000 ETH (approximately $7.5 million at current ETH prices), but these keys should never have been generated. This is yet another reason to make sure you use a reputable Ether wallet for storing your cryptocurrency.
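A wallet can refuse to hand out keys from such a sub-region. The following is an added example, not code from ISE or from any wallet project: a validation step that rejects a candidate key that is outside the valid range, has too few significant bits, or is built from a repeated byte pattern. The 200-bit threshold and the two-distinct-bytes rule are assumed policy values, and the sample keys are constructed for illustration.

```python
import secrets

# Order of the secp256k1 group used by Ethereum and Bitcoin; valid keys are 1..N-1.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
MIN_BITS = 200  # assumed policy threshold, not taken from the article


def key_problems(key: bytes) -> list[str]:
    """Return reasons a candidate private key should be rejected (empty = OK)."""
    if len(key) != 32:
        return [f"length is {len(key)} bytes, expected 32"]
    problems = []
    value = int.from_bytes(key, "big")
    if not 1 <= value < SECP256K1_N:
        problems.append("outside valid range 1..N-1")
    if value.bit_length() < MIN_BITS:
        # Leading zero bits mean the key lives in a tiny, searchable region.
        problems.append(f"only {value.bit_length()} significant bits")
    if len(set(key)) <= 2:
        # Assumed heuristic: padding or fill patterns, e.g. all 0xFF.
        problems.append("built from at most two distinct byte values")
    return problems


def generate_key() -> bytes:
    """Draw keys from the OS CSPRNG until one passes every check."""
    while True:
        key = secrets.token_bytes(32)
        if not key_problems(key):
            return key


# Constructed sample inputs, not keys from the ISE research.
SAMPLES = {
    "value 1": (1).to_bytes(32, "big"),
    "truncated to 32 bits": (0xDEADBEEF).to_bytes(32, "big"),
    "all 0xFF": b"\xff" * 32,
    "fresh CSPRNG key": generate_key(),
}

if __name__ == "__main__":
    for label, key in SAMPLES.items():
        print(f"{label:22} -> {key_problems(key) or 'ok'}")
```

Running the same check over imported keys, not only freshly generated ones, catches keys created by an older or faulty generator.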
Additionally, 152,000 Electrum Bitcoin wallets have been infected by a Denial-of-Service attack on their servers. This hack is still being investigated, but it seems like the hackers have been able to replace the Electrum servers with their own, initiate a “software update”, and co-opt funds.
Private Blockchain Risks
These are the risks to public blockchains, but private blockchains have their own problems as well. Moody’s Corporation has released a report detailing how private blockchains have significant fraud risk because of their centralized nature.
Much of the reason blockchains are so powerful is that they are decentralized and carry minimal governance risks. The opposite is true of these private blockchains, and that’s where they may be buying into the hype too much.
With many global entities looking for ways to capitalize on the emergence of blockchain technology, it seems like they might actually be regressing by implementing this technology. They may have the goal of hooking specific market sectors who are looking for a blockchain solution they can trust, but this does come with risks to the providers.