Refreshing Memories: #cryptosec recap of 35c3

This year's Chaos Communication Congress has ended, and here is the full list of blockchain and cryptocurrency security-related lectures and content.

The Chaos Communication Congress is an annual conference organized by the Chaos Computer Club. The congress features a variety of lectures and workshops on technical and political issues related to security, cryptography, privacy and online freedom of speech.

wallet.fail

Hacking the most popular cryptocurrency hardware wallets

In this presentation we will take a look at how to break the most popular cryptocurrency hardware wallets. We will uncover architectural, physical, hardware, software and firmware vulnerabilities we found including issues that could allow a malicious attacker to gain access to the funds of the wallet.

Lecture: https://media.ccc.de/v/35c3-9563-wallet_fail

Website: https://wallet.fail

Related content: https://twitter.com/LiveOverflow/status/1078775867348840449

Wallet Security

How (not) to protect private keys

There are multiple different ways to store cryptocurrency secret keys. This talk will investigate advantages and disadvantages of different methods with regards to cryptographic backdoors known as kleptograms.

Lecture: https://media.ccc.de/v/35c3-9492-wallet_security

A Blockchain Picture Book

Blockchain origins and related buzzwords, described in pictures.

Where is the blockchain, how long is it, and what does it have to do with cryptography? And is it really something completely new? I spent a lot of time in pubs explaining to people what this blockchain hype is all about. It turns out that the best way to do that is to use images – literally.

The idea behind this talk is to give you a rough understanding of the scientific background behind the Blockchain tech

Lecture: https://media.ccc.de/v/35c3-9573-a_blockchain_picture_book


Over 200 BTC Stolen in Phishing Attack Against Electrum Users

An ongoing phishing attack has been reported against users of the popular Bitcoin wallet Electrum. This has been confirmed in a tweet by the Electrum group, where they remind users to be vigilant and not download wallets from unofficial sources.

Malicious servers have been deployed that broadcast a crafted error message when they receive a BTC transaction. These messages claim a security update is needed and attempt to get the user to download and install malware, which leads to their accounts being compromised and their BTC stolen.

The error message allows crafted rich text, which enables the use of hyperlinks and other rich media.

It appears the attacker is using the following BTC wallet addresses to move and consolidate funds.

According to the Electrum team, a minor fix has been applied in version 3.3.2 which changes the rich text to plain text. This does not completely mitigate the attack, but it will make it easier to spot a bad actor.
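The same idea, treating a server-supplied error string as untrusted plain text, can be sketched as follows. This is an added example, not Electrum's code; the function name, the length cap and the sample messages are assumptions constructed for illustration.

```python
import html
import re
import unicodedata

MAX_LEN = 200  # assumed cap on how much server text is shown to the user
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+")
TAG_RE = re.compile(r"<[^>]*>")


def render_server_error(raw: str) -> dict:
    """Turn an untrusted server error string into plain text plus warnings."""
    # Drop control/format characters (e.g. bidi overrides) that can disguise text.
    cleaned = "".join(
        ch for ch in raw
        if ch in "\n\t" or unicodedata.category(ch) not in ("Cc", "Cf")
    )
    warnings = []
    if TAG_RE.search(cleaned):
        warnings.append("markup")     # the server tried to send rich text
    if URL_RE.search(cleaned):
        warnings.append("link")       # a broadcast error has no need for links
    if len(cleaned) > MAX_LEN:
        cleaned = cleaned[:MAX_LEN] + " [truncated]"
        warnings.append("truncated")
    # Escape so that even a rich-text-capable widget shows the markup literally.
    return {"text": html.escape(cleaned, quote=True), "warnings": warnings}


# Constructed sample messages (not captured from a real server).
SAMPLES = [
    "bad-txns-inputs-missingorspent",
    '<b>Security update required.</b> Download from '
    '<a href="https://updates.example.invalid/wallet">here</a>',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(render_server_error(sample))
```

A client can use the warnings to refuse to display the message at all, or to show it with a notice that it came from the server and not from the wallet.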

As always, whenever downloading software, make sure you’re downloading it from the official website.

Ethereum Auto-looter: Scrooge McEtherface

Github: https://github.com/b-mueller/scrooge-mcetherface

Scrooge McEtherface is an Ethereum smart contract auto-looter based on Mythril Classic. It attempts to exploit Unprotected Ether Withdrawal (SWC-105) and Unprotected SELFDESTRUCT Instruction (SWC-106).

Disclaimer: This is not a tool to be taken lightly, it can do some damage, for research purposes only! 

The installation is straightforward and does not depend on much outside of a standard Linux install, Python 3, and a node to send transactions; ganache-cli does a great job for this task.

Once the repo is cloned, you’ve installed the required libraries, and verified scrooge runs, you’ll need to set up your network node. For our testing purposes we’ll be utilizing ZeppelinOS as our development platform and ganache-cli as our blockchain provider.

For testing you’ll need two terminal windows, one to run ganache-cli and the other to push to the chain and run testing tools.  

$ ~ ganache-cli 
Ganache CLI v6.2.3 (ganache-core: 2.3.1)


Available Accounts
==================
(0) 0x84f0d3ff8d68a801104b82bf101a7b3f80f2bd41 (~100 ETH)

[...]

Listening on 0.0.0.0:8545

$ ~ zos push -u local

Compiling contracts
Compiling ./contracts/C.sol…

Validating contract C
Uploading C contract as C
Deploying logic contract for C
Created zos.dev-1544137874089.json

Check the output created from zos push for the deployed contract address and use that as your input for scrooge. 

$ ~ head zos.dev-1544137874089.json
{
"contracts": {
"C": {
"address": "0xccdeb362312f6d9d3e6ce2e829b42208ca4c2210",
"constructorCode": "60806040526000805534801561001457600080fd5b50610147806100246000396000f300",
[...]

With this setup you’ll be able to push contracts to your testnet and attack them with scrooge.  

From the example above you can see I’m using a Docker image. The project repository does not currently offer a Dockerfile, nor is there one up on Docker Hub.

Stay tuned for a release of both in the near future!

EVM Packages: On-chain, Immutable, Upgradeable, Package management.

For bad actors with a target, the easiest way in is usually through a trusted third-party. You’ve seen it time and time again in pop-culture and movies. When the protagonist needs to infiltrate a building, they disguise themselves as a pizza delivery and are usually let in after a little bit of scrutiny.

C’mon buddy! I gotta delivery to make!

As seen in the recent security incident with the npm package “event-stream”, it does not take much for an attacker to launch a highly directed attack with huge impact.

Here are the highlights:

  • Heavily utilized library with a small development team (1 consistent author).
  • Maintainership changed hands upon a simple request, with no vetting and minimal noise about it to the community.
  • Source code on GitHub does not have to match the source code deployed to npm libraries.

For the individual developer, it’s near impossible to check every dependency used in a project for signs of compromise – and even more difficult to remain aware of security incidents related to upstream packages!
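The third highlight above is one check that can be automated: hash every file in the published tarball and compare it with the repository at the matching tag. The following is an added example, not part of the original post or of any npm tooling; the function names and the sample files are constructed for illustration.

```python
import hashlib
import io
import tarfile


def diff_package_against_source(tarball: bytes, source: dict) -> dict:
    """Compare a published npm tarball with files from the source repository.

    `source` maps repo-relative paths to file bytes, assumed to be read from
    the git tag that claims to correspond to the published version.
    """
    report = {"modified": [], "only_in_package": []}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            # npm tarballs place every file under a top-level "package/" dir.
            path = member.name.split("/", 1)[-1]
            digest = hashlib.sha256(tar.extractfile(member).read()).digest()
            if path not in source:
                report["only_in_package"].append(path)
            elif digest != hashlib.sha256(source[path]).digest():
                report["modified"].append(path)
    return {key: sorted(paths) for key, paths in report.items()}


def build_tarball(files: dict) -> bytes:
    """Build an npm-style .tgz in memory (used only for the constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo("package/" + name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: repository contents versus what was "published".
SOURCE = {"index.js": b"module.exports = require('./lib');\n",
          "lib.js": b"exports.map = f => f;\n"}
PUBLISHED = build_tarball({
    "index.js": SOURCE["index.js"],
    "lib.js": b"exports.map = f => f; /* changed before publish */\n",
    "extra.min.js": b"/* file that exists only in the registry copy */\n",
})

if __name__ == "__main__":
    print(diff_package_against_source(PUBLISHED, SOURCE))
```

Build steps can legitimately add or change files, so a non-empty report is a prompt for review and not proof of compromise.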

With that we have an interesting new approach to libraries from the OpenZeppelin team: EVM Packages. 

EVM Packages are immutable, on-chain, and upgradeable smart contracts that can be readily imported and used in your projects.

From the README of openzeppelin-eth:

OpenZeppelin is a library for secure smart contract development. It provides implementations of standards like ERC20 and ERC721 which you can deploy as-is or extend to suit your needs, as well as Solidity components to build custom contracts and more complex decentralized systems.


This fork of OpenZeppelin is set up as a reusable EVM Package. It is deployed to the kovan, rinkeby, and ropsten test networks, as well as to the main Ethereum network.

https://github.com/OpenZeppelin/

Some immediate benefits of libraries living on-chain are:

  • Decreased deployment gas costs.
  • Contracts are considered “known good” by the community. 
  • These contracts are upgradeable with no action needed on the part of the dev(s).

The advantages of using on-chain contracts include an immediate impact on the deployment process, opening the door for more robust development, and streamlining of the security update process. The team is also releasing a token (currently in closed beta) to test various ideas around crypto-economic incentives. Maybe we’ll see a platform where developers get paid when their library is used, incentivizing project development and maintenance. Or a consolidation of services from across the web, like bug bounties, threat/intel databases, and identity management.

Whatever comes next from the team at OpenZeppelin, I expect we’ll see more libraries and commonly used smart contracts moving towards this model as the space continues to grow and mature.