From 033287704866d955b3615c71ef1e93dbc1ed9da4 Mon Sep 17 00:00:00 2001 From: Christian Reitter Date: Thu, 1 Feb 2024 14:51:50 +0100 Subject: [PATCH] Blogpost no.5: update technical information --- _posts/2024-01-23-research-update-5.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/_posts/2024-01-23-research-update-5.md b/_posts/2024-01-23-research-update-5.md index 66acf1e..5ad9a6f 100644 --- a/_posts/2024-01-23-research-update-5.md +++ b/_posts/2024-01-23-research-update-5.md 
@@ -18,7 +18,7 @@ Using the newly available information, we managed to reproduce some of their fin ## Vulnerability TL;DR -Open source code shows that [a core component](https://github.com/trustwallet/trezor-crypto-ios/commits/master/) of the `Trust Wallet` app for iOS generated new cryptocurrency wallets using unsafe functions in the `trezor-crypto` library that were not meant for production. As a result, their wallet entropy is based on a weak PRNG with 32-bit state that is seeded with easy-to-guess time values. This makes all wallets generated with vulnerable app versions easy to brute force remotely, like the weak `bx seed` mechanism in Libbitcoin. Both weaknesses were attacked on-chain at the same time in July 2023. +Open source code shows that [a core component](https://github.com/trustwallet/trezor-crypto-ios/commits/master/) of the `Trust Wallet` app for iOS generated new cryptocurrency wallets using unsafe functions in the `trezor-crypto` library that were not meant for production. As a result, their wallet entropy is based on a weak PRNG with 31-bit initial state that is seeded with easy-to-guess time values. This makes all wallets generated with vulnerable app versions easy to brute force remotely, like the weak `bx seed` mechanism in Libbitcoin. Both weaknesses were attacked on-chain at the same time in July 2023. If you want to understand this better, we recommend taking a look at the [Trust Wallet's Fomo3D Summer: Fresh Discovery of Low Entropy Flaw From 2018](https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/) disclosure of the SECBIT team. @@ -34,7 +34,7 @@ The newly disclosed vulnerability comes in two forms. Together with the previous | vulnerable Trust Wallet iOS app - **variant A** | Mid-2018 | `LCG16807` `MINSTD_RAND0`
+ `trezor-crypto` [2e528be](https://github.com/trezor/trezor-crypto/commit/2e528be1e91dd48c0e55061fbdd40ccf8b285559) | this article | CVE-2024-23660 ? | | vulnerable Trust Wallet iOS app - **variant B** | Mid-2018 | `LCG16807` `MINSTD_RAND0`
+ `trezor-crypto` [009850](https://github.com/trezor/trezor-crypto/commit/009850f6c9afcf60b4c6280afd46868b1a7a1fdd) | this article | CVE-2024-23660 ? | -Each weak PRNGs variant make for different ranges of weak wallets. This article is _exclusively_ about the two newly discovered variants, and does not cover the Mersenne Twister based vulnerability. +Each weak PRNGs variant creates different ranges of weak wallets. This article is _exclusively_ about the two newly discovered variants, and does not cover the Mersenne Twister based vulnerability. ## Early Results @@ -44,7 +44,7 @@ srand((unsigned)time(NULL)); ``` `time(NULL)` returns the _seconds_ since 1970-01-01 00:00:00, representing the "random" base for `srand()` to pick the first PRNG state setting. Developers may know this time format as [Unix time](https://en.wikipedia.org/wiki/Unix_time). -For our initial experiments, we assume that the devices running the code had reasonably correct date and clock settings at the time they generated new wallets. The PRNG has a 32-bit state, but we used the known `srand()` behavior to focus our initial search onto a smaller subset of wallets which correspond to certain creation dates. This optimization speeds up the initial work. +For our initial experiments, we assume that the devices running the code had reasonably correct date and clock settings at the time they generated new wallets. The PRNG has a 31-bit state, but we used the known `srand()` behavior to focus our initial search onto a smaller subset of wallets which correspond to certain creation dates. This optimization speeds up the initial work. ### Over 6500 Weak Wallets 🔥 Within the wallet ranges with 12 mnemonic words (128 bits), we found the following:
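Review bot: The first hunk's new wording "31-bit initial state" is inconsistent with the third hunk, which says "31-bit state" for the same PRNG; since `LCG16807` / `MINSTD_RAND0` keeps a 31-bit state for its whole lifetime (its modulus is 2^31 - 1, so the state is never wider than 31 bits), "initial" is misleading here and the two sentences should use the same phrase. Suggest "a weak PRNG with 31-bit state that is seeded with easy-to-guess time values" in the TL;DR so that it matches the later section.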
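Review bot: The second hunk fixes the verb but leaves a number-agreement error in the same sentence: "Each weak PRNGs variant creates" should read "Each weak PRNG variant creates" (singular noun used attributively). While touching this line, note that the surrounding table context still marks both variants with "CVE-2024-23660 ?"; if the assignment is still unconfirmed, the question mark is fine, but it may be worth stating in the prose that the CVE mapping is tentative rather than leaving it to the table alone.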
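Review bot: In the third hunk the corrected "31-bit state" is right for `MINSTD_RAND0`, but the sentence's contrast ("The PRNG has a 31-bit state, but we used the known `srand()` behavior to focus our initial search") conflates state size with seed space: the search reduction comes from the seed being `(unsigned)time(NULL)` (shown in the context line `srand((unsigned)time(NULL));`), so only initial states reachable from plausible Unix timestamps need to be considered, not from the full 31-bit range. Suggest rewording along the lines of "The PRNG has a 31-bit state, but because the seed is a Unix timestamp we can restrict the initial search to the states reachable from plausible creation dates." Mid-2018 timestamps are roughly 1.53e9, below 2^31, so the `unsigned` cast loses no information and the date-based restriction is exact.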