Blogpost no.5: update technical information

This commit is contained in:
Christian Reitter 2024-02-01 14:51:50 +01:00
parent 2abfff2f92
commit 0332877048
1 changed files with 3 additions and 3 deletions


@ -18,7 +18,7 @@ Using the newly available information, we managed to reproduce some of their fin
## Vulnerability TL;DR ## Vulnerability TL;DR
Open source code shows that [a core component](https://github.com/trustwallet/trezor-crypto-ios/commits/master/) of the `Trust Wallet` app for iOS generated new cryptocurrency wallets using unsafe functions in the `trezor-crypto` library that were not meant for production. As a result, their wallet entropy is based on a weak PRNG with 32-bit state that is seeded with easy-to-guess time values. This makes all wallets generated with vulnerable app versions easy to brute force remotely, like the weak `bx seed` mechanism in Libbitcoin. Both weaknesses were attacked on-chain at the same time in July 2023. Open source code shows that [a core component](https://github.com/trustwallet/trezor-crypto-ios/commits/master/) of the `Trust Wallet` app for iOS generated new cryptocurrency wallets using unsafe functions in the `trezor-crypto` library that were not meant for production. As a result, their wallet entropy is based on a weak PRNG with 31-bit initial state that is seeded with easy-to-guess time values. This makes all wallets generated with vulnerable app versions easy to brute force remotely, like the weak `bx seed` mechanism in Libbitcoin. Both weaknesses were attacked on-chain at the same time in July 2023.
If you want to understand this better, we recommend taking a look at the [Trust Wallet's Fomo3D Summer: Fresh Discovery of Low Entropy Flaw From 2018](https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/) disclosure of the SECBIT team. If you want to understand this better, we recommend taking a look at the [Trust Wallet's Fomo3D Summer: Fresh Discovery of Low Entropy Flaw From 2018](https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/) disclosure of the SECBIT team.
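Review bot: the new wording "weak PRNG with 31-bit initial state" in the TL;DR does not match the later hunk, which changes the same figure to "a 31-bit state" without "initial"; pick one phrasing so the two sentences describe the generator identically. Since this sentence goes on to say the state is "seeded with easy-to-guess time values", consider putting the emphasis there: the reader's takeaway should be that the effective search space is bounded by the plausible `time(NULL)` values, not merely by the width of the state word. Also note that the table in the next hunk names the generator as `LCG16807` / `MINSTD_RAND0`; referencing that name here would let readers connect the TL;DR to the table.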
@ -34,7 +34,7 @@ The newly disclosed vulnerability comes in two forms. Together with the previous
| vulnerable Trust Wallet iOS app - **variant A** | Mid-2018 | `LCG16807` `MINSTD_RAND0`<br/> + `trezor-crypto` [2e528be](https://github.com/trezor/trezor-crypto/commit/2e528be1e91dd48c0e55061fbdd40ccf8b285559) | this article | CVE-2024-23660 ? | | vulnerable Trust Wallet iOS app - **variant A** | Mid-2018 | `LCG16807` `MINSTD_RAND0`<br/> + `trezor-crypto` [2e528be](https://github.com/trezor/trezor-crypto/commit/2e528be1e91dd48c0e55061fbdd40ccf8b285559) | this article | CVE-2024-23660 ? |
| vulnerable Trust Wallet iOS app - **variant B** | Mid-2018 | `LCG16807` `MINSTD_RAND0`<br/> + `trezor-crypto` [009850](https://github.com/trezor/trezor-crypto/commit/009850f6c9afcf60b4c6280afd46868b1a7a1fdd) | this article | CVE-2024-23660 ? | | vulnerable Trust Wallet iOS app - **variant B** | Mid-2018 | `LCG16807` `MINSTD_RAND0`<br/> + `trezor-crypto` [009850](https://github.com/trezor/trezor-crypto/commit/009850f6c9afcf60b4c6280afd46868b1a7a1fdd) | this article | CVE-2024-23660 ? |
Each weak PRNGs variant make for different ranges of weak wallets. This article is _exclusively_ about the two newly discovered variants, and does not cover the Mersenne Twister based vulnerability. Each weak PRNGs variant creates different ranges of weak wallets. This article is _exclusively_ about the two newly discovered variants, and does not cover the Mersenne Twister based vulnerability.
## Early Results ## Early Results
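Review bot: the rewritten sentence "Each weak PRNGs variant creates different ranges of weak wallets." fixes the verb but keeps the number-agreement error in the subject; it should read "Each weak PRNG variant creates different ranges of weak wallets." While touching this hunk, the two table rows still carry `CVE-2024-23660 ?` in the last column; if the identifier is confirmed, drop the question mark, otherwise a short footnote explaining that the assignment is pending would avoid readers treating it as a typo. "Mersenne Twister based" would also conventionally be hyphenated as "Mersenne Twister-based".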
@ -44,7 +44,7 @@ srand((unsigned)time(NULL));
``` ```
`time(NULL)` returns the _seconds_ since 1970-01-01 00:00:00, representing the "random" base for `srand()` to pick the first PRNG state setting. Developers may know this time format as [Unix time](https://en.wikipedia.org/wiki/Unix_time). `time(NULL)` returns the _seconds_ since 1970-01-01 00:00:00, representing the "random" base for `srand()` to pick the first PRNG state setting. Developers may know this time format as [Unix time](https://en.wikipedia.org/wiki/Unix_time).
For our initial experiments, we assume that the devices running the code had reasonably correct date and clock settings at the time they generated new wallets. The PRNG has a 32-bit state, but we used the known `srand()` behavior to focus our initial search onto a smaller subset of wallets which correspond to certain creation dates. This optimization speeds up the initial work. For our initial experiments, we assume that the devices running the code had reasonably correct date and clock settings at the time they generated new wallets. The PRNG has a 31-bit state, but we used the known `srand()` behavior to focus our initial search onto a smaller subset of wallets which correspond to certain creation dates. This optimization speeds up the initial work.
### Over 6500 Weak Wallets 🔥 ### Over 6500 Weak Wallets 🔥
Within the wallet ranges with 12 mnemonic words (128 bits), we found the following: Within the wallet ranges with 12 mnemonic words (128 bits), we found the following:
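Review bot: the sentence "`time(NULL)` returns the _seconds_ since 1970-01-01 00:00:00" should say the epoch is in UTC, because the very next paragraph reasons about devices having "reasonably correct date and clock settings"; `time()` counts from the UTC epoch regardless of the device's time zone, so only the clock's offset from true time matters, not its configured zone. The "31-bit state" change itself is fine here, but the phrase "but we used the known `srand()` behavior" leaves implicit what that behavior is; spelling out that `srand((unsigned)time(NULL))` maps each creation second to exactly one initial state, so a date range maps to a correspondingly small set of candidate states, would make the optimization self-explanatory.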