Blogpost no.5: update technical information
This commit is contained in:
parent
2abfff2f92
commit
0332877048
|
@ -18,7 +18,7 @@ Using the newly available information, we managed to reproduce some of their fin
|
||||||
|
|
||||||
## Vulnerability TL;DR
|
## Vulnerability TL;DR
|
||||||
|
|
||||||
Open source code shows that [a core component](https://github.com/trustwallet/trezor-crypto-ios/commits/master/) of the `Trust Wallet` app for iOS generated new cryptocurrency wallets using unsafe functions in the `trezor-crypto` library that were not meant for production. As a result, their wallet entropy is based on a weak PRNG with 32-bit state that is seeded with easy-to-guess time values. This makes all wallets generated with vulnerable app versions easy to brute force remotely, like the weak `bx seed` mechanism in Libbitcoin. Both weaknesses were attacked on-chain at the same time in July 2023.
|
Open source code shows that [a core component](https://github.com/trustwallet/trezor-crypto-ios/commits/master/) of the `Trust Wallet` app for iOS generated new cryptocurrency wallets using unsafe functions in the `trezor-crypto` library that were not meant for production. As a result, their wallet entropy is based on a weak PRNG with 31-bit initial state that is seeded with easy-to-guess time values. This makes all wallets generated with vulnerable app versions easy to brute force remotely, like the weak `bx seed` mechanism in Libbitcoin. Both weaknesses were attacked on-chain at the same time in July 2023.
|
||||||
|
|
||||||
If you want to understand this better, we recommend taking a look at the [Trust Wallet's Fomo3D Summer: Fresh Discovery of Low Entropy Flaw From 2018](https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/) disclosure of the SECBIT team.
|
If you want to understand this better, we recommend taking a look at the [Trust Wallet's Fomo3D Summer: Fresh Discovery of Low Entropy Flaw From 2018](https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/) disclosure of the SECBIT team.
|
||||||
|
|
||||||
|
@ -34,7 +34,7 @@ The newly disclosed vulnerability comes in two forms. Together with the previous
|
||||||
| vulnerable Trust Wallet iOS app - **variant A** | Mid-2018 | `LCG16807` `MINSTD_RAND0`<br/> + `trezor-crypto` [2e528be](https://github.com/trezor/trezor-crypto/commit/2e528be1e91dd48c0e55061fbdd40ccf8b285559) | this article | CVE-2024-23660 ? |
|
| vulnerable Trust Wallet iOS app - **variant A** | Mid-2018 | `LCG16807` `MINSTD_RAND0`<br/> + `trezor-crypto` [2e528be](https://github.com/trezor/trezor-crypto/commit/2e528be1e91dd48c0e55061fbdd40ccf8b285559) | this article | CVE-2024-23660 ? |
|
||||||
| vulnerable Trust Wallet iOS app - **variant B** | Mid-2018 | `LCG16807` `MINSTD_RAND0`<br/> + `trezor-crypto` [009850](https://github.com/trezor/trezor-crypto/commit/009850f6c9afcf60b4c6280afd46868b1a7a1fdd) | this article | CVE-2024-23660 ? |
|
| vulnerable Trust Wallet iOS app - **variant B** | Mid-2018 | `LCG16807` `MINSTD_RAND0`<br/> + `trezor-crypto` [009850](https://github.com/trezor/trezor-crypto/commit/009850f6c9afcf60b4c6280afd46868b1a7a1fdd) | this article | CVE-2024-23660 ? |
|
||||||
|
|
||||||
Each weak PRNGs variant make for different ranges of weak wallets. This article is _exclusively_ about the two newly discovered variants, and does not cover the Mersenne Twister based vulnerability.
|
Each weak PRNGs variant creates different ranges of weak wallets. This article is _exclusively_ about the two newly discovered variants, and does not cover the Mersenne Twister based vulnerability.
|
||||||
|
|
||||||
## Early Results
|
## Early Results
|
||||||
|
|
||||||
|
@ -44,7 +44,7 @@ srand((unsigned)time(NULL));
|
||||||
```
|
```
|
||||||
`time(NULL)` returns the _seconds_ since 1970-01-01 00:00:00, representing the "random" base for `srand()` to pick the first PRNG state setting. Developers may know this time format as [Unix time](https://en.wikipedia.org/wiki/Unix_time).
|
`time(NULL)` returns the _seconds_ since 1970-01-01 00:00:00, representing the "random" base for `srand()` to pick the first PRNG state setting. Developers may know this time format as [Unix time](https://en.wikipedia.org/wiki/Unix_time).
|
||||||
|
|
||||||
For our initial experiments, we assume that the devices running the code had reasonably correct date and clock settings at the time they generated new wallets. The PRNG has a 32-bit state, but we used the known `srand()` behavior to focus our initial search onto a smaller subset of wallets which correspond to certain creation dates. This optimization speeds up the initial work.
|
For our initial experiments, we assume that the devices running the code had reasonably correct date and clock settings at the time they generated new wallets. The PRNG has a 31-bit state, but we used the known `srand()` behavior to focus our initial search onto a smaller subset of wallets which correspond to certain creation dates. This optimization speeds up the initial work.
|
||||||
|
|
||||||
### Over 6500 Weak Wallets 🔥
|
### Over 6500 Weak Wallets 🔥
|
||||||
Within the wallet ranges with 12 mnemonic words (128 bits), we found the following:
|
Within the wallet ranges with 12 mnemonic words (128 bits), we found the following:
|
||||||
|
|
Loading…
Reference in New Issue