Article no.5: rename iOS, improve graphs, clarify descriptions
parent
8c22c74b88
commit
e559611104
|
@ -5,7 +5,7 @@ author: ["Christian Reitter"]
|
|||
date: 2024-01-23 17:00:00 +0000
|
||||
---
|
||||
|
||||
Last Friday, we learned of a [newly disclosed vulnerability](https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/) in the `Trust Wallet` software which is relevant to Milk Sad. Researchers from [SECBIT Labs](https://secbit.io) tracked down an older wallet generation weakness in the IOS platform version of `Trust Wallet` from 2018 and connected it to the large thefts on 2023-07-12 that triggered our Milk Sad research.<br/>
|
||||
Last Friday, we learned of a [newly disclosed vulnerability](https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/) in the `Trust Wallet` software which is relevant to Milk Sad. Researchers from [SECBIT Labs](https://secbit.io) tracked down an older wallet generation weakness in the iOS platform version of `Trust Wallet` from 2018 and connected it to the large thefts on 2023-07-12 that triggered our Milk Sad research.<br/>
|
||||
Using the newly available information, we managed to reproduce some of their findings, and can give a first look at additional data we collected.
|
||||
|
||||
<div id="toc-container" markdown="1">
|
||||
|
@ -18,7 +18,7 @@ Using the newly available information, we managed to reproduce some of their fin
|
|||
|
||||
## Vulnerability TL;DR
|
||||
|
||||
Open source code shows that [a core component](https://github.com/trustwallet/trezor-crypto-ios/commits/master/) of the `Trust Wallet` app for IOS generated new cryptocurrency wallets using unsafe functions in the `trezor-crypto` library that were not meant for production. As a result, their wallet entropy is based on a weak PRNG with 32-bit state that is seeded with easy-to-guess time values. This makes all wallets generated with vulnerable app versions easy to brute force remotely, like the weak `bx seed` mechanism in Libbitcoin. Both weaknesses were attacked on-chain at the same time in July 2023.
|
||||
Open source code shows that [a core component](https://github.com/trustwallet/trezor-crypto-ios/commits/master/) of the `Trust Wallet` app for iOS generated new cryptocurrency wallets using unsafe functions in the `trezor-crypto` library that were not meant for production. As a result, their wallet entropy is based on a weak PRNG with 32-bit state that is seeded with easy-to-guess time values. This makes all wallets generated with vulnerable app versions easy to brute force remotely, like the weak `bx seed` mechanism in Libbitcoin. Both weaknesses were attacked on-chain at the same time in July 2023.
|
||||
|
||||
If you want to understand this better, we recommend taking a look at the [Trust Wallet's Fomo3D Summer: Fresh Discovery of Low Entropy Flaw From 2018](https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/) disclosure of the SECBIT team.
|
||||
|
||||
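Review bot: The `[a core component]` link on the changed TL;DR line points at the `commits/master/` listing of `trezor-crypto-ios`, which shows whatever is newest on that branch rather than the code being described. The variant table later in this article pins its `trezor-crypto` references by commit hash; consider doing the same here so the reference stays stable for readers.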
|
@ -31,8 +31,8 @@ The newly disclosed vulnerability comes in two forms. Together with the previous
|
|||
| Issue | When | Characteristics | Research |
|
||||
| -- | -- | -- | -- | -- | -- | -- |
|
||||
| vulnerable Trust Wallet browser extension | 2022/2023 | Mersenne Twister based | [research update #2]({% link _posts/2023-12-06-research-update-2.md %}) |
|
||||
| vulnerable Trust Wallet IOS app - **variant A** | Mid-2018 | `LCG16807` `MINSTD_RAND0` + `trezor-crypto` [2e528be](https://github.com/trezor/trezor-crypto/commit/2e528be1e91dd48c0e55061fbdd40ccf8b285559) | this article |
|
||||
| vulnerable Trust Wallet IOS app - **variant B** | Mid-2018 | `LCG16807` `MINSTD_RAND0` + `trezor-crypto` [009850](https://github.com/trezor/trezor-crypto/commit/009850f6c9afcf60b4c6280afd46868b1a7a1fdd) | this article |
|
||||
| vulnerable Trust Wallet iOS app - **variant A** | Mid-2018 | `LCG16807` `MINSTD_RAND0` + `trezor-crypto` [2e528be](https://github.com/trezor/trezor-crypto/commit/2e528be1e91dd48c0e55061fbdd40ccf8b285559) | this article |
|
||||
| vulnerable Trust Wallet iOS app - **variant B** | Mid-2018 | `LCG16807` `MINSTD_RAND0` + `trezor-crypto` [009850](https://github.com/trezor/trezor-crypto/commit/009850f6c9afcf60b4c6280afd46868b1a7a1fdd) | this article |
|
||||
|
||||
Each weak PRNGs variant make for different ranges of weak wallets. This article is _exclusively_ about the two newly discovered variants, and does not cover the Mersenne Twister based vulnerability.
|
||||
|
||||
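Review bot: The separator row `| -- | -- | -- | -- | -- | -- | -- |` under the table header has seven cells, while the header and the two rows edited here have four; trim it to four while this table is being touched. The abbreviated hash `009850` in the variant B row is six characters against seven for `2e528be`, and the trailing context sentence "Each weak PRNGs variant make for different ranges" still has a number agreement error (for example "Each weak PRNG variant makes for a different range"), which would fit the "clarify descriptions" part of this commit.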
|
@ -64,8 +64,8 @@ Within the wallet ranges with 12 mnemonic words (128 bits), we found the followi
|
|||
* Wallet generation: variant A entropy -> BIP39 -> BIP32.
|
||||
* Wallet generation: variant B entropy -> BIP39 -> BIP32.
|
||||
* The 18 word and 24 word ranges in Variant A seem to be mostly unused, we focused on 12 word.
|
||||
* Ethereum wallet detection is based on a known incomplete bloom filter dataset from mid-2023.
|
||||
* Bitcoin wallet detection is based on a bloom filter dataset from 2024-01-15.
|
||||
* Ethereum wallet detection is based on a known incomplete bloom filter data set from mid-2023.
|
||||
* Bitcoin wallet detection is based on a bloom filter data set from 2024-01-15.
|
||||
</details><br/>
|
||||
|
||||
Based on the current preliminary (incomplete!) data, we're counting at least **3440** unique wallet mnemonics.
|
||||
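Review bot: In the changed Ethereum bullet, "a known incomplete bloom filter data set" can be read either as a data set that is known to be incomplete or as a well-known data set that happens to be incomplete; "a bloom filter data set from mid-2023 that is known to be incomplete" removes the doubt. In the unchanged bullet above, "Variant A" is capitalised where the rest of the article writes "variant A", and "seem to be mostly unused, we focused on 12 word" is a comma splice that could be split into two sentences in the same pass.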
|
@ -77,7 +77,7 @@ We mapped out the discovered BTC and ETH wallets in a histogram plot to better u
|
|||
{% responsive_image_block %}
|
||||
figure: true
|
||||
path: assets/images/graphs/trustwallet2ab_bip39_128bit_only_histogram_btc_eth_prng_index_2010_2025_graph1.png
|
||||
alt: "Histogram of PRNG creation index for discovered wallets - Trust Wallet IOS<br/>variant A & B - 128 bit wallets<br/>Yearly X-Axis timestamp markers"
|
||||
alt: "Histogram of PRNG creation index for discovered wallets<br/>Trust Wallet iOS variant A & B - 128 bit wallets<br/>Yearly X-Axis timestamp markers"
|
||||
target_width: 1100px
|
||||
{% endresponsive_image_block %}
|
||||
|
||||
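Review bot: The new `alt:` string breaks after "discovered wallets" with `<br/>`, but the second figure's `alt:` in the next hunk still reads "discovered wallets - Trust Wallet iOS<br/>variant A & B", so the two captions now split their lines at different points. Pick one layout for both. If this value also ends up in an HTML `alt` attribute, check that the `<br/>` tags and the bare `&` are rendered the way you intend.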
|
@ -87,31 +87,34 @@ We mapped out the discovered BTC and ETH wallets in a histogram plot to better u
|
|||
* 2019-01-01: **1,546 x 10⁹** timestamp
|
||||
* 2020-01-01: **1,578 x 10⁹** timestamp
|
||||
* Total range shown: 2010-01-01 to 2025-01-01
|
||||
* Y-Axis capped for readability
|
||||
* Y-Axis capped for readability, data is not stacked
|
||||
</details><br/>
|
||||
|
||||
Two main observations:
|
||||
1. The majority of Bitcoin and Ethereum wallets have a PRNG seed that corresponds to wallet creation timestamps from 2018 and 2019.
|
||||
2. There is a smaller number of wallets with a more "random" pattern.
|
||||
|
||||
Point 1) generally fits to the publicly known timeline of the `Trust Wallet IOS` development and vulnerability (but is not a hard confirmation).
|
||||
Point 1) generally fits to the publicly known timeline of the `Trust Wallet iOS` development and vulnerability (but is not a hard confirmation).
|
||||
Point 2) indicates that there is some other source of weak wallets in this range that is less time based. Alternatively, it's possible that a subset of app devices had bad clocks for some reasons when creating the wallets.
|
||||
|
||||
Since the situation in 2018-2019 is very busy, here is a zoomed in version:
|
||||
Since the situation in 2018-2019 is very busy, here is a zoomed-in and annotated version:
|
||||
|
||||
{% responsive_image_block %}
|
||||
figure: true
|
||||
path: assets/images/graphs/trustwallet2ab_bip39_128bit_only_histogram_btc_eth_prng_index_2018_2019_graph2.png
|
||||
alt: "Histogram of PRNG creation index for discovered wallets - Trust Wallet IOS<br/>variant A & B, 2018-05 to 2020-01"
|
||||
alt: "Histogram of PRNG creation index for discovered wallets - Trust Wallet iOS<br/>variant A & B, 2018-05 to 2020-01, data is not stacked"
|
||||
target_width: 1100px
|
||||
{% endresponsive_image_block %}
|
||||
|
||||
A possible interpretation of the graph history:
|
||||
* Weak wallets of variant A appear with the first weak software version
|
||||
* Weak wallets of variant B appear once a differently vulnerable software version gets released, new wallets of variant A get more rare
|
||||
* A patched version get released
|
||||
* Historically high BTC prices makes users with existing weak wallets create Bitcoin accounts (?)
|
||||
* Some users of both vulnerable software versions keep creating weak wallets months later, likely because did not get the patched app versions yet
|
||||
1. Parameter space "before" the vulnerable `Trust Wallet` versions
|
||||
2. Weak wallets of variant A appear with the first weak software version
|
||||
3. Weak wallets of variant B appear once a differently vulnerable software version gets released
|
||||
* -> New wallets in variant A get more rare
|
||||
4. A patched version get released
|
||||
* -> New wallets in variant B get more rare
|
||||
5. Historically high BTC prices motivate users to create new wallet mnemonics for Bitcoin accounts (?)
|
||||
6. Some users of both vulnerable software versions keep creating weak wallets months later, likely because did not get or install the patched app versions yet
|
||||
|
||||
### Bitcoin On-Chain Movements
|
||||
Here is an _initial, incomplete_ analysis of BTC movements to and from weak wallets based on our initial data:
|
||||
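Review bot: The rewritten numbered list carries over two grammar slips from the old bullets: item 4 "A patched version get released" should read "gets released", and item 6 "likely because did not get or install the patched app versions yet" is missing its subject ("because they did not get or install"). Item 1, `Parameter space "before" the vulnerable Trust Wallet versions`, presumably refers to a numbered annotation in the zoomed-in graph; a short sentence before the list saying that the numbers match the graph markers would make that explicit. In the legend context lines, "1,546 x 10⁹" and "1,578 x 10⁹" use a comma as the decimal separator, which an English reader will take as a thousands separator; "1.546 x 10⁹" is unambiguous.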
|
@ -141,7 +144,7 @@ Note: this describes funds moved over the weak wallets that have been at risk at
|
|||
### Involvement in the 2023-07-12 Theft
|
||||
Here are the three biggest outgoing theft transactions from the newly disclosed range of weak wallets on 2023-07-12:
|
||||
|
||||
| Transaction | Volume variant A<br/> (`Trust Wallet IOS`) | Volume variant B<br/> (`Trust Wallet IOS`) | Transaction total volume | Date |
|
||||
| Transaction | Volume variant A<br/> (`Trust Wallet iOS`) | Volume variant B<br/> (`Trust Wallet iOS`) | Transaction total volume | Date |
|
||||
| - | - | - | - |
|
||||
| {{ "81cfe97cc16a49398d6986032ec8f6970ea80df5aa0990dcf0164de87136f5bf" | BtcLinkTxUrlSliced }} | -4,829 BTC | -3,481 BTC | -9,744 BTC | 2023-07-12 12:41 |
|
||||
| {{ "cdd9a2aff7cd0707e31023513cc78aceff7ea7e754e3a9bde9c0482b70a9716c" | BtcLinkTxUrlSliced }} | -8,161 BTC | none | -8,161 BTC _(incl. fee)_ | 2023-07-12 12:41 |
|
||||
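Review bot: The table header edited here has five columns (Transaction, Volume variant A, Volume variant B, Transaction total volume, Date), but the separator row `| - | - | - | - |` in the context below it has only four cells. Add the fifth cell while the header is being changed so the table does not depend on lenient Markdown parsing.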
|
@ -158,8 +161,8 @@ At the time of publication, less than $100 USD in total remain on the known BTC
|
|||
|
||||
## Summary & Outlook
|
||||
|
||||
In this research update, we've followed up on work by other security researchers who discovered two large new ranges of weak cryptocurrency wallets from (most likely) an older vulnerability in `Trust Wallet` on IOS. We confirmed that these weak wallets exist and that they were involved in the Milk Sad thefts. We also provided new statistics on their distribution and usage.
|
||||
In this research update, we've followed up on work by other security researchers who discovered two large new ranges of weak cryptocurrency wallets from (most likely) an older vulnerability in `Trust Wallet` on iOS. We confirmed that these weak wallets exist and that they were involved in the Milk Sad thefts. We also provided new statistics on their distribution and usage.
|
||||
|
||||
This is an exciting new piece of the overall Milk Sad puzzle, and we'll likely update this blogpost with some new information as it becomes available.
|
||||
This is an exciting new piece of the overall Milk Sad puzzle, and we'll likely update this blog post with some new information as it becomes available.
|
||||
|
||||
<br/>
|
Binary file not shown.
Before Width: | Height: | Size: 277 KiB After Width: | Height: | Size: 276 KiB |
Binary file not shown.
Before Width: | Height: | Size: 324 KiB After Width: | Height: | Size: 345 KiB |