Article no.5: rename iOS, improve graphs, clarify descriptions

This commit is contained in:
Christian Reitter 2024-01-23 21:58:15 +01:00
parent 8c22c74b88
commit e559611104
3 changed files with 22 additions and 19 deletions

View File

@ -5,7 +5,7 @@ author: ["Christian Reitter"]
date: 2024-01-23 17:00:00 +0000 date: 2024-01-23 17:00:00 +0000
--- ---
Last Friday, we learned of a [newly disclosed vulnerability](https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/) in the `Trust Wallet` software which is relevant to Milk Sad. Researchers from [SECBIT Labs](https://secbit.io) tracked down an older wallet generation weakness in the IOS platform version of `Trust Wallet` from 2018 and connected it to the large thefts on 2023-07-12 that triggered our Milk Sad research.<br/> Last Friday, we learned of a [newly disclosed vulnerability](https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/) in the `Trust Wallet` software which is relevant to Milk Sad. Researchers from [SECBIT Labs](https://secbit.io) tracked down an older wallet generation weakness in the iOS platform version of `Trust Wallet` from 2018 and connected it to the large thefts on 2023-07-12 that triggered our Milk Sad research.<br/>
Using the newly available information, we managed to reproduce some of their findings, and can give a first look at additional data we collected. Using the newly available information, we managed to reproduce some of their findings, and can give a first look at additional data we collected.
<div id="toc-container" markdown="1"> <div id="toc-container" markdown="1">
@ -18,7 +18,7 @@ Using the newly available information, we managed to reproduce some of their fin
## Vulnerability TL;DR ## Vulnerability TL;DR
Open source code shows that [a core component](https://github.com/trustwallet/trezor-crypto-ios/commits/master/) of the `Trust Wallet` app for IOS generated new cryptocurrency wallets using unsafe functions in the `trezor-crypto` library that were not meant for production. As a result, their wallet entropy is based on a weak PRNG with 32-bit state that is seeded with easy-to-guess time values. This makes all wallets generated with vulnerable app versions easy to brute force remotely, like the weak `bx seed` mechanism in Libbitcoin. Both weaknesses were attacked on-chain at the same time in July 2023. Open source code shows that [a core component](https://github.com/trustwallet/trezor-crypto-ios/commits/master/) of the `Trust Wallet` app for iOS generated new cryptocurrency wallets using unsafe functions in the `trezor-crypto` library that were not meant for production. As a result, their wallet entropy is based on a weak PRNG with 32-bit state that is seeded with easy-to-guess time values. This makes all wallets generated with vulnerable app versions easy to brute force remotely, like the weak `bx seed` mechanism in Libbitcoin. Both weaknesses were attacked on-chain at the same time in July 2023.
If you want to understand this better, we recommend taking a look at the [Trust Wallet's Fomo3D Summer: Fresh Discovery of Low Entropy Flaw From 2018](https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/) disclosure of the SECBIT team. If you want to understand this better, we recommend taking a look at the [Trust Wallet's Fomo3D Summer: Fresh Discovery of Low Entropy Flaw From 2018](https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/) disclosure of the SECBIT team.
@ -31,8 +31,8 @@ The newly disclosed vulnerability comes in two forms. Together with the previous
| Issue | When | Characteristics | Research | | Issue | When | Characteristics | Research |
| -- | -- | -- | -- | -- | -- | -- | | -- | -- | -- | -- | -- | -- | -- |
| vulnerable Trust Wallet browser extension | 2022/2023 | Mersenne Twister based | [research update #2]({% link _posts/2023-12-06-research-update-2.md %}) | | vulnerable Trust Wallet browser extension | 2022/2023 | Mersenne Twister based | [research update #2]({% link _posts/2023-12-06-research-update-2.md %}) |
| vulnerable Trust Wallet IOS app - **variant A** | Mid-2018 | `LCG16807` `MINSTD_RAND0` + `trezor-crypto` [2e528be](https://github.com/trezor/trezor-crypto/commit/2e528be1e91dd48c0e55061fbdd40ccf8b285559) | this article | | vulnerable Trust Wallet iOS app - **variant A** | Mid-2018 | `LCG16807` `MINSTD_RAND0` + `trezor-crypto` [2e528be](https://github.com/trezor/trezor-crypto/commit/2e528be1e91dd48c0e55061fbdd40ccf8b285559) | this article |
| vulnerable Trust Wallet IOS app - **variant B** | Mid-2018 | `LCG16807` `MINSTD_RAND0` + `trezor-crypto` [009850](https://github.com/trezor/trezor-crypto/commit/009850f6c9afcf60b4c6280afd46868b1a7a1fdd) | this article | | vulnerable Trust Wallet iOS app - **variant B** | Mid-2018 | `LCG16807` `MINSTD_RAND0` + `trezor-crypto` [009850](https://github.com/trezor/trezor-crypto/commit/009850f6c9afcf60b4c6280afd46868b1a7a1fdd) | this article |
Each weak PRNGs variant make for different ranges of weak wallets. This article is _exclusively_ about the two newly discovered variants, and does not cover the Mersenne Twister based vulnerability. Each weak PRNGs variant make for different ranges of weak wallets. This article is _exclusively_ about the two newly discovered variants, and does not cover the Mersenne Twister based vulnerability.
@ -64,8 +64,8 @@ Within the wallet ranges with 12 mnemonic words (128 bits), we found the followi
* Wallet generation: variant A entropy -> BIP39 -> BIP32. * Wallet generation: variant A entropy -> BIP39 -> BIP32.
* Wallet generation: variant B entropy -> BIP39 -> BIP32. * Wallet generation: variant B entropy -> BIP39 -> BIP32.
* The 18 word and 24 word ranges in Variant A seem to be mostly unused, we focused on 12 word. * The 18 word and 24 word ranges in Variant A seem to be mostly unused, we focused on 12 word.
* Ethereum wallet detection is based on a known incomplete bloom filter dataset from mid-2023. * Ethereum wallet detection is based on a known incomplete bloom filter data set from mid-2023.
* Bitcoin wallet detection is based on a bloom filter dataset from 2024-01-15. * Bitcoin wallet detection is based on a bloom filter data set from 2024-01-15.
</details><br/> </details><br/>
Based on the current preliminary (incomplete!) data, we're counting at least **3440** unique wallet mnemonics. Based on the current preliminary (incomplete!) data, we're counting at least **3440** unique wallet mnemonics.
@ -77,7 +77,7 @@ We mapped out the discovered BTC and ETH wallets in a histogram plot to better u
{% responsive_image_block %} {% responsive_image_block %}
figure: true figure: true
path: assets/images/graphs/trustwallet2ab_bip39_128bit_only_histogram_btc_eth_prng_index_2010_2025_graph1.png path: assets/images/graphs/trustwallet2ab_bip39_128bit_only_histogram_btc_eth_prng_index_2010_2025_graph1.png
alt: "Histogram of PRNG creation index for discovered wallets - Trust Wallet IOS<br/>variant A & B - 128 bit wallets<br/>Yearly X-Axis timestamp markers" alt: "Histogram of PRNG creation index for discovered wallets<br/>Trust Wallet iOS variant A & B - 128 bit wallets<br/>Yearly X-Axis timestamp markers"
target_width: 1100px target_width: 1100px
{% endresponsive_image_block %} {% endresponsive_image_block %}
@ -87,31 +87,34 @@ We mapped out the discovered BTC and ETH wallets in a histogram plot to better u
* 2019-01-01: **1,546 x 10⁹** timestamp * 2019-01-01: **1,546 x 10⁹** timestamp
* 2020-01-01: **1,578 x 10⁹** timestamp * 2020-01-01: **1,578 x 10⁹** timestamp
* Total range shown: 2010-01-01 to 2025-01-01 * Total range shown: 2010-01-01 to 2025-01-01
* Y-Axis capped for readability * Y-Axis capped for readability, data is not stacked
</details><br/> </details><br/>
Two main observations: Two main observations:
1. The majority of Bitcoin and Ethereum wallets have a PRNG seed that corresponds to wallet creation timestamps from 2018 and 2019. 1. The majority of Bitcoin and Ethereum wallets have a PRNG seed that corresponds to wallet creation timestamps from 2018 and 2019.
2. There is a smaller number of wallets with a more "random" pattern. 2. There is a smaller number of wallets with a more "random" pattern.
Point 1) generally fits to the publicly known timeline of the `Trust Wallet IOS` development and vulnerability (but is not a hard confirmation). Point 1) generally fits to the publicly known timeline of the `Trust Wallet iOS` development and vulnerability (but is not a hard confirmation).
Point 2) indicates that there is some other source of weak wallets in this range that is less time based. Alternatively, it's possible that a subset of app devices had bad clocks for some reasons when creating the wallets. Point 2) indicates that there is some other source of weak wallets in this range that is less time based. Alternatively, it's possible that a subset of app devices had bad clocks for some reasons when creating the wallets.
Since the situation in 2018-2019 is very busy, here is a zoomed in version: Since the situation in 2018-2019 is very busy, here is a zoomed-in and annotated version:
{% responsive_image_block %} {% responsive_image_block %}
figure: true figure: true
path: assets/images/graphs/trustwallet2ab_bip39_128bit_only_histogram_btc_eth_prng_index_2018_2019_graph2.png path: assets/images/graphs/trustwallet2ab_bip39_128bit_only_histogram_btc_eth_prng_index_2018_2019_graph2.png
alt: "Histogram of PRNG creation index for discovered wallets - Trust Wallet IOS<br/>variant A & B, 2018-05 to 2020-01" alt: "Histogram of PRNG creation index for discovered wallets - Trust Wallet iOS<br/>variant A & B, 2018-05 to 2020-01, data is not stacked"
target_width: 1100px target_width: 1100px
{% endresponsive_image_block %} {% endresponsive_image_block %}
A possible interpretation of the graph history: A possible interpretation of the graph history:
* Weak wallets of variant A appear with the first weak software version 1. Parameter space "before" the vulnerable `Trust Wallet` versions
* Weak wallets of variant B appear once a differently vulnerable software version gets released, new wallets of variant A get more rare 2. Weak wallets of variant A appear with the first weak software version
* A patched version get released 3. Weak wallets of variant B appear once a differently vulnerable software version gets released
* Historically high BTC prices makes users with existing weak wallets create Bitcoin accounts (?) * -> New wallets in variant A get more rare
* Some users of both vulnerable software versions keep creating weak wallets months later, likely because did not get the patched app versions yet 4. A patched version get released
* -> New wallets in variant B get more rare
5. Historically high BTC prices motivate users to create new wallet mnemonics for Bitcoin accounts (?)
6. Some users of both vulnerable software versions keep creating weak wallets months later, likely because did not get or install the patched app versions yet
### Bitcoin On-Chain Movements ### Bitcoin On-Chain Movements
Here is an _initial, incomplete_ analysis of BTC movements to and from weak wallets based on our initial data: Here is an _initial, incomplete_ analysis of BTC movements to and from weak wallets based on our initial data:
@ -141,7 +144,7 @@ Note: this describes funds moved over the weak wallets that have been at risk at
### Involvement in the 2023-07-12 Theft ### Involvement in the 2023-07-12 Theft
Here are the three biggest outgoing theft transactions from the newly disclosed range of weak wallets on 2023-07-12: Here are the three biggest outgoing theft transactions from the newly disclosed range of weak wallets on 2023-07-12:
| Transaction | Volume variant A<br/> (`Trust Wallet IOS`) | Volume variant B<br/> (`Trust Wallet IOS`) | Transaction total volume | Date | | Transaction | Volume variant A<br/> (`Trust Wallet iOS`) | Volume variant B<br/> (`Trust Wallet iOS`) | Transaction total volume | Date |
| - | - | - | - | | - | - | - | - |
| {{ "81cfe97cc16a49398d6986032ec8f6970ea80df5aa0990dcf0164de87136f5bf" | BtcLinkTxUrlSliced }} | -4,829 BTC | -3,481 BTC | -9,744 BTC | 2023-07-12 12:41 | | {{ "81cfe97cc16a49398d6986032ec8f6970ea80df5aa0990dcf0164de87136f5bf" | BtcLinkTxUrlSliced }} | -4,829 BTC | -3,481 BTC | -9,744 BTC | 2023-07-12 12:41 |
| {{ "cdd9a2aff7cd0707e31023513cc78aceff7ea7e754e3a9bde9c0482b70a9716c" | BtcLinkTxUrlSliced }} | -8,161 BTC | none | -8,161 BTC _(incl. fee)_ | 2023-07-12 12:41 | | {{ "cdd9a2aff7cd0707e31023513cc78aceff7ea7e754e3a9bde9c0482b70a9716c" | BtcLinkTxUrlSliced }} | -8,161 BTC | none | -8,161 BTC _(incl. fee)_ | 2023-07-12 12:41 |
@ -158,8 +161,8 @@ At the time of publication, less than $100 USD in total remain on the known BTC
## Summary & Outlook ## Summary & Outlook
In this research update, we've followed up on work by other security researchers who discovered two large new ranges of weak cryptocurrency wallets from (most likely) an older vulnerability in `Trust Wallet` on IOS. We confirmed that these weak wallets exist and that they were involved in the Milk Sad thefts. We also provided new statistics on their distribution and usage. In this research update, we've followed up on work by other security researchers who discovered two large new ranges of weak cryptocurrency wallets from (most likely) an older vulnerability in `Trust Wallet` on iOS. We confirmed that these weak wallets exist and that they were involved in the Milk Sad thefts. We also provided new statistics on their distribution and usage.
This is an exciting new piece of the overall Milk Sad puzzle, and we'll likely update this blogpost with some new information as it becomes available. This is an exciting new piece of the overall Milk Sad puzzle, and we'll likely update this blog post with some new information as it becomes available.
<br/> <br/>

Binary file not shown.

Before

Width:  |  Height:  |  Size: 277 KiB

After

Width:  |  Height:  |  Size: 276 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 324 KiB

After

Width:  |  Height:  |  Size: 345 KiB