Article no.5: rename iOS, improve graphs, clarify descriptions
This commit is contained in:
parent
8c22c74b88
commit
e559611104
|
@ -5,7 +5,7 @@ author: ["Christian Reitter"]
|
|||
date: 2024-01-23 17:00:00 +0000
|
||||
---
|
||||
|
||||
Last Friday, we learned of a [newly disclosed vulnerability](https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/) in the `Trust Wallet` software which is relevant to Milk Sad. Researchers from [SECBIT Labs](https://secbit.io) tracked down an older wallet generation weakness in the IOS platform version of `Trust Wallet` from 2018 and connected it to the large thefts on 2023-07-12 that triggered our Milk Sad research.<br/>
|
||||
Last Friday, we learned of a [newly disclosed vulnerability](https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/) in the `Trust Wallet` software which is relevant to Milk Sad. Researchers from [SECBIT Labs](https://secbit.io) tracked down an older wallet generation weakness in the iOS platform version of `Trust Wallet` from 2018 and connected it to the large thefts on 2023-07-12 that triggered our Milk Sad research.<br/>
|
||||
Using the newly available information, we managed to reproduce some of their findings, and can give a first look at additional data we collected.
|
||||
|
||||
<div id="toc-container" markdown="1">
|
||||
|
@ -18,7 +18,7 @@ Using the newly available information, we managed to reproduce some of their fin
|
|||
|
||||
## Vulnerability TL;DR
|
||||
|
||||
Open source code shows that [a core component](https://github.com/trustwallet/trezor-crypto-ios/commits/master/) of the `Trust Wallet` app for IOS generated new cryptocurrency wallets using unsafe functions in the `trezor-crypto` library that were not meant for production. As a result, their wallet entropy is based on a weak PRNG with 32-bit state that is seeded with easy-to-guess time values. This makes all wallets generated with vulnerable app versions easy to brute force remotely, like the weak `bx seed` mechanism in Libbitcoin. Both weaknesses were attacked on-chain at the same time in July 2023.
|
||||
Open source code shows that [a core component](https://github.com/trustwallet/trezor-crypto-ios/commits/master/) of the `Trust Wallet` app for iOS generated new cryptocurrency wallets using unsafe functions in the `trezor-crypto` library that were not meant for production. As a result, their wallet entropy is based on a weak PRNG with 32-bit state that is seeded with easy-to-guess time values. This makes all wallets generated with vulnerable app versions easy to brute force remotely, like the weak `bx seed` mechanism in Libbitcoin. Both weaknesses were attacked on-chain at the same time in July 2023.
|
||||
|
||||
If you want to understand this better, we recommend taking a look at the [Trust Wallet's Fomo3D Summer: Fresh Discovery of Low Entropy Flaw From 2018](https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/) disclosure of the SECBIT team.
|
||||
|
||||
|
@ -31,8 +31,8 @@ The newly disclosed vulnerability comes in two forms. Together with the previous
|
|||
| Issue | When | Characteristics | Research |
|
||||
| -- | -- | -- | -- | -- | -- | -- |
|
||||
| vulnerable Trust Wallet browser extension | 2022/2023 | Mersenne Twister based | [research update #2]({% link _posts/2023-12-06-research-update-2.md %}) |
|
||||
| vulnerable Trust Wallet IOS app - **variant A** | Mid-2018 | `LCG16807` `MINSTD_RAND0` + `trezor-crypto` [2e528be](https://github.com/trezor/trezor-crypto/commit/2e528be1e91dd48c0e55061fbdd40ccf8b285559) | this article |
|
||||
| vulnerable Trust Wallet IOS app - **variant B** | Mid-2018 | `LCG16807` `MINSTD_RAND0` + `trezor-crypto` [009850](https://github.com/trezor/trezor-crypto/commit/009850f6c9afcf60b4c6280afd46868b1a7a1fdd) | this article |
|
||||
| vulnerable Trust Wallet iOS app - **variant A** | Mid-2018 | `LCG16807` `MINSTD_RAND0` + `trezor-crypto` [2e528be](https://github.com/trezor/trezor-crypto/commit/2e528be1e91dd48c0e55061fbdd40ccf8b285559) | this article |
|
||||
| vulnerable Trust Wallet iOS app - **variant B** | Mid-2018 | `LCG16807` `MINSTD_RAND0` + `trezor-crypto` [009850](https://github.com/trezor/trezor-crypto/commit/009850f6c9afcf60b4c6280afd46868b1a7a1fdd) | this article |
|
||||
|
||||
Each weak PRNGs variant make for different ranges of weak wallets. This article is _exclusively_ about the two newly discovered variants, and does not cover the Mersenne Twister based vulnerability.
|
||||
|
||||
|
@ -77,7 +77,7 @@ We mapped out the discovered BTC and ETH wallets in a histogram plot to better u
|
|||
{% responsive_image_block %}
|
||||
figure: true
|
||||
path: assets/images/graphs/trustwallet2ab_bip39_128bit_only_histogram_btc_eth_prng_index_2010_2025_graph1.png
|
||||
alt: "Histogram of PRNG creation index for discovered wallets - Trust Wallet IOS<br/>variant A & B - 128 bit wallets<br/>Yearly X-Axis timestamp markers"
|
||||
alt: "Histogram of PRNG creation index for discovered wallets<br/>Trust Wallet iOS variant A & B - 128 bit wallets<br/>Yearly X-Axis timestamp markers"
|
||||
target_width: 1100px
|
||||
{% endresponsive_image_block %}
|
||||
|
||||
|
@ -87,31 +87,34 @@ We mapped out the discovered BTC and ETH wallets in a histogram plot to better u
|
|||
* 2019-01-01: **1,546 x 10⁹** timestamp
|
||||
* 2020-01-01: **1,578 x 10⁹** timestamp
|
||||
* Total range shown: 2010-01-01 to 2025-01-01
|
||||
* Y-Axis capped for readability
|
||||
* Y-Axis capped for readability, data is not stacked
|
||||
</details><br/>
|
||||
|
||||
Two main observations:
|
||||
1. The majority of Bitcoin and Ethereum wallets have a PRNG seed that corresponds to wallet creation timestamps from 2018 and 2019.
|
||||
2. There is a smaller number of wallets with a more "random" pattern.
|
||||
|
||||
Point 1) generally fits to the publicly known timeline of the `Trust Wallet IOS` development and vulnerability (but is not a hard confirmation).
|
||||
Point 1) generally fits to the publicly known timeline of the `Trust Wallet iOS` development and vulnerability (but is not a hard confirmation).
|
||||
Point 2) indicates that there is some other source of weak wallets in this range that is less time based. Alternatively, it's possible that a subset of app devices had bad clocks for some reasons when creating the wallets.
|
||||
|
||||
Since the situation in 2018-2019 is very busy, here is a zoomed in version:
|
||||
Since the situation in 2018-2019 is very busy, here is a zoomed-in and annotated version:
|
||||
|
||||
{% responsive_image_block %}
|
||||
figure: true
|
||||
path: assets/images/graphs/trustwallet2ab_bip39_128bit_only_histogram_btc_eth_prng_index_2018_2019_graph2.png
|
||||
alt: "Histogram of PRNG creation index for discovered wallets - Trust Wallet IOS<br/>variant A & B, 2018-05 to 2020-01"
|
||||
alt: "Histogram of PRNG creation index for discovered wallets - Trust Wallet iOS<br/>variant A & B, 2018-05 to 2020-01, data is not stacked"
|
||||
target_width: 1100px
|
||||
{% endresponsive_image_block %}
|
||||
|
||||
A possible interpretation of the graph history:
|
||||
* Weak wallets of variant A appear with the first weak software version
|
||||
* Weak wallets of variant B appear once a differently vulnerable software version gets released, new wallets of variant A get more rare
|
||||
* A patched version get released
|
||||
* Historically high BTC prices makes users with existing weak wallets create Bitcoin accounts (?)
|
||||
* Some users of both vulnerable software versions keep creating weak wallets months later, likely because did not get the patched app versions yet
|
||||
1. Parameter space "before" the vulnerable `Trust Wallet` versions
|
||||
2. Weak wallets of variant A appear with the first weak software version
|
||||
3. Weak wallets of variant B appear once a differently vulnerable software version gets released
|
||||
* -> New wallets in variant A get more rare
|
||||
4. A patched version get released
|
||||
* -> New wallets in variant B get more rare
|
||||
5. Historically high BTC prices motivate users to create new wallet mnemonics for Bitcoin accounts (?)
|
||||
6. Some users of both vulnerable software versions keep creating weak wallets months later, likely because did not get or install the patched app versions yet
|
||||
|
||||
### Bitcoin On-Chain Movements
|
||||
Here is an _initial, incomplete_ analysis of BTC movements to and from weak wallets based on our initial data:
|
||||
|
@ -141,7 +144,7 @@ Note: this describes funds moved over the weak wallets that have been at risk at
|
|||
### Involvement in the 2023-07-12 Theft
|
||||
Here are the three biggest outgoing theft transactions from the newly disclosed range of weak wallets on 2023-07-12:
|
||||
|
||||
| Transaction | Volume variant A<br/> (`Trust Wallet IOS`) | Volume variant B<br/> (`Trust Wallet IOS`) | Transaction total volume | Date |
|
||||
| Transaction | Volume variant A<br/> (`Trust Wallet iOS`) | Volume variant B<br/> (`Trust Wallet iOS`) | Transaction total volume | Date |
|
||||
| - | - | - | - |
|
||||
| {{ "81cfe97cc16a49398d6986032ec8f6970ea80df5aa0990dcf0164de87136f5bf" | BtcLinkTxUrlSliced }} | -4,829 BTC | -3,481 BTC | -9,744 BTC | 2023-07-12 12:41 |
|
||||
| {{ "cdd9a2aff7cd0707e31023513cc78aceff7ea7e754e3a9bde9c0482b70a9716c" | BtcLinkTxUrlSliced }} | -8,161 BTC | none | -8,161 BTC _(incl. fee)_ | 2023-07-12 12:41 |
|
||||
|
@ -158,7 +161,7 @@ At the time of publication, less than $100 USD in total remain on the known BTC
|
|||
|
||||
## Summary & Outlook
|
||||
|
||||
In this research update, we've followed up on work by other security researchers who discovered two large new ranges of weak cryptocurrency wallets from (most likely) an older vulnerability in `Trust Wallet` on IOS. We confirmed that these weak wallets exist and that they were involved in the Milk Sad thefts. We also provided new statistics on their distribution and usage.
|
||||
In this research update, we've followed up on work by other security researchers who discovered two large new ranges of weak cryptocurrency wallets from (most likely) an older vulnerability in `Trust Wallet` on iOS. We confirmed that these weak wallets exist and that they were involved in the Milk Sad thefts. We also provided new statistics on their distribution and usage.
|
||||
|
||||
This is an exciting new piece of the overall Milk Sad puzzle, and we'll likely update this blog post with some new information as it becomes available.
|
||||
|
||||
|
|
Binary file not shown.
Before Width: | Height: | Size: 277 KiB After Width: | Height: | Size: 276 KiB |
Binary file not shown.
Before Width: | Height: | Size: 324 KiB After Width: | Height: | Size: 345 KiB |
Loading…
Reference in New Issue