Article no.5: update with new data, improve descriptions

Christian Reitter 2024-01-25 13:19:39 +01:00
parent 3884af4aca
commit ed7622eee9
1 changed files with 25 additions and 21 deletions

@ -28,11 +28,11 @@ Credits for this discovery go to `p0n1` and `outoflegend` from SECBIT Labs. We w
The newly disclosed vulnerability comes in two forms. Together with the previously known `Trust Wallet` vulnerability, things are getting confusing, so here's a short overview: The newly disclosed vulnerability comes in two forms. Together with the previously known `Trust Wallet` vulnerability, things are getting confusing, so here's a short overview:
| Issue | When | Characteristics | Research | | Issue | When | Characteristics | Research | ID |
| -- | -- | -- | -- | -- | -- | -- | | -- | -- | -- | -- | -- | -- | -- | -- |
| vulnerable Trust Wallet browser extension | 2022/2023 | Mersenne Twister based | [research update #2]({% link _posts/2023-12-06-research-update-2.md %}) | | vulnerable Trust Wallet browser extension | 2022/2023 | Mersenne Twister based | [research update #2]({% link _posts/2023-12-06-research-update-2.md %}) | - |
| vulnerable Trust Wallet iOS app - **variant A** | Mid-2018 | `LCG16807` `MINSTD_RAND0` + `trezor-crypto` [2e528be](https://github.com/trezor/trezor-crypto/commit/2e528be1e91dd48c0e55061fbdd40ccf8b285559) | this article | | vulnerable Trust Wallet iOS app - **variant A** | Mid-2018 | `LCG16807` `MINSTD_RAND0`<br/> + `trezor-crypto` [2e528be](https://github.com/trezor/trezor-crypto/commit/2e528be1e91dd48c0e55061fbdd40ccf8b285559) | this article | CVE-2024-23660 ? |
| vulnerable Trust Wallet iOS app - **variant B** | Mid-2018 | `LCG16807` `MINSTD_RAND0` + `trezor-crypto` [009850](https://github.com/trezor/trezor-crypto/commit/009850f6c9afcf60b4c6280afd46868b1a7a1fdd) | this article | | vulnerable Trust Wallet iOS app - **variant B** | Mid-2018 | `LCG16807` `MINSTD_RAND0`<br/> + `trezor-crypto` [009850](https://github.com/trezor/trezor-crypto/commit/009850f6c9afcf60b4c6280afd46868b1a7a1fdd) | this article | CVE-2024-23660 ? |
Each weak PRNGs variant make for different ranges of weak wallets. This article is _exclusively_ about the two newly discovered variants, and does not cover the Mersenne Twister based vulnerability. Each weak PRNGs variant make for different ranges of weak wallets. This article is _exclusively_ about the two newly discovered variants, and does not cover the Mersenne Twister based vulnerability.
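Review bot: The separator row under the new five-column header (Issue, When, Characteristics, Research, ID) has eight `--` cells; the old row had seven for four columns, so the mismatch is carried forward instead of fixed. Trim it to five cells. The new ID cells read `CVE-2024-23660 ?` for both variants with no explanation of the question mark; add a sentence below the table saying what is uncertain (the assignment itself, or whether it covers both variants). The unchanged line "Each weak PRNGs variant make" could be corrected in the same pass to "Each weak PRNG variant makes".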
@ -46,18 +46,18 @@ srand((unsigned)time(NULL));
For our initial experiments, we assume that the devices running the code had reasonably correct date and clock settings at the time they generated new wallets. The PRNG has a 32-bit state, but we used the known `srand()` behavior to focus our initial search onto a smaller subset of wallets which correspond to certain creation dates. This optimization speeds up the initial work. For our initial experiments, we assume that the devices running the code had reasonably correct date and clock settings at the time they generated new wallets. The PRNG has a 32-bit state, but we used the known `srand()` behavior to focus our initial search onto a smaller subset of wallets which correspond to certain creation dates. This optimization speeds up the initial work.
### Over 3400 Weak Wallets 🔥 ### Over 6500 Weak Wallets 🔥
Within the wallet ranges with 12 mnemonic words (128 bits), we found the following: Within the wallet ranges with 12 mnemonic words (128 bits), we found the following:
| Range | Variant A | Variant A | Variant A | Variant B | | Range | Variant A | Variant B |
| creation timestamp in srand() | 2010-01-01 to <br/>2025-01-01 | 2015-01-01 to<br/> 2024-01-01 | 2018-01-01 to<br/> 2019-01-01 | 2018-01-01 to<br/> 2020-01-01 | | creation timestamp in srand() | 2010-01-01 to <br/>2025-01-01 | 2010-01-01 to <br/>2025-01-01 |
| -- | -- | -- | -- | -- | -- | -- |
| Bitcoin P2PKH, compressed pubkey | 21 | 21 | 12 | 39 |
| Bitcoin P2SH-P2WPKH | 8 | 8 | 8 | 14 |
| Bitcoin P2WPKH | 452 | 448 | 421 | 215 |
| Ethereum | 2423 | 2376 | 1846 | 506 |
| -- | -- | -- | -- | -- | | -- | -- | -- | -- | -- |
| total unique wallet private keys | 2729 | 2677 | 2170 | 711 | | Bitcoin P2PKH, compressed pubkey | 21 | 40 |
| Bitcoin P2SH-P2WPKH | 8 | 14 |
| Bitcoin P2WPKH | 452 | 216 |
| Ethereum | 4261 | 2054 |
| -- | -- | -- | -- | -- |
| total unique wallet private keys | 4455 | 2117 |
<details markdown=1> <details markdown=1>
<summary><b>Data details</b> (click to unfold)</summary> <summary><b>Data details</b> (click to unfold)</summary>
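Review bot: In the rewritten table the "total unique wallet private keys" row (4455 and 2117) is lower than the sum of the per-type rows above it (21 + 8 + 452 + 4261 = 4742 for variant A, 40 + 14 + 216 + 2054 = 2324 for variant B), and nothing in the changed lines says why. Add a bullet under "Data details" stating how the unique total is derived, so readers do not take the gap for an arithmetic error. The two separator rows also still carry five `--` cells from the old five-column layout; reduce them to three to match the new header.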
@ -68,7 +68,7 @@ Within the wallet ranges with 12 mnemonic words (128 bits), we found the followi
* Bitcoin wallet detection is based on a bloom filter data set from 2024-01-15. * Bitcoin wallet detection is based on a bloom filter data set from 2024-01-15.
</details><br/> </details><br/>
Based on the current preliminary (incomplete!) data, we're counting at least **3440** unique wallet mnemonics. Based on the current preliminary (incomplete!) data, we're counting at least **6572** unique wallet mnemonics, and we still expect to find more.
### Wallet Creation Date Pattern ### Wallet Creation Date Pattern
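Review bot: The new figure of 6572 "unique wallet mnemonics" equals 4455 + 2117 from the table, but those table rows are labelled "total unique wallet private keys". Use one term in both places, and say explicitly that the figure is the sum of the variant A and variant B totals, which also makes clear that no wallet is counted in both variants.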
@ -77,7 +77,7 @@ We mapped out the discovered BTC and ETH wallets in a histogram plot to better u
{% responsive_image_block %} {% responsive_image_block %}
figure: true figure: true
path: assets/images/graphs/trustwallet2ab_bip39_128bit_only_histogram_btc_eth_prng_index_2010_2025_graph1.png path: assets/images/graphs/trustwallet2ab_bip39_128bit_only_histogram_btc_eth_prng_index_2010_2025_graph1.png
alt: "Histogram of PRNG creation index for discovered wallets<br/>Trust Wallet iOS variant A & B - 128 bit wallets<br/>Yearly X-Axis timestamp markers" alt: "Histogram of PRNG creation index for discovered wallets<br/>Trust Wallet iOS variant A & B - 128 bit wallets<br/>Yearly X-Axis timestamp markers, graph based on incomplete data"
target_width: 1100px target_width: 1100px
{% endresponsive_image_block %} {% endresponsive_image_block %}
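Review bot: The caveat "graph based on incomplete data" is appended to the alt text after "Yearly X-Axis timestamp markers" with only a comma, so it reads as part of the axis description. The other parts of this alt string are separated with `<br/>`; put the caveat on its own `<br/>` segment as well. The image path is unchanged, so it would also help to say which data set date the graph reflects.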
@ -88,6 +88,8 @@ We mapped out the discovered BTC and ETH wallets in a histogram plot to better u
* 2020-01-01: **1,578 x 10⁹** timestamp * 2020-01-01: **1,578 x 10⁹** timestamp
* Total range shown: 2010-01-01 to 2025-01-01 * Total range shown: 2010-01-01 to 2025-01-01
* Y-Axis capped for readability, data is not stacked * Y-Axis capped for readability, data is not stacked
* Variant B data only covers 2018-01-01 to 2020-01-01
* ETH data is outdated
</details><br/> </details><br/>
Two main observations: Two main observations:
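Review bot: The added bullet "ETH data is outdated" does not say outdated relative to what. The table in this same commit now lists Ethereum counts of 4261 and 2054 over 2010-01-01 to 2025-01-01, so state which earlier counts or data set date the graph is based on. The same applies to "Variant B data only covers 2018-01-01 to 2020-01-01": the table header now gives variant B the full 2010 to 2025 range, so note that this restriction applies to the graph only.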
@ -102,7 +104,7 @@ Since the situation in 2018-2019 is very busy, here is a zoomed-in and annotated
{% responsive_image_block %} {% responsive_image_block %}
figure: true figure: true
path: assets/images/graphs/trustwallet2ab_bip39_128bit_only_histogram_btc_eth_prng_index_2018_2019_graph2.png path: assets/images/graphs/trustwallet2ab_bip39_128bit_only_histogram_btc_eth_prng_index_2018_2019_graph2.png
alt: "Histogram of PRNG creation index for discovered wallets - Trust Wallet iOS<br/>variant A & B, 2018-05 to 2020-01, data is not stacked" alt: "Histogram of PRNG creation index for discovered wallets - Trust Wallet iOS<br/>variant A & B, 2018-05 to 2020-01, data is not stacked, graph based on incomplete data"
target_width: 1100px target_width: 1100px
{% endresponsive_image_block %} {% endresponsive_image_block %}
@ -114,14 +116,16 @@ A possible interpretation of the graph history:
4. A patched version get released 4. A patched version get released
* -> New wallets in variant B get more rare * -> New wallets in variant B get more rare
5. Historically high BTC prices motivate users to create new wallet mnemonics for Bitcoin accounts (?) 5. Historically high BTC prices motivate users to create new wallet mnemonics for Bitcoin accounts (?)
6. Some users of both vulnerable software versions keep creating weak wallets months later, likely because did not get or install the patched app versions yet 6. Some users of both vulnerable software versions keep creating weak wallets months later, likely because they did not get or install the patched app versions yet
It is unclear to us if `Trust Wallet` on iOS had full support for Bitcoin wallets at the time, which may would be a relevant factor in the interpretation, and a clue towards the involvement of other wallet software.
### Bitcoin On-Chain Movements ### Bitcoin On-Chain Movements
Here is an _initial, incomplete_ analysis of BTC movements to and from weak wallets based on our initial data: Here is an _initial, incomplete_ analysis of BTC movements to and from weak wallets based on our initial data:
{% responsive_image_block %} {% responsive_image_block %}
figure: true figure: true
path: assets/images/graphs/trustwallet2a_bip39_128bit_only_monthly_volume_btc_2018_2023_graph1.png path: assets/images/graphs/trustwallet2a_bip39_128bit_only_monthly_volume_btc_2018_2023_graph1.png
alt: "Historic aggregated usage of known 128 bit Trust Wallet Bitcoin wallets - <b>variant A</b>" alt: "Historic aggregated usage of known wallets in 128 bit Trust Wallet Bitcoin range - <b>variant A</b>"
target_width: 950px target_width: 950px
{% endresponsive_image_block %} {% endresponsive_image_block %}
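Review bot: The added paragraph contains "which may would be a relevant factor"; pick one modal, for example "which would be a relevant factor" or "which may be a relevant factor". Since item 6 is being corrected in this hunk anyway, the unchanged item 4 "A patched version get released" should become "gets released", and "get more rare" should become "gets rarer" or "become rarer".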
@ -130,7 +134,7 @@ Notably, there is a visible peak in the graph of outgoing transfers of the month
{% responsive_image_block %} {% responsive_image_block %}
figure: true figure: true
path: assets/images/graphs/trustwallet2b_bip39_128bit_only_monthly_volume_btc_2018_2023_data2018_2019_graph1.png path: assets/images/graphs/trustwallet2b_bip39_128bit_only_monthly_volume_btc_2018_2023_data2018_2019_graph1.png
alt: "Historic aggregated usage of known 128 bit Trust Wallet Bitcoin wallets - <b>variant B</b>" alt: "Historic aggregated usage of known wallets in 128 bit Trust Wallet Bitcoin range - <b>variant B</b>"
target_width: 950px target_width: 950px
{% endresponsive_image_block %} {% endresponsive_image_block %}
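Review bot: The reworded alt text for the variant B graph does not mention the data range, while the unchanged image path ends in `data2018_2019_graph1.png`. With the variant B table column now covering 2010-01-01 to 2025-01-01, the caption should say that this graph is built from the 2018 to 2019 data only, as was done for the histogram captions with "graph based on incomplete data".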
@ -163,6 +167,6 @@ At the time of publication, less than $100 USD in total remain on the known BTC
In this research update, we've followed up on work by other security researchers who discovered two large new ranges of weak cryptocurrency wallets from (most likely) an older vulnerability in `Trust Wallet` on iOS. We confirmed that these weak wallets exist and that they were involved in the Milk Sad thefts. We also provided new statistics on their distribution and usage. In this research update, we've followed up on work by other security researchers who discovered two large new ranges of weak cryptocurrency wallets from (most likely) an older vulnerability in `Trust Wallet` on iOS. We confirmed that these weak wallets exist and that they were involved in the Milk Sad thefts. We also provided new statistics on their distribution and usage.
This is an exciting new piece of the overall Milk Sad puzzle, and we'll likely update this blog post with some new information as it becomes available. This is an exciting new piece of the overall Milk Sad puzzle, and we'll continue to update this blog post with new information as it becomes available.
<br/> <br/>