Researchers publish a method to steal the seed phrase of hardware wallets through malicious firmware: the details.
A “new” attack called Dark Skippy jeopardizes the security of Bitcoin hardware wallets. Discovered by Robin Linus, Lloyd Fournier, and Nick Farrow, this method allows a hacker to steal the seed phrase of a hardware wallet by hiding it within the signatures of Bitcoin transactions.
How the attack works
The attack is based on the use of malicious firmware that alters the standard process of signing Bitcoin transactions.
- The hacker installs malicious firmware on the victim’s hardware wallet.
- When the user makes a transaction, the firmware hides the first part of the seed phrase in the transaction signature.
- With just two transactions, the entire seed phrase can be reconstructed by the attacker.
- The hacker can thus gain complete control of the wallet and steal the funds.
Although the attack does not represent a new vulnerability, Dark Skippy exploits this weakness more efficiently: only two transactions are needed to completely compromise the victim’s wallet. In the past, it was thought that many more transactions were necessary.
The attack exploits a technical element called a “nonce”, which is used in transaction signatures. Hardware wallets generate one of these random values every time they sign a Bitcoin transaction.
Through the malicious firmware, Dark Skippy makes the nonce predictable, allowing secret information to be hidden in the transaction signature. The attacker can then monitor the blockchain to find transactions with a specific watermark that reveals the presence of embedded data.
Using algorithms such as Pollard’s Kangaroo, the attacker can retrieve the predictable nonces from public signature data, subsequently reconstructing the seed and gaining control over the wallet. Pollard’s Kangaroo algorithm is a useful tool in cryptography for solving problems related to discrete logarithms, but it can also be used in attack contexts to compromise the security of cryptographic systems.
As stated in the official disclosure, Dark Skippy does not affect hardware wallets that use a multi-sig setup.
Possible countermeasures
To defend against this type of attack, hardware wallet users should:
- Use only official and updated firmware.
- Purchase hardware wallets only from reliable vendors.
- Consider using multi-sig wallets for increased security.
Regarding hardware wallet manufacturers, possible mitigations include implementing anti-exfil protocols, which can help prevent unauthorized leakage of secret data from the hardware device. To date, BitBox and Blockstream Jade are the only two hardware wallets that have implemented anti-exfil.
Community reactions
Among the various reactions to the news, some Bitcoin developers immediately allayed concerns, stating that this type of attack has been known for some time.
Stadicus from BitBox commented:
The developer Matt Corallo stated: