Slashdot Mirror

← Back to Stories (view on slashdot.org)

Network Hijacker Steals $83,000 In Bitcoin

Posted by Unknown on from the rerouting-the-internet-for-fun-and-profit dept.

An anonymous reader writes with news that bogus BGP announcements can be used to hijack work done by cryptocurrency mining pools. Quoting El Reg: Researchers at Dell's SecureWorks Counter Threat Unit (CTU) have identified an exploit that can be used to steal cryptocurrency from mining pools — and they claim that at least one unknown miscreant has already used the technique to pilfer tens of thousands of dollars in digital cash. The heist was achieved by using bogus Border Gateway Protocol (BGP) broadcasts to hijack networks belonging to multiple large hosting companies, including Amazon, Digital Ocean, and OVH, among others. After sending the fake BGP updates miners unknowingly contributed work to the attackers' pools.

19 of 101 comments (clear)

  1. Where is the validation? by jbmartin6 · · Score: 4, Informative

    Apparently he was able to spoof some control messages to the miners since their only validation was IP address. It is an interesting question: since they should have known about this BGP vulnerability which has been used before, why didn't their minerserver communication have stronger validation? The answer would be, I think, that they didn't bother since it happens so rarely. Probably from now on they will start using another layer of validation. Yet another example of how security happens in the real world: it doesn't get used until the pain gets bad enough.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    1. Re:Where is the validation? by fistfullast33l · · Score: 2, Insightful

      Really, this sounds like the miner's fault for not realizing it earlier. My pools have an app that updates me in realtime what they see as my balance and my hash rate. If you've been re-directed to an invalid pool, you'd think your hash rate and earnings would drop to 0 over time and you'd pick up on that and try to correct the issue. I would probably notice within 15 minutes if this happened.

    2. Re:Where is the validation? by Anonymous Coward · · Score: 2, Interesting

      Really, this sounds like the miner's fault for not realizing it earlier. .

      Erm, no.

      When somebody impersonates an authority figure so they can steal things, it's the fault of the robber, for stealing shit, not the fault of the person for not checking their ID.

  2. That's okay.... by Rick+Zeman · · Score: 2, Insightful

    ...Bitcoins are like money in real banks and are insured. No harm to the victim.

    Oh wait....

    1. Re:That's okay.... by tomhath · · Score: 4, Funny

      Still not a problem. We have been told repeatedly that they have no intrinsic value. So the joke is on the hilacker

    2. Re:That's okay.... by cshark · · Score: 2, Informative

      If you stored Bitcoin in a bank, it would be insured, and there wouldn't be an issue. This isn't even about wallets or banks or credit. This time, it's about a bug in the protocol. Every bug discovered makes the system stronger. Sucks that miners are losing money, but the discovery is good news in the long run. Compare this with the banking system. When a bug is discovered, it takes years to get fixed, millions, sometimes billions of dollars are lost. The process is onerous and intrusive, often resulting in less privacy or harder laws that don't actually address the root cause of the problem. A problem surfaces in Bitcoin world, at worst you're going to have to wait a week before the wallets or miners are patched. What was that you were saying about harm again?

      --

      This signature has Super Cow Powers

    3. Re:That's okay.... by ShanghaiBill · · Score: 2

      If there was no FDIC some smart person would start a private insurance agency and sell stickers to the banks that tell customers they are protected.

      Except that, until 1933, there was no FDIC, and your scenario didn't happen. Instead, we had bank runs.

    4. Re:That's okay.... by ultranova · · Score: 4, Insightful

      My tax money

      Tax money is not yours, it's a payment for partaking in civilization which, after all, requires a lot of human effort to upkeep.

      I think this is the problem with most libertarians: you've been surrounded by the invisible support systems of society all your life, so you mistake them for something that occurs naturally, like sunlight. Thus when you're required to pull your weight and help maintain these systems, you see this as an egregious violation of your property rights, completely oblivious to the fact that property is an artificial construct built and maintained by them in the first place. And everyone else, of course, sees a freeloader who's arrogant enough to be insulted by the very idea of having to chip in.

      The world does not owe you unpaid servitude. You will never get things like property rights or a monetary system without having to pay for them. Nor can you pay only for things that directly benefit you, because that leads to a tragedy of the commons where everyone argues why someone else should pay for every single system and the end result is that no one pays for anything, and society collapses.

      I doubt that you'll stop playing a victim because you've been told polish some of the tiles on the streets of gold you walk on every now and then, but this is why you aren't being taken seriously outside the lunatic fringe.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  3. So? by dbIII · · Score: 3, Interesting

    It's a blockchain. It's know what portions were stolen. Send a message out to all people involved in this scheme to not accept them.
    Oh right - that would undermine the illusion of "freedom".

    At least this weeks compulsory Bitcoin story is sort of amusing.

  4. ISP Failure, not Application Failure by Geekenstein · · Score: 4, Insightful

    This trick is as old as it gets. BGP will accept a more specific route as superior to a more general route, and there is no authentication in the exchange. The flaw here is the upstream providers involved did not properly filter the routing announcements allowed from this attacker, and instead let them announce net blocks that were not their own, then intercept the traffic to those net blocks.

    In other words, nothing to see here, move along.

  5. How did people not notice this early? by timrod · · Score: 2

    From what the article says, this hijack went on for months without anyone noticing, and only came to attention because one guy happened to notice that his mining client was connecting to the hijacker's pool server. The first person to notice it did so on March 22nd, when the hack had been running since at least early February. My question is, why didn't people notice their profits vanishing in the month before the first person reported it?

    1. Re:How did people not notice this early? by grnbrg · · Score: 3, Informative

      I got hit April 25th with this. I noticed within an hour, and it took me about an hour to determine that my connection to the pool had been spoofed, and my miners redirected to the attackers pool. I had no idea at the time *how* it was done.

      My mining software was a couple of months old at the time, and the latest version would ignore such redirect requests. I updated and continued on, having lost maybe 2 hours of mining.

      The redirect comes from that fact that the "Stratum" protocol used by many minors to request work from the pools was originally designed as a wallet to blockchain server protocol. Under that use case, it makes sense that the server might suggest to a (wallet) client that they use another server.

  6. Only $83,000? by scuzzlebutt · · Score: 2

    Piker. Should have applied himself.

    --
    In C++, your friends can see your privates.
  7. Sigh by jd · · Score: 3, Insightful

    I've been pointing out the risks of router poisoning for, what, 17 years now.

    Ever since the NSA started demonstrating router poisoning, it was only a matter of time before even the script kiddies figured it out.

    I've been pointing out that the current rash of cryptocurrencies have excessive reliance on trust for the past year.

    This sort of attack was inevitable. Bitcoin can plead semi-innocence because strong authentication is counter to strong anonymity. However, no router on the Internet should accept rogue announcements - even from three letter agencies - or accept unauthorized changes to the running configuration or active router tables.

    MITM attacks are exceptionally dangerous and the hazards can only get worse.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  8. So really bitcoin is incidental by DarkOx · · Score: 4, Informative

    So what we have here are two problems.

    One lack of authentication for the miners with the pools. Something a few SSL on the servers and wrapping those sockets calls with openSSL would make the route hijacking ineffective for stealing mining resources.

    So there is a lesson in this whatever it is you are doing on the internet if you care AT ALL about it you should be using SSL and checking certs, (Looking at your slashdot) sure there are tons of problems as weaknesses in SSL but until something better comes along its beats the hell out of clear text with no authentication what so ever.

    Two BGP needs to be replaced or updated to support much stronger authentication and the network operators need to just push getting it done, even if it means telling customers we can't / won't peer with you and neither will anyone else unless you get you routers and or software update to do this. If they stick together in it there should be no trouble getting that done.

    Stealing some computer cycles used to generate bit coins is probably among the least real harm someone with access to advertise bogus routes in BGP could do; and lots of people are in a position to do that. We should be thankful its only a little money these guys were making off with. The Internet has gotten to big for the network operators to just relay on everyone playing nice and being good citizens, We need some stronger technical controls put in place and regular auditing beyound well nobody has complained on NANOG.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  9. Bah ... by gstoddart · · Score: 2, Insightful

    You say unknown miscreant.

    On Wall Street they're simply called "staff".

    Frankly, I see little difference between stealing BitCoins from a mining pool and High Frequency Trading. And that's perfectly legal.

    --
    Lost at C:>. Found at C.
    1. Re:Bah ... by disposable60 · · Score: 2

      Tomayto, tomahto.

      The Capitalist applies capital to the highly profitable enterprise of getting legislation bent to his favor and prosecution bent to disfavor his competitors. How SCOTUS doesn't think that's corruption boggles what's left of my mind.

      --
      You're looking for quotes? See my journal.
    2. Re:Bah ... by gstoddart · · Score: 2

      That is called corruption, not capitalism.

      No, it's pretty much inherent.

      The people who make the assumption that people aren't inherently corrupt and won't game the system are either stupid, or lying to you.

      In its modern form, the corruption is built right in.

      --
      Lost at C:>. Found at C.
  10. This is *NOT* hilarious ! by Taco+Cowboy · · Score: 5, Insightful

    The use of bogus BGP to treat networks into believing that it is connecting to a legitimate network instead of having its own network stream being hijacked can be used for much more than mere Bitcoin snatching

    It can also be used to "branch out" legitimate net traffic to some listening posts (something NSA and all other spy agencies like to do) and thus, further compromise the legitimacy of the network itself - and the loss of privacy / data / whatever that the data stream happen to contain

    This is a serious threat !

    --
    Muchas Gracias, Señor Edward Snowden !