Hacker Redirects Traffic From 19 Internet Providers to Steal Bitcoins - muneeb
http://www.wired.com/2014/08/isp-bitcoin-theft/

======
mrb
I work in InfoSec and it is mind-boggling to see the sophistication levels of
some of the Bitcoin heists, like this BGP incident. When was the last time you
saw a BGP attack? 99.9% of real-world attacks don't even bother targeting
such a core routing service. Another example: in March 2012, internal Linode
management infrastructure was compromised to steal 47k BTC:
[http://blog.zorinaq.com/?e=67](http://blog.zorinaq.com/?e=67)
[http://www.theregister.co.uk/2012/03/02/linode_bitcoin_heist...](http://www.theregister.co.uk/2012/03/02/linode_bitcoin_heist/)
This means attackers had effectively root access to any Linode customer's
VM! When was the last time you saw an entire cloud provider environment being
compromised?

I like to see it as ISPs and cloud providers increasing their security and
patching vulnerabilities thanks to Bitcoin's growing adoption :)

~~~
blazespin
It's a fundamental problem with bitcoin in that it hugely incentivizes
computer hacking. The more widespread bitcoin and blockchain becomes, the
greater the incentive. There will be a lot of collateral damage from all this.

~~~
arjunnarayan
The great thing about this is it that it puts a floor on the bounty on all
network bugs. Since we know that lots of national security folks are regularly
exploiting various bugs for their own purposes, this means that the internet
will be significantly improved. I see it as a bonus.

~~~
ritchiea
The unfortunate thing about this is a lot of people are going to lose a lot of
money before either 1. Mainstream web security catches up to the cleverness of
the bitcoin hackers or 2. People lose faith in bitcoin because the internet is
generally not secure enough to support it.

~~~
altoz
Lots of money has been lost in other security breaches, oftentimes with much
worse consequences because the data is centralized. This hasn't stopped people
from shopping at Target for instance.

The nice thing is, security breaches in a decentralized network like bitcoin
serve to make the entire network anti-fragile. There's a huge incentive for
people with bitcoin to secure their own bitcoins against known exploits and
hence make that exploit null while inevitably protecting against similar class
exploits.

~~~
xcubed
The difference is that with the Target breach, people knew that they would get
their credit card $$ back.

~~~
CalRobert
But the way this is implemented is "credit card companies will take 3% of
every transaction they perform, and then give back a very small portion of
that to counteract fraud". The power we give these organizations - basically a
3% tax on every transaction - is mind boggling.

~~~
pjc50
Compared to the spread and inconvenience on $ -> bitcoin -> $ transactions,
that's quite cheap.

Keeping bitcoin online enough for convenient transactions carries the small
but important risk of losing your entire wallet.

~~~
CalRobert
True, and there are benefits you get for that 3% (rental car insurance,
reduced cost of a mugging, etc. etc.) but I still wonder if cash (not
necessarily bitcoin) would be better for the system as a whole for everyday
purchases.

~~~
dmm
Keep in mind that cash has costs too. It has to be counted and secured. You
have to hire a security company to pick up deposits and most banks charge for
cash deposits over a certain amount.

------
kmod
The finger-pointing at BGP is a red herring: the problem is that the stratum
protocol has zero authentication. If you can intercept those streams, you can
trivially ask anyone to start mining for you instead. This could also have
been done using DNS poisoning, ISP-side intercepts, or anything else in the
standard bag of tricks.
[http://blog.kevmod.com/category/bitcoin/](http://blog.kevmod.com/category/bitcoin/)

~~~
bdamm
Indeed, for bitcoin it's a solvable problem, however let's not let that
distract us from the monumental revelation that BGP hacking is so easy to do
that someone motivated by a relatively paltry reward can pull it off.

This is one aspect of bitcoin that I really like, it shows us where the
weaknesses are.

~~~
marcosdumay
You're certainly not looking, because BGP insecurity is very old news.

------
smutticus
Here is the link to the original research.

[http://www.secureworks.com/cyber-threat-intelligence/threats...](http://www.secureworks.com/cyber-threat-intelligence/threats/bgp-hijacking-for-cryptocurrency-profit/)

~~~
cgjaro
Upvote the parent!

------
mickayz
The lack of auth and encryption is only part of the problem with Stratum's
implementation. At Toorcamp 2014 I presented about the vulnerabilities
discovered when looking into common miners and their impact on the network.
More details available in the associated white paper:

[http://www.dejavusecurity.com/blog/2014/7/15/bitcoin-researc...](http://www.dejavusecurity.com/blog/2014/7/15/bitcoin-research-whitepaper-announcement)

------
0x0
Could this be prevented by adding some TLS to the mining control channels?

~~~
Filligree
Yes.

It's both hilarious and ironic that they didn't.

------
rdl
It's mind boggling to me that this wasn't done a year or two ago.

If bitcoin were genuinely anonymous (it isn't, because it's highly linkable,
even if essentially pseudonymous), it would probably be vastly more dangerous
in this way -- there would be billions of dollars spent on exploiting security
outside bitcoin++ to steal bitcoin++.

~~~
runeks
> It's mind boggling to me that this wasn't done a year or two ago.

Two years ago, obtaining the same amount of bitcoins as this attack did would
net you 1/100th the profit in dollars (bitcoins were around $6 a piece two
years ago).

I think it's likely that attackers started considering this scheme around a
year ago, when the bitcoin price shot up to $100, and the potential rewards
became sizable.

------
gluczywo
Nobody has pointed it out so far. Since it is an attack on IP routing, it
could be prevented by using SSL for the Stratum protocol used by mining pools.

~~~
fsniper
Would it? With this sophistication and latest exposures of CAs security I'm
not fully sure that TLS MITM is a remote probability.

------
driverdan
I know a number of people who got hit by this type of reconnect attack. I
suspect I may have been hit by it for short periods of time. Most of the big
altcoin pools were targeted. Soon after most miner software was modified to
disable this Stratum feature but there are still plenty of other issues with
the Stratum protocol as highlighted by other comments.
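
The reconnect abuse that kmod and driverdan describe above, as an added example that is not part of the thread or of any miner's code: a minimal Stratum client reading a line-delimited JSON-RPC stream, once honouring `client.reconnect` as the abused miners did and once with the method refused, which is the mitigation driverdan says most miner software adopted. The sample stream, the host names `pool.example` and `attacker-pool.example`, and the job fields are constructed for the example.

```python
import json
from dataclasses import dataclass, field

# Constructed line-delimited Stratum JSON-RPC stream as a miner would read it
# from its pool socket. The client.reconnect message stands in for the one an
# attacker injects once traffic to the pool has been hijacked; the host name
# "attacker-pool.example" and all other values are made up for this example.
SAMPLE_STREAM = "\n".join([
    json.dumps({"id": None, "method": "mining.set_difficulty", "params": [1024]}),
    json.dumps({"id": None, "method": "client.reconnect",
                "params": ["attacker-pool.example", 3334, 0]}),
    json.dumps({"id": None, "method": "mining.notify",
                "params": ["job-1", "prevhash...", "coinb1...", "coinb2..."]}),
]) + "\n"


@dataclass
class StratumClient:
    host: str
    port: int
    # Whether the client honours client.reconnect. True is the behaviour the
    # abused miners had; False is the mitigation the thread describes.
    allow_reconnect: bool = True
    log: list = field(default_factory=list)

    def handle_line(self, line: str) -> None:
        msg = json.loads(line)
        method = msg.get("method")
        params = msg.get("params") or []
        if method == "client.reconnect":
            self._reconnect(params)
        elif method == "mining.set_difficulty":
            self.log.append(("difficulty", params[0]))
        elif method == "mining.notify":
            self.log.append(("job", params[0]))
        else:
            self.log.append(("ignored", method))

    def _reconnect(self, params: list) -> None:
        # Stratum carries no signature or authentication on this instruction:
        # whoever can write into the stream can name any host and port.
        new_host = params[0] if len(params) > 0 else self.host
        new_port = int(params[1]) if len(params) > 1 else self.port
        if not self.allow_reconnect:
            self.log.append(("reconnect_refused", new_host, new_port))
            return
        self.host, self.port = new_host, new_port
        self.log.append(("reconnected", new_host, new_port))

    def share_target(self) -> tuple:
        """Where mining.submit (the hash power) now goes."""
        return (self.host, self.port)


def run(stream: str, allow_reconnect: bool) -> StratumClient:
    client = StratumClient("pool.example", 3333, allow_reconnect=allow_reconnect)
    for line in stream.splitlines():
        if line.strip():
            client.handle_line(line)
    return client


if __name__ == "__main__":
    print("vulnerable:", run(SAMPLE_STREAM, True).share_target())
    print("hardened:  ", run(SAMPLE_STREAM, False).share_target())
```

Refusing `client.reconnect` only closes this one door: an attacker who can hijack the route to the pool can still impersonate the pool itself on the original host and port, which is why the other commenters' point about adding TLS with a checked server identity still stands.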

------
scott_karana
Wow. Not sure why they don't name-and-shame the ISP, but that's really
ridiculous.

~~~
sergers
As a Canadian, using a Canadian ISP, I would like to know as well.

Not entirely surprised regarding rogue employee possibility.

~~~
dfox
There are two things at play here: attacker has to have access to one ISP to
inject the route (eg. rogue employee) and there has to be another ISP that
accepts such route from BGP (I would say that filtering weirdly specific
routes is good and common practice). When you have access to ISP network you
don't have to inject things into BGP to attack your own customers.

~~~
devicenull
A /24 is not a 'weirdly specific route'. I agree that the upstream should
have been filtering things, but you can't expect them to just filter out all
the /24's.

For example, Google DNS anycast would stop working:
[http://bgp.he.net/net/8.8.8.0/24](http://bgp.he.net/net/8.8.8.0/24) as would
basically anyone else doing anycast.
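
An added illustration of the filtering trade-off dfox and devicenull are arguing about, not code from the thread or from any router vendor: a blanket "drop every /24" rule beside an origin-based check in the style of an RPKI ROA table, which accepts a registered anycast /24 but rejects a more-specific announcement of someone else's space from an unauthorized AS. The ROA entries, the ASNs and the announcements are constructed for the example (the entry pairing 8.8.8.0/24 with AS 15169 is an assumption, the rest are documentation ranges); RPKI itself is not something the thread mentions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    prefix: str     # announced prefix, e.g. "8.8.8.0/24"
    origin_as: int  # AS that claims to originate it


# Constructed origin-authorization table in ROA form: (prefix, max length,
# authorized origin AS). The 8.8.8.0/24 entry is an assumption for the
# example; the other prefix is a documentation range with a made-up ASN.
ROA_TABLE = [
    ("8.8.8.0/24", 24, 15169),
    ("198.51.100.0/22", 22, 64500),
]


def naive_filter(a: Announcement) -> bool:
    """Drop every /24 or longer. Blocks the hijack, but also the anycast /24."""
    return ipaddress.ip_network(a.prefix).prefixlen < 24


def origin_validate(a: Announcement) -> str:
    """RPKI-style result: 'valid', 'invalid' or 'not_found'."""
    net = ipaddress.ip_network(a.prefix)
    covered = False
    for roa_prefix, max_len, asn in ROA_TABLE:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True
            if net.prefixlen <= max_len and a.origin_as == asn:
                return "valid"
    return "invalid" if covered else "not_found"


def origin_filter(a: Announcement) -> bool:
    """Accept unless a covering ROA says this origin or length is unauthorized."""
    return origin_validate(a) != "invalid"


# Constructed announcements: a legitimate anycast /24, a more-specific hijack
# of an authorized /22 from the wrong AS, and a /24 nobody has registered.
CASES = [
    Announcement("8.8.8.0/24", 15169),
    Announcement("198.51.100.0/24", 64501),
    Announcement("203.0.113.0/24", 64502),
]


def compare() -> dict:
    """Map each announced prefix to (naive decision, origin-based decision)."""
    return {a.prefix: (naive_filter(a), origin_filter(a)) for a in CASES}


if __name__ == "__main__":
    for prefix, (naive, origin) in compare().items():
        print(f"{prefix:18} naive={naive!s:5} origin={origin}")
```

The origin check only catches an announcement whose claimed origin AS or length is wrong; an attacker who forges the authorized origin onto the path is not caught by it, and prefixes with no ROA at all fall through as "not found" and are accepted, so it narrows the hijack surface rather than removing it.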

------
nchelluri
Link is a 404 for me.

