Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security of Bitcoin light wallets (aka SPV)

Renaud Lifchitz
September 09, 2017
Research
0
420

Security of Bitcoin light wallets (aka SPV)

This talk introduces the internals of Bitcoin light wallets
and draws up a state-of-the-art of the security of Bitcoin light wallets (SPV, aka "Simplified Payment Verification"). It details the possible vulnerabilities, attacks and countermeasures dealing with current applicative and network implementations.

Renaud Lifchitz

September 09, 2017
Tweet

More Decks by Renaud Lifchitz

See All by Renaud Lifchitz
Les mots de passe sont-ils obsolètes? Les alternatives pour un avenir sécurisé
rlifchitz
0
37
Bitcoin Lightning Network en pratique (v2)
rlifchitz
0
290
Blockchains dans la cybersécurité et cybersécurité des blockchains
rlifchitz
0
390
Bitcoin Lightning Network en pratique
rlifchitz
0
100
Cybersecurity Uses of Blockchains
rlifchitz
0
160
Age post-quantique : quels sont les risques, comment se préparer ?
rlifchitz
0
210
Debunking fake USB flash drives
rlifchitz
0
800
DIY DNA OSINT! or... how to enhance your social engineering skills using recent genomics
rlifchitz
0
1.2k
Ordinateurs quantiques et futur de la sécurité
rlifchitz
0
700

Other Decks in Research

See All in Research
Source Code Diff Revolution (JetBrains Open Reading Club)
tsantalis
0
300
媒介分析と疫学
kingqwert
0
130
Azure Arc-enabled Serversを利用した ハイブリッド・マルチクラウド環境の管理 / Managing Hybrid Multi-cloud Environments with Azure Arc-enabled Servers
nttcom
0
220
Accurate Method and Variable Tracking in Commit History
tsantalis
0
290
Prompt Tuning から Fine Tuning への移行時期推定
icoxfog417
17
7.2k
20240209 データを肴に熊本の交通を考える会「車1割削減、渋滞半減、公共交通2倍」をめざし世界に学ぼう
trafficbrain
0
900
フルリモートワークでのスクラムのスケール
kmorita1111
2
1k
プロシェアリング白書2024_PROSHARING_REPORT_2024
circulation
0
750
CASCON 2023 Most Influential Paper Award Talk
tsantalis
0
130
ICLR2024 LLMエージェントの研究動向
masatoto
8
3.6k
Breaking Tradeoffs: Extremely Scalable Multi-Agent Pathfinding Algorithms
kei18
0
150
F0に基づいて伸縮された画像文字からの音声合成 [ASJ2024春]
nehi0615
0
130

Featured

See All Featured
Reflections from 52 weeks, 52 projects
jeffersonlam
345
19k
Side Projects
sachag
451
41k
KATA
mclloyd
16
12k
Faster Mobile Websites
deanohume
300
30k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
20
1.8k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
21
1.6k
How To Stay Up To Date on Web Technology
chriscoyier
782
250k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
14
1.5k
What's in a price? How to price your products and services
michaelherold
238
11k
10 Git Anti Patterns You Should be Aware of
lemiorhan
649
58k
Done Done
chrislema
178
15k
Six Lessons from altMBA
skipperchong
22
3k

Transcript

  1. Security of Bitcoin light wallets (aka SPV) Renaud Lifchitz September

    9th, 2017

  2. Security of Bitcoin light wallets - September, 9th 2017 -

    Renaud Lifchitz 2 Speaker’s bio • Senior security expert working @ Econocom Digital Security (https://www.digitalsecurity.fr/en/) • Main interests: – Security of protocols – Wireless protocols – Cryptography – Blockchain! • Bitcoin & Ethereum developper & enthusiast • Public presentations: https://speakerdeck.com/rlifchitz • Twitter: @nono2357

  3. Security of Bitcoin light wallets - September, 9th 2017 -

    Renaud Lifchitz 3 What are light wallets? • Light wallets = lightweight clients = thin clients • A kind of wallet that doesn’t need to download the full blockchain to work • SPV (Simplified Payment Verification): – Most light wallets use SPV – SPV suggested in original Bitcoin paper: https://bitcoin.org/bitcoin.pdf – Use of all block headers and tx count to know if a transaction was already included in the blockchain (only ~ 4.2 Mb/year) – Use of Bloom filters to request&match its own transactions

  4. Security of Bitcoin light wallets - September, 9th 2017 -

    Renaud Lifchitz 4 What are light wallets? Source: https://eprint.iacr.org/2014/763.pdf

  5. Security of Bitcoin light wallets - September, 9th 2017 -

    Renaud Lifchitz 5 Bloom filters • Space-efficient data structure • Used to test whether an element is a member of a set without storing the full set • Probabilistic but... no false negative! (only few false positive) • Used in SPV to know what transactions can be related to some user’s addresses

  6. Security of Bitcoin light wallets - September, 9th 2017 -

    Renaud Lifchitz 6 Bitcoin light wallets examples • Most smartphone wallets... for performance reasons • Jaxx: https://jaxx.io/ • Electrum: https://electrum.org/

  7. Security of Bitcoin light wallets - September, 9th 2017 -

    Renaud Lifchitz 7 Peer discovery • Needed to connect to full nodes to: – Download block headers – Submit Bloom filters – Download specific transactions • Possibilities to bootstrap the discovery: – Hardcoded list of nodes – Use of DNS seeds • Sensitive because an attacker can set up malicious nodes • Sybil attacks: if an attacker is able to set up a lot of malicious nodes, the victim will probably pick one of them...

  8. Security of Bitcoin light wallets - September, 9th 2017 -

    Renaud Lifchitz 8 Peer discovery – DNS seeds $ host seed.bitcoin.sipa.be seed.bitcoin.sipa.be has address 83.149.125.79 seed.bitcoin.sipa.be has address 150.140.188.181 (... 21 other IPv4 hosts ...) seed.bitcoin.sipa.be has address 104.199.142.247 seed.bitcoin.sipa.be has address 37.120.174.32 seed.bitcoin.sipa.be has IPv6 address 2607:5300:204:40f1:: seed.bitcoin.sipa.be has IPv6 address 2001:0:9d38:90d7:3858:553f:92ce:18b8 (... 11 other IPv6 hosts ...) seed.bitcoin.sipa.be has IPv6 address 2001:0:4137:9e76:24f9:302a:4d39:ee08 seed.bitcoin.sipa.be has IPv6 address 2001:0:9d38:6ab8:18c2:3a46:a1ec:987c $ host seed.bitcoin.sipa.be seed.bitcoin.sipa.be has address 37.120.174.32 seed.bitcoin.sipa.be has address 104.199.142.247 (... 21 other IPv4 hosts ...) seed.bitcoin.sipa.be has address 150.140.188.181 seed.bitcoin.sipa.be has address 83.149.125.79 seed.bitcoin.sipa.be has IPv6 address 2001:0:9d38:6ab8:18c2:3a46:a1ec:987c seed.bitcoin.sipa.be has IPv6 address 2001:0:4137:9e76:24f9:302a:4d39:ee08 (... 11 other IPv6 hosts ...) seed.bitcoin.sipa.be has IPv6 address 2001:0:9d38:90d7:3858:553f:92ce:18b8 seed.bitcoin.sipa.be has IPv6 address 2607:5300:204:40f1:: DNS seeds are predictable because of DNS Round-Robin!

  9. Security of Bitcoin light wallets - September, 9th 2017 -

    Renaud Lifchitz 9 Typology of possible attacks • An attacker might: – Spoof some full nodes – Block some SPV requests – Spoof some SPV requests – Sniff some SPV requests – Block some SPV answers • But spoofing full answers shouldn’t be possible because of transactions hash verification • IMHO, most possible attacks are LAN attacks against SPV user or full Bitcoin node

  10. Security of Bitcoin light wallets - September, 9th 2017 -

    Renaud Lifchitz 10 Local network (LAN) attacks • If the attacker is on the same local network as the victim: – Prevent any (full or light) node from working (denial of service) – Spoof any node request/response – Spoof any unprotected request (HTTP) to a Bitcoin explorer API or web site

  11. Security of Bitcoin light wallets - September, 9th 2017 -

    Renaud Lifchitz 11 Local network (LAN) attacks • A lot of techniques can be used: – ARP cache spoofing/poisoning – DNS cache spoofing/poisoning – DHCP spoofing – ICMP redirect – MAC flooding

  12. Security of Bitcoin light wallets - September, 9th 2017 -

    Renaud Lifchitz 12 Privacy issues • SPV queries can be quite easily sniffed • An attacker might associate user IP address, submitted Bloom filters and downloaded transactions to know all addresses of a given user • See “On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients” (by Gervais et al.): https://eprint.iacr.org/2014/763.pdf

  13. Security of Bitcoin light wallets - September, 9th 2017 -

    Renaud Lifchitz 13 Summary of possible impacts • An attacker can: – Known (nearly) all victim’s Bitcoin addresses (or a superset of them) – Associate user IP, addresses, and owner together – Prevent the user to use SPV by blocking the network (denial of service) – Prevent any outgoing transaction from being broadcasted → the victim cannot spend bitcoins – Prevent any ingoing transaction from being seen → the victim cannot see earnings/incoming transactions – Spoof unprotected requests to API/web sites → create arbitrary fake transactions

  14. Security of Bitcoin light wallets - September, 9th 2017 -

    Renaud Lifchitz 14 My recommendations about SPV • To make an attack more difficult: – Use a VPN, or better a VPN connection to your own full Bitcoin node – Don’t directly use hardcoded nodes or DNS seeds (but use their direct or indirect neighbors) – Don’t use a precise Bloom filter – Cross-check with requests to a clean blockchain explorer API (HTTPS only, public CA, use of CRL) : tx count, balance, ...

  15. Security of Bitcoin light wallets - September, 9th 2017 -

    Renaud Lifchitz 15 Thank you! Any questions? BTC: 1GfztUeyrt3ewxdCHXNr58SPaidUrswoJj @nono2357