There has been some major hype surrounding two security vulnerabilities called ‘Meltdown’ and ‘Spectre’, but what do we really know about them? Cyber security threats are a very serious issue in the cryptocurrency ecosystem. Both investors and firms (exchanges, wallet providers, miners, blockchain technology providers, etc.) alike are concerned about hacks and other attacks that might drain their crypto storage systems, or at least freeze them.
History shows that they have quite a few reasons not to take this issue lightly. The crypto ecosystem has seen countless DDoS attacks, breaches, hacks, clone sites and other malicious activities.
Lately, these concerns intensified after the exposure of Meltdown and Spectre. While there is no evidence of anyone taking advantage of these vulnerabilities yet, under some circumstances, they might become the industry’s nightmare. Finance Magnates sat down with Alex Heid, white hat hacker and chief research officer at SecurityScorecard – a leading cybersecurity rating and monitoring platform – to better understand this new threat.
What are Meltdown and Spectre, how do they work, and what harm can they do to crypto traders?
As of the time of writing, the Meltdown and Spectre vulnerabilities have not been observed as being exploited in the wild by malicious actors. The recent hype surrounding the disclosure of these vulnerabilities resulted from a published whitepaper and proof of concept tools released by ethical white hat researchers, who sought to prove that the legacy architectures of modern CPUs are vulnerable to specific methods of attack that they discovered and promptly reported.
These methods of attack were nicknamed Meltdown, and a similar attack was nicknamed Spectre. To emphasize an important point – these two vulnerabilities have not yet been reported as being used by attackers in the wild at the time of writing.
Does it really mean that our storage codes are vulnerable now?
No, Meltdown and Spectre have no impact on cryptocurrency private keys that are properly stashed away in cold storage. Of course, improperly stored cold wallets will always be at risk regardless of the latest emerging technical threat.
The cold storage method is still the best way to store cryptocurrency for long periods of time. Redundant copies of GPG encrypted wallets stored on multiple formats of media in multiple locations are recommended (such as USB sticks, physical paper, and/or external SSD hard drives). The use of multiple formats of encrypted media protects the user from accidental data loss due to theft, unforeseen technology changes, and other unpleasant surprises. The Bitcoin Wiki has great information on secure methods for cold storage of cryptocurrency.
So, are cold storage wallets and paper wallets safe?
Cold storage wallets and paper wallets are only as safe as the physical location they are stored in, and as safe as the hardware they are stored on.
While cold storage wallets will protect you from an online theft, it is important to make sure the wallet is encrypted even in cold storage with several copies on various media formats. If someone physically steals the USB or hard drive with an unencrypted wallet, then the attacker can make use of the coins quite easily.
However, if the attacker steals a GPG encrypted wallet file that has been secured with a complex passphrase then the data will remain safe. Multiple copies and formats create a condition of redundancy whereby if copies vanish due to theft, damage, or hardware failure.
Paper wallets are safe as long as they do not physically fall into the possession of a thief or get damaged. While paper wallets are immune from the issues of digital attacks, technology format changes and hardware failure, they are still vulnerable to physical theft, loss, and/or physical damage.
Beyond the danger to private traders, what are the perils for servers and other aggregators of crypto users?
Perhaps the biggest threat to cryptocurrency users is the misplaced trust that is placed in hosted third party wallet services, centralized exchange platforms, and ‘lightweight’ alternative third party wallets that are popular among entry level users (both software and hardware).
Many new users are averse to using the “Core” or “Node” versions of wallets, such as Bitcoin Core, because these implementations require the download of the full blockchain database, which is hundreds of gigabytes and growing. Instead, an observed trend has been for users to make use of third party software and hardware wallet solutions with the erroneous assumption that security was baked into the design of the solution. Unfortunately, many come to this incorrect conclusion based solely on word of mouth, combined with the marketing efforts of the solution provider.
For example, the Electrum wallet software series was recently reported to have had a vulnerability that gave attackers the ability to steal coins through web browser attacks and by connecting into exposed ports on IP addresses in the public internet.
It is reported this week that all Electrum users were open to attack in this way for over two years and it was not fixed until this month.
That discovery and disclosure of the Electrum wallet vulnerability has a significantly bigger impact on the security of the cryptocurrency community than the disclosures of the Meltdown and Spectre vectors, as private keys that were used with Electrum are to be considered compromised and potentially already stolen. As per the instructions of the Electrum development team, users should take steps to move their coins into a new wallet if they were on any version released before this month.
Even hardware wallets that promise to store cryptocurrency in secure cold storage have been proven to be vulnerable to attack. Specifically, the Trezor wallet was reported to have a memory dumping vulnerability that would reveal private keys to attackers who had physical access.