Today we disclose Dark Skippy - a powerful new method for a malicious signing device to leak secret keys. With a modified signing function, a device can efficiently and covertly exfiltrate a master secret seed by embedding it within transaction signatures.

https://darkskippy.com/demo.mp4

If an attacker manages to corrupt a signing device, Dark Skippy can deliberately use weak & low entropy secret nonces to embed chunks of the seed words into transaction signatures. It takes just two input signatures to leak a 12 word seedphrase onto the Bitcoin blockchain. The attacker can watch on-chain until they spot an affected transaction, unblind and invert the low entropy nonces using an algorithm like Pollard's Kangaroo algorithm to learn the master secret seed. Then the attacker can wait and steal the funds whenever they decide best.

Despite this attack vector not being new, we believe that Dark Skippy is now the best-in-class attack for malicious signing devices.

- The attack is impractical to detect
- Requires no additional communication channels
- Effective on stateless devices
- Exfils master secret

Beyond ensuring your device firmware is genuine and honest (opensource), mitigations include anti-exfil signing protocols and we present some new ideas for additions to PSBT specifications to disrupt this attack. We encourage mitigation discussion and implementation exploration.

This attack highlights the importance of verifying and securing your device's firmware, and the danger of sharing stateless signing devices with other people.

We will be publicly releasing our code later this year.

Authors: @llfourn (follow him so he gets onto nostr), Robin Linus, and myself.

If you have any concerns or questions we recommend checking out the FAQ page on our website: https://darkskippy.com
Ooof that's scary
Great work demonstrating this attack! The BitBox02 was actually the first wallet to fix this: https://bitbox.swiss/blog/anti-klepto-explained-protection-against-leaking-private-keys/
I remember listening to Stadicus on a podcast right when the BitBox02 came out (was still quite a noob), explaining their approach to privacy and being fully open source - and I know this is the only HWW I'd trust. Never looked back since 🤙
Low IQ Boomer here... I like my BitBox02, but I prefer to use it on Sparrow Wallet. From reading the "Mitigations", I gather that the exfiltration threat can only be avoided by using the BitBox app. Is this correct?
It works with Sparrow as well, as it's part of our HWI integration!
Sorry if I'm being dumb here; but what do you mean by "it works"? I know the device works w/Sparrow Wallet; but does the protection against this darkskippy threat work on Sparrow as well as on the BitBox app?
Why are you using a nostr:nprofile1qqs09jtvjlmyrxjn37zv70a89csegcz7rpyqjmnw29cveedhv7vagqqpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhssu7403 and not another hw wallet in your video demonstration? That sucks... nostr:nprofile1qqs09jtvjlmyrxjn37zv70a89csegcz7rpyqjmnw29cveedhv7vagqqpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhssu7403 has nothing to do with your point and you did not even make a clarification here. Very unfair and probably done on purpose.
How many transactions would it take to hack a 24 word seed phrase? Would a passphrase offer protection?
See FAQ: https://darkskippy.com/faq.html 24 words needs twice as many signatures as 12. 24 words with strong passphrase needs twice as many as 24 words without one.
or use a wallet descriptor like core does
In that case the attack could simply exfiltrate the master xpriv
Yes, but xpriv seems to me better than seed words
As with anything, it's important to verify the PGP signature when installing firmware and updates. The only way you get hacked after doing that is if the maintainers' PGP key is compromised. Am I correct in my thinking? nostr:nevent1qqsp76e87v9cl8re47sljhn8ex9helc7nrry42t6sl3aywpqaz3wfyspzamhxue69uhky6t5vdhkjmn9wgh8xmmrd9skctczyzgah2ulvfnqa9f9sjqd9uk07mw0mdgn729gt7j0k40wnya9k35qjqcyqqqqqqg8q5dza
Since the launch of Jade in 2021, the anti-exfil protocol has safeguarded our hardware wallet users from the devastating and undetectable attacks demonstrated by the recent Dark Skippy disclosure. nostr:note1ra4j0uct37w8ntapl90x0jvt0nl3axxxf25h4plr6guzp69zujfqjgk7md

Jade users can learn more about how anti-exfil stops malicious key extraction in the original blog post by the director of Blockstream Research Andrew Poelstra. https://blog.blockstream.com/anti-exfil-stopping-key-exfiltration

Visit store.blockstream.com and use the code DARKSKIPPY for 10% off if you think it’s time that you got your hands on an open-source Bitcoin hardware wallet that is resilient to this class of attack. Code valid until midnight August 9th.

https://image.nostr.build/04d915a06df35d0370071a870166520fcb97988930c653b9f34f05adcd070802.gif
This is scary. Are the latest @Foundation devices (passport batch 2) spared from this running the latest firmware?
👇👇😳😳😳👇👇 nostr:nevent1qqsp76e87v9cl8re47sljhn8ex9helc7nrry42t6sl3aywpqaz3wfyspzamhxue69uhkzarvv9ejumn0wd68ytnvv9hxgtczyzgah2ulvfnqa9f9sjqd9uk07mw0mdgn729gt7j0k40wnya9k35qjqcyqqqqqqgj4krrr
new fear unlocked.
Great research and security disclosure by @nick @llfourn and Robin Linus. Here's what you need to know about the "Dark Skippy" vulnerability:

1. Hardware signing devices insert random values called 'nonces' every time they sign Bitcoin transactions.
2. Weak nonces (values that are not sufficiently random) can allow an attacker to mathematically brute-force the private key from the signatures alone, just by analyzing transactions on the public blockchain. This is a well-known class of attack. "Dark Skippy" is a new technique which makes it easier to grind the private key from weak nonces.

What are the conditions required for the attack?

The attack requires either:

1. Loading malicious firmware onto the device, which generates weak nonces.
2. A bug in the vendor's official firmware that produces weak nonces.

How do I protect myself from this type of attack?

1. Order hardware signing devices straight from the vendors, if possible. The more direct, the lower the likelihood of tampering.
2. Use hardware vendors that have tamper-resistant mechanisms in place, such as tamper-evident sealed bags, firmware attestation, etc.
3. Use hardware where you can easily verify the integrity of the source firmware and its updates.
4. Use hardware that follows security standards in generating nonces. One such standard is RFC6979 (deterministic nonces).
5. Verify the authenticity of the firmware every time you upgrade. (Tip: bookmark the vendor website to avoid phishing).
6. Avoid updating firmware unless you absolutely have to. Use another device if you want to experiment with firmware features that you don't actually need for your main stash.
7. Use multisig, preferably multi-vendor multisig. This alone significantly increases the difficulty of executing the attack.

Multisig versus Anti-exfil

You might have heard that "anti-exfil" is a way to prevent the above attack. In short, anti-exfil describes a security technique which combines entropy from the hardware signing device with entropy from a SECOND DEVICE (typically the host of the companion software wallet) to generate the nonces.

However, there are 2 downsides to this approach. First, there is currently no anti-exfil standard, so you'd have to trust that the vendors implement anti-exfil correctly. Secondly, since anti-exfil changes the way a signature is generated, i.e., asking for a nonce from a second device for every single transaction, it is not compatible with the way most Bitcoin wallets work today, and therefore introduces a UI/UX challenge.

Until anti-exfil has a well-defined standard and wider wallet compatibility, we recommend multisig as the more practical approach. Fundamentally, multisig achieves the same goal as anti-exfil: it also requires entropy from a second device to authorize each Bitcoin transaction. Multisig can also add entropy from more than just 2 devices, if you so choose (3-of-5 multisig, for example). Last but not least, multisig has been used for 10+ years in Bitcoin, battle-tested (securing hundreds of billions worth of Bitcoin), and at this point has been very well standardized (PSBT, BSMS, Output Descriptors, to name a few standards). Hence, use multisig if you are concerned about Dark Skippy.

In conclusion, while the "Dark Skippy" vulnerability highlights potential risks in hardware signing devices, users can significantly mitigate these risks by following best practices in device procurement and usage, and by implementing multisig setups. Stay informed, verify your devices and firmware, and consider multisig for enhanced security of your Bitcoin holdings.

P.S. A common question is: “Does adding a passphrase to my seed phrase protect me against Dark Skippy and similar types of attacks?” The answer is no. Since nonce-based key grinding works against the master private key, not the seed phrase, adding a passphrase will NOT protect you against this class of attack.

nostr:note1ra4j0uct37w8ntapl90x0jvt0nl3axxxf25h4plr6guzp69zujfqjgk7md
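The anti-exfil idea that both the disclosure post (as a mitigation) and the explainer above (device entropy combined with host entropy) refer to, written out as an added toy implementation. This is not code from the Dark Skippy authors, BitBox, Blockstream or any other vendor, and it is not the ECDSA variant those products ship. The protocol shape is assumed: the host commits to random entropy t, the device commits to a nonce point R0 before it learns t, the host reveals t, the device signs with nonce k0 + H(R0 || t), and the host checks that the signature's R equals R0 + H(R0 || t)·G. Because the device fixed R0 before seeing t, it can no longer steer the final nonce, and a device that ignores t is caught by the host check even though its signature still verifies. The secp256k1 arithmetic is pure Python, the Schnorr scheme is simplified (no BIP340 tagged hashes or even-y normalization, so it is not BIP340-compatible), and the `Device`, `MaliciousDevice` and `host_sign` names are this example's own.

```python
"""Toy anti-exfil nonce exchange over secp256k1 (added illustration; not the
Dark Skippy authors' code nor any vendor firmware). Assumed protocol shape:
  1. host picks entropy t, sends commitment H(t)
  2. device picks k0, replies R0 = k0*G (committed before it learns t)
  3. host reveals t; device checks H(t), sets k = k0 + H(R0 || t), signs
  4. host checks R == R0 + H(R0 || t)*G, so the device could not pick k freely
Simplified Schnorr: no BIP340 tags or even-y rule, so not BIP340-compatible."""
import hashlib
import secrets

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):
    """Affine secp256k1 point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def point_mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def encode(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def sha256(data):
    return hashlib.sha256(data).digest()

def h_int(*parts):
    """Hash of the concatenated parts, reduced into the scalar field."""
    return int.from_bytes(sha256(b"".join(parts)), "big") % N

def schnorr_verify(pub, msg, sig):
    R, s = sig
    e = h_int(encode(R), encode(pub), msg)
    return point_mul(s, G) == point_add(R, point_mul(e, pub))

class Device:
    """Honest signer: its nonce is bound to host entropy it sees only after committing."""
    def __init__(self, secret):
        self.x = secret
        self.pub = point_mul(secret, G)
        self.k0 = None
        self.host_commit = None

    def step1_commit_nonce(self, host_commit):
        self.host_commit = host_commit
        self.k0 = secrets.randbelow(N - 1) + 1
        return point_mul(self.k0, G)  # R0, fixed before t is known

    def nonce(self, t):
        R0 = point_mul(self.k0, G)
        return (self.k0 + h_int(encode(R0), t)) % N

    def step2_sign(self, msg, t):
        if sha256(t) != self.host_commit:
            raise ValueError("host entropy does not open the commitment")
        k = self.nonce(t)
        R = point_mul(k, G)
        e = h_int(encode(R), encode(self.pub), msg)
        return (R, (k + e * self.x) % N)

class MaliciousDevice(Device):
    """Models firmware that ignores host entropy and uses a nonce of its own choosing."""
    def nonce(self, t):
        return self.k0  # drops the H(R0 || t) tweak; the host check below catches this

def host_sign(device, msg):
    """Host side. Returns (signature, nonce_bound_to_host_entropy, signature_valid)."""
    t = secrets.token_bytes(32)                 # host's entropy contribution
    R0 = device.step1_commit_nonce(sha256(t))   # device commits before seeing t
    R, s = device.step2_sign(msg, t)            # host reveals t, device signs
    expected_R = point_add(R0, point_mul(h_int(encode(R0), t), G))
    return (R, s), R == expected_R, schnorr_verify(device.pub, msg, (R, s))

if __name__ == "__main__":
    msg = sha256(b"constructed transaction digest")  # constructed sample input
    x = secrets.randbelow(N - 1) + 1
    for dev in (Device(x), MaliciousDevice(x)):
        sig, bound, valid = host_sign(dev, msg)
        print(type(dev).__name__, "signature valid:", valid, "host check passed:", bound)
```

Running it shows the honest device passing both checks and the malicious device producing a signature that verifies but fails the host's nonce check, which is the detection property anti-exfil adds. The host check is what removes the device's freedom to choose the nonce; the rest of the signing flow is unchanged, which is why the explainer's point about wallet compatibility is a protocol-plumbing question rather than a cryptographic one.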
Ah jeez… #terrible-but-great