Dark Skippy, a recently discovered attack vector, poses a significant threat to the security of Bitcoin hardware wallets. The method allows a compromised signer to exfiltrate its master seed phrase by embedding portions into transaction signatures, requiring only two transactions to complete. Unlike previous assumptions that multiple transactions were necessary, this streamlined approach means that a single use of a compromised device can lead to a complete security breach.
The attack hinges on using malicious firmware that alters the standard signing process. Typically, signing operations use a randomly generated nonce as part of the Schnorr signature process. However, in a device compromised by Dark Skippy, the firmware instead uses deterministic, low-entropy nonces derived from the master seed. Specifically, the first half of the seed is used for one transaction and the second half for another, allowing an attacker to piece together the entire seed if they can observe both transactions.
This attack requires that the signing device be corrupted, which can occur through various means: malicious firmware could be installed by an attacker or inadvertently by a user; alternatively, attackers might distribute pre-compromised devices through supply chains. Once in place, the compromised firmware embeds secret data within public transaction signatures, effectively using the blockchain as a covert channel to leak sensitive information.
The attacker monitors the blockchain for transactions with a specific watermark that reveals the presence of the embedded data. Utilizing algorithms such as Pollard’s Kangaroo, the attacker can retrieve the low-entropy nonces from the public signature data, subsequently reconstructing the seed and gaining control over the victim’s wallet.
Although this attack vector does not represent a new fundamental vulnerability—nonce covert channels have been known and mitigated to some extent—Dark Skippy refines and exploits these vulnerabilities more efficiently than previous methods. The subtlety and efficiency of this technique make it particularly dangerous, as it can be executed without the user’s knowledge and is challenging to detect after the fact.
Robin Linus is credited with Discovering the attack and bringing attention to its potential during a Twitter discussion last year. Further investigation during a security workshop confirmed the feasibility of extracting an entire 12-word seed using minimal computational resources,…
Click Here to Read the Full Original Article at Bitcoin (BTC) News | CryptoSlate…
