Friend
Professional
- Messages
- 2,670
- Reaction score
- 894
- Points
- 113
The attack allows attackers to steal private keys by infecting devices with malicious firmware.
In the world of cryptocurrencies, a serious security threat called Dark Skippy has appeared. This method allows attackers to extract secret keys from transaction signing devices, such as hardware wallets. The attack was detected in the context of devices for signing bitcoin transactions, but it can potentially be applied in other areas as well.
To implement the Dark Skippy attack, the signing device must be compromised by malicious firmware. At the time the vulnerability was discovered, no cases of using Dark Skippy in real-world conditions were recorded. However, the potential danger of an attack remains high, given its effectiveness and stealth.
The essence of the attack is the ability to modify the signature device's firmware so that it invisibly embeds parts of the secret key in transaction signatures. Previously, it was assumed that dozens of signatures were required to fully extract the secret key. However, researchers have shown that only two signatures are enough to compromise the device. A single use of a compromised hardware wallet may result in the loss of all funds.
The Dark Skippy attack process consists of several stages:
1. Signature device compromise: An attacker modifies the device's firmware. Modification can occur in three ways::
2. Using a modified signature function: Instead of the standard Schnorr scheme that uses random 32-byte nonces, the malicious firmware uses weak numbers with low entropy. The numbers represent parts of the extracted secret key. For a 12-word seed phrase (with a total size of 16 bytes), the process is divided into two parts:
3. Transaction Monitoring: The attacker scans the unconfirmed transaction pool (mempool) for signatures created by the compromised device.
4. Secret Data Extraction: When a suspicious transaction is detected, an attacker uses a special algorithm, such as Pollard's kangaroo algorithm, to recover secret nonces from public signature data.
5. Secret Key reconstruction: The reconstructed parts are combined to form the complete 16-byte device secret key, which is the entropy of a 12-word seed phrase.
The name "Dark Skippy" comes from the kangaroo Pollard algorithm used to extract secret data from signatures. "Skippy – is a reference to a kangaroo, while "Dark" highlights the stealthy nature of the attack.
More sophisticated versions of the attack may include additional measures to make detection more difficult. Attackers can use" blinding " nonces using the attacker's built-in device key. In addition, they can add "watermarks" to transactions to make it easier to identify them on the blockchain.
The Dark Skippy attack has several advantages:
Although the concept of hidden channels in one-time signature numbers has been discussed before, Dark Skippy is the most effective implementation of this idea to date.
Researchers Lloyd Fournier, Nick Farrow and Robin Linus, who discovered the vulnerability, privately reported it to about 15 different hardware manufacturers on March 8, 2024. The goal of this step is to gather feedback on the relevance of the threat within existing security models, discuss mitigation ideas, and prepare for public disclosure.
The release of the demo code of the attack is planned for about September 2024. The code will allow you to create malicious signatures, identify affected transactions in the pool of unconfirmed transactions, and decode the extracted seed phrases.
To protect against Dark Skippy, we recommend using devices that implement anti-exfil signature protocols.The researchers also offer new ideas for mitigating the impact of the attack, which require significant discussion and input from developers. Full disclosure of information about Dark Skippy, including the demo code, is planned for September 2024. This code will allow you to create malicious signatures, identify affected transactions in the mempool, and decode stolen seed words.
• Source: https://www.securitylab.ru/news/550912.php
• Source: https://darkskippy.com
• Video:
In the world of cryptocurrencies, a serious security threat called Dark Skippy has appeared. This method allows attackers to extract secret keys from transaction signing devices, such as hardware wallets. The attack was detected in the context of devices for signing bitcoin transactions, but it can potentially be applied in other areas as well.
To implement the Dark Skippy attack, the signing device must be compromised by malicious firmware. At the time the vulnerability was discovered, no cases of using Dark Skippy in real-world conditions were recorded. However, the potential danger of an attack remains high, given its effectiveness and stealth.
The essence of the attack is the ability to modify the signature device's firmware so that it invisibly embeds parts of the secret key in transaction signatures. Previously, it was assumed that dozens of signatures were required to fully extract the secret key. However, researchers have shown that only two signatures are enough to compromise the device. A single use of a compromised hardware wallet may result in the loss of all funds.
The Dark Skippy attack process consists of several stages:
1. Signature device compromise: An attacker modifies the device's firmware. Modification can occur in three ways::
- Physical interference with the device
- Deception of a user who installs malicious firmware by himself
- Introducing malicious devices to the supply chain
2. Using a modified signature function: Instead of the standard Schnorr scheme that uses random 32-byte nonces, the malicious firmware uses weak numbers with low entropy. The numbers represent parts of the extracted secret key. For a 12-word seed phrase (with a total size of 16 bytes), the process is divided into two parts:
- The first 8 bytes are used for the nonce of the first transaction entry signature
- The remaining 8 bytes are used for the nonce of the second input signature
3. Transaction Monitoring: The attacker scans the unconfirmed transaction pool (mempool) for signatures created by the compromised device.
4. Secret Data Extraction: When a suspicious transaction is detected, an attacker uses a special algorithm, such as Pollard's kangaroo algorithm, to recover secret nonces from public signature data.
5. Secret Key reconstruction: The reconstructed parts are combined to form the complete 16-byte device secret key, which is the entropy of a 12-word seed phrase.
The name "Dark Skippy" comes from the kangaroo Pollard algorithm used to extract secret data from signatures. "Skippy – is a reference to a kangaroo, while "Dark" highlights the stealthy nature of the attack.
More sophisticated versions of the attack may include additional measures to make detection more difficult. Attackers can use" blinding " nonces using the attacker's built-in device key. In addition, they can add "watermarks" to transactions to make it easier to identify them on the blockchain.
The Dark Skippy attack has several advantages:
- Stealth: It is almost impossible to detect an attack.
- No additional communication channels: data is extracted through standard transactions on the Bitcoin network.
- Performance against devices with no internal state: the attack can be performed within a single transaction with multiple inputs.
- Master key extraction: The attack allows access to the entire wallet by extracting the seed phrase.
- Impact on all users of the compromised device: even if the user generates a secure seed phrase on their own, they are still vulnerable.
Although the concept of hidden channels in one-time signature numbers has been discussed before, Dark Skippy is the most effective implementation of this idea to date.
Researchers Lloyd Fournier, Nick Farrow and Robin Linus, who discovered the vulnerability, privately reported it to about 15 different hardware manufacturers on March 8, 2024. The goal of this step is to gather feedback on the relevance of the threat within existing security models, discuss mitigation ideas, and prepare for public disclosure.
The release of the demo code of the attack is planned for about September 2024. The code will allow you to create malicious signatures, identify affected transactions in the pool of unconfirmed transactions, and decode the extracted seed phrases.
To protect against Dark Skippy, we recommend using devices that implement anti-exfil signature protocols.The researchers also offer new ideas for mitigating the impact of the attack, which require significant discussion and input from developers. Full disclosure of information about Dark Skippy, including the demo code, is planned for September 2024. This code will allow you to create malicious signatures, identify affected transactions in the mempool, and decode stolen seed words.
• Source: https://www.securitylab.ru/news/550912.php
• Source: https://darkskippy.com
• Video:
Last edited by a moderator:
