The MEW Attack: PolySwarm’s Take

PolySwarm CTO, Paul Makowski, is diving into last week’s MEW attack. What happened, why web-based wallets can be risky, and what PolySwarm can do to help in the future.

For a few hours on April 24, attackers announced malicious BGP routes so that they could hijack DNS traffic intended for Amazon’s Route 53, the DNS provider for MyEtherWallet (MEW). They used this vantage point to intercept and manipulate traffic to MEW in a somewhat successful attempt to steal crypto tokens and currency (~150k USD stolen).

The good news is there appears to be no direct compromise of MEW and there are a few things MEW can do to make this attack more difficult in the future. The bad news is there are a few things the attackers could have done to make this attack far more potent — and these speak to fundamental problems inherent to all web-based wallets.

The Technical Details of the MEW Attack

Let’s briefly unpack the technical details of this attack:

BGP is a backbone Internet protocol that major ISPs use to route traffic to appropriate destinations. In some respects, it’s a relic of the early Internet and like many early Internet protocols, it was not designed with security in mind. By default, anyone capable of announcing BGP routes is assumed to be acting in good faith. BGP attackers exploit this faith-based security model to hijack traffic that was intended for a target / victim.

In the MEW attack, the hijack targeted Amazon’s Route 53 DNS servers.

DNS is the “phone book” of the Internet. If you type “google.com” into your browser, your computer asks a DNS server how to resolve this domain name to something it can actually use (an IP address).

By hijacking traffic to Route 53, the attackers were able to send malicious responses to the question “how do I contact myetherwallet.com?” Users attempting to reach myetherwallet.com were directed to malicious servers designed to impersonate the true MEW.

Upon arrival to the impersonating host, users were presented with an invalid TLS (SSL) certificate. This would have thrown up big red flags in their browsers saying, in effect, “Hey you probably shouldn’t visit MEW right now.”

Sadly, much research has shown that a substantial portion of users choose to bypass these warnings and continue onto the malicious sites, which appears to be what happened here.

Going forward, MEW could prevent such bypass by deploying HSTS rule (I’m hoping they’re considering this).

The weirdest part of the incident was that attackers were able to pull off a BGP hijack against a major Internet property but that they were either unable or unwilling to get a fake MEW certificate. Had the attackers obtained a certificate for MEW (this would have been trivial, given their vantage point), the amount stolen would undoubtedly be far higher.

The Risk With Web-Based Wallets

The incident brings to light rather fundamental issues common to all web-based wallets:

Web-based wallets rely on a massive number of protocols, software packages and infrastructure maintainers to not only be honest, but be capable of defending themselves against attackers. I think MEW knows this, which is why they offer an offline Chrome extension version of MEW.

If you’re going to use MEW, we recommend using the Chrome extension. No matter what you use, we highly recommend a hardware wallet.

Learn more about keeping your wallet secure:

PolySwarm’s Future Role

Preventing these sorts of incidents is something PolySwarm will be focusing on in the future. PolySwarm’s Alpha will be released April 30th (coming soon!), Beta by the end of May and 1.0 by the end of the year. We’re starting with detecting malintent in files, but we’ll soon be expanding to detecting malintent in URIs.

In the future, we’d like companies to be able to query for crowdsourced security expertise applied to a particular domain name and path.

For incidents like the MEW attack, PolySwarm may serve as a distributed observatory for misconduct, complementing the Electronic Frontier Foundation’s SSL Observatory Project and various Certificate Transparency efforts undertaken by browser makers.

We’re excited to be a part of the solution to problems highlighted by this week’s events and we can’t wait to show them to the world.

Security experts: do you want to be part of the solution? Learn more about your role in the PolySwarm ecosystem at PolySwarm.io.