Recently Discovered Computer Vulnerabilities Meltdown and Specter offer yet another reminder of the difficulty of the digital era in protecting private information – even private cryptocurrency keys –

Unveiled Wednesday, widespread hardware vulnerabilities simultaneously impact Intel, ARM and AMD computing chips, which power the vast majority of computers, mobile devices and servers around the world, to steal private data such as passwords, financial information or just about everything that is stored on a device using one of these chips.

When this is important for cryptocurrency in particular, hackers can potentially use the specific attack vector to pinch private keys that allow users to control their bitcoins on the blockchain.

Popular Mechanics called it "terrifying," claiming that it's "hard to target the most troubling part of this flaw" while a written news page by safety researchers pointed out that you are "very definitely" touched by the bug.

And although there is no evidence that passwords have been compromised, experts say that it would not be surprising that hackers or the NSA are exploiting the same. attack.

If you're already following best practices for cryptocurrency storage, then you're probably fine. But if that's not the case, or if you're a newer user, experts say that it's important to keep private keys on a secure device.

"Prevention is better than cure," said Bryan Bishop, developer of Bitcoin Core at CoinDesk, adding:

"An attacker who is aware of a sufficiently powerful vulnerability may theoretically force your CPU to reveal secret data such as private keys used to control your bitcoin."

Attack vectors

It is important to note that the advice of storing private keys on a secure device is not new. (Crypto developers have long warned against storing private keys on laptops or other devices that interact with the Internet.)

But the reasons may not be obvious to new users. Even though bitcoin and other cryptocurrencies are secure protocols, they must interact with the open internet and the usual computers. In short, storing private keys so close to the Internet can potentially expose users to hackers and theft.

And the new vulnerabilities of the UC make the situation even worse, because a chain of actions can lead to error and compromise.

"If the protected memory problem is real, a browser plugin or even a website can access your private keys," said Jonas Schnelli, a Bitcoin Core contributor.

The full details of the problem are not yet public, so we do not know which are the precise attack vectors. However, others have suggested that a similar impact could be likely.

"To be affected by this attack, all you have to do is click on a link by accident and maybe you end up on a website that is spreading bad publicity with the malicious code stealing your data. ".

And while these scenarios may seem far-fetched, most current malware uses similar vulnerabilities that have not been fixed yet. It's just impossible to know who and when they will really hit.

Operating system patches are now available that users must use to patch their Windows, Mac, and Linux devices. But, for cryptocurrency users, the best option is to not store private keys on a device connected to the Internet, a common recommendation well before this particular vulnerability.

One option is to store private keys on a so-called "hardware wallet", such as Ledger or Trezor. Smaller devices may not be as easy to use, but they are safer in that they are not connected to the Internet.

Pavol Rusnak, CTO of SatoshiLabs, the company behind Trezor, went so far as to say: "Using a wallet [hardware] is now more important than ever!" While the ethereum developer, Lefteris Karapetsas, was joking, "I bet Specter and Meltdown are the best thing that could have happened for cold cryptocurrency wallet companies."

Exchanging Treasures

Beyond consumer devices, cryptocurrency trading and businesses, which store private cryptocurrency keys for millions of users at a time, are a much more important and worrying target .

Some cryptocurrency exchanges use cloud-hosting services such as Amazon Web Services and Google Cloud to manage their websites, rather than creating their own servers.

Although these platforms make it easy to manage websites, they are particularly vulnerable to these attacks. A hacker can theoretically run a server using the same hardware as a crypto-currency startup running operations on such a cloud platform and suddenly having access to all its data.

In the world of crypto, a hacker could hypothetically use this attack vector to steal private keys.

On the one hand, most of the most popular cloud platforms quickly rolled out fixes. On the other hand, researchers are concerned that deep vulnerabilities could lead to unsettled variants, with possible lingering effects ahead.

Bitcoin in the dark image via Shutterstock

Leader in blockchain information, CoinDesk is an independent media company that strives to achieve the highest journalistic standards and adheres to a strict set of editorial policies. Do you want to offer your expertise or ideas for our reporting? Contact us at news@coindesk.com.

