updated 12:52 pm EDT, Fri August 8, 2014
Network compromise redirected mining pool traffic to alternate server
Security researchers have discovered a vulnerability in the way cryptocurrencies such as Bitcoin are stored in mining pools, one that allows funds to be stolen. Discovered by the Dell SecureWorks Counter Threat Unit, the exploit has allegedly already been used at least once, with one attacker said to have acquired approximately $83,000 using the technique.
The attack used fake Border Gateway Protocol (BGP) broadcasts. BGP is the exterior routing protocol that networks use to tell one another which address ranges they can reach. The Register reports that the attackers spoofed these broadcasts to route the communications to their own servers instead of the legitimate mining servers hosted by Amazon, Digital Ocean, OVH and other hosting networks. Rather than the mining pool issuing payouts for the work completed, the rerouted traffic allowed the attacker to receive the rewards instead.
A total of 51 networks were compromised by the technique across 19 Internet providers, the research team advised. The $83,000 attack was a sustained campaign that lasted from February to May of this year, and though the researchers tracked the broadcasts to an unnamed Canadian ISP's router, the identity of the attacker remains unknown. Given the nature of the attack, the researchers hypothesize that the culprit could be a rogue employee, an ex-employee of the ISP whose router password was never changed, or a malicious hacker. The ISP in question has been informed and has put a stop to the malicious BGP broadcasts, but has not provided any further details about the issue.
Because the attack hinges on being able to originate BGP broadcasts, which requires both the sender and the recipient to be manually configured before any routes can be exchanged, the research team considers BGP peering still "reasonably secure," with hijacking a minimal threat. Even so, it suggests that ISPs opt in to the Resource Public Key Infrastructure (RPKI), which lets routers verify that a network is authorised to announce a given address range, and that pool servers use the SSL protocol to protect against such redirection attempts.
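RPKI route origin validation, the mitigation the researchers recommend, lets a router classify each received route by checking its origin AS against the published Route Origin Authorisations (ROAs). As an added illustration that is not from the article or from SecureWorks, the Python below applies the RFC 6811 validation states to a constructed feed of announcements; the prefixes and AS numbers are taken from the IETF documentation ranges and the "pool hosting network" is hypothetical.

```python
"""RPKI-style route origin validation (RFC 6811) over constructed BGP routes.

Added example; prefixes (TEST-NET-2/3) and ASNs (AS64496-AS64511) are IETF
documentation values, not data from the SecureWorks report.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class ROA:
    prefix: str       # address range the resource holder has authorised
    origin_asn: int   # AS allowed to originate it
    max_length: int   # longest more-specific prefix that AS may announce

@dataclass(frozen=True)
class Announcement:
    prefix: str
    origin_asn: int   # rightmost AS in the AS_PATH

def validate(ann: Announcement, roas: list[ROA]) -> str:
    """Return the RFC 6811 state: 'valid', 'invalid' or 'unknown'.
    Note: ROV checks only the origin AS, not the rest of the path."""
    net = ip_network(ann.prefix)
    covering = [r for r in roas
                if ip_network(r.prefix).version == net.version
                and net.subnet_of(ip_network(r.prefix))]
    if not covering:
        return "unknown"          # no ROA covers it; RPKI says nothing
    for roa in covering:
        if roa.origin_asn == ann.origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"              # covered, but wrong origin or too specific

def triage(anns: list[Announcement], roas: list[ROA]) -> dict:
    """Map each announcement to its state; 'invalid' ones are hijack candidates."""
    return {(a.prefix, a.origin_asn): validate(a, roas) for a in anns}

# Constructed data: the pool's hosting network (hypothetical AS64500) holds a
# ROA for 203.0.113.0/24 with max length 24, so any /25 or longer is unauthorised.
ROAS = [ROA("203.0.113.0/24", 64500, 24)]
FEED = [
    Announcement("203.0.113.0/24", 64500),   # legitimate route
    Announcement("203.0.113.0/25", 64511),   # more-specific from another AS
    Announcement("203.0.113.0/25", 64500),   # right origin, exceeds max length
    Announcement("198.51.100.0/24", 64496),  # no ROA published at all
]

if __name__ == "__main__":
    for (prefix, asn), state in triage(FEED, ROAS).items():
        print(f"{prefix:<18} AS{asn:<6} {state}")
```

A router that drops or deprioritises "invalid" routes would not have installed the more-specific announcement from the wrong origin, which is the pattern a hijack of a pool's address range produces.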
The exploit is the latest in a series of security incidents affecting companies connected to Bitcoin. In March, Bitcoin exchange Flexcoin closed after the theft of approximately $620,000 in the currency. In the same month, large exchange Mt. Gox discovered a cache of bitcoins thought to have been stolen by hackers, and though the 200,000-bitcoin cache was worth $115 million at the time, the exchange still had another 600,000 bitcoins to account for.