Hacker Redirects Traffic From 19 Internet Providers to Steal Bitcoins

171 points by muneeb, almost 11 years ago

10 comments

mrb, almost 11 years ago
I work in InfoSec and it is mind-boggling to see the sophistication levels of some of the Bitcoin heists, like this BGP incident. When was the last time you saw a BGP attack? 99.9% of real-world attacks don't even bother targeting such a core routing service. Another example: in March 2012, internal Linode management infrastructure was compromised to steal 47k BTC: http://blog.zorinaq.com/?e=67 http://www.theregister.co.uk/2012/03/02/linode_bitcoin_heist/ This means attackers had effectively root access to any Linode's customers' VM! When was the last time you saw an entire cloud provider environment being compromised?

I like to see it as ISPs and cloud providers increasing their security and patching vulnerabilities thanks to Bitcoin's growing adoption :)
kmod, almost 11 years ago
The finger-pointing at BGP is a red herring: the problem is that the stratum protocol has zero authentication. If you can intercept those streams, you can trivially ask anyone to start mining for you instead. This could also have been done using DNS poisoning, ISP-side intercepts, or anything else in the standard bag of tricks. http://blog.kevmod.com/category/bitcoin/
smutticus, almost 11 years ago
Here is the link to the original research.

http://www.secureworks.com/cyber-threat-intelligence/threats/bgp-hijacking-for-cryptocurrency-profit/
mickayz, almost 11 years ago
The lack of auth and encryption is only part of the problem with Stratum's implementation. At Toorcamp 2014 I presented about the vulnerabilities discovered when looking into common miners and their impact on the network. More details available in the associated white paper:

http://www.dejavusecurity.com/blog/2014/7/15/bitcoin-research-whitepaper-announcement
0x0, almost 11 years ago
Could this be prevented by adding some TLS to the mining control channels?
rdl, almost 11 years ago
It's mind boggling to me that this wasn't done a year or two ago.

If bitcoin were genuinely anonymous (it isn't, because it's highly linkable, even if essentially pseudonymous), it would probably be vastly more dangerous in this way -- there would be billions of dollars spent on exploiting security outside bitcoin++ to steal bitcoin++.
gluczywo, almost 11 years ago
Nobody has pointed it out so far. Since it is an attack on IP routing, it could be prevented by using SSL for the Stratum protocol used by mining pools.
driverdan, almost 11 years ago
I know a number of people who got hit by this type of reconnect attack. I suspect I may have been hit by it for short periods of time. Most of the big altcoin pools were targeted. Soon after, most miner software was modified to disable this Stratum feature, but there are still plenty of other issues with the Stratum protocol as highlighted by other comments.
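
A miner-side check for the reconnect redirection discussed in the comments above, as an added example that is not part of the thread or of any miner's code. It assumes the Stratum `client.reconnect` JSON-RPC method with `[host, port, wait]` parameters; `CONFIGURED_POOL`, `check_pool_message` and the host names are hypothetical. It only refuses redirects away from the configured endpoint and does not authenticate the pool.

```python
import json

# Assumption: the pool endpoint configured by the operator (placeholder name).
CONFIGURED_POOL = ("stratum.pool.example", 3333)


def _norm_host(host):
    # Compare host names case-insensitively and ignore a trailing root dot.
    return host.strip().rstrip(".").lower()


def check_pool_message(line, configured=CONFIGURED_POOL):
    """Classify one JSON-RPC line received from the pool.

    ("pass", None)        ordinary message, hand it to the normal handler
    ("reconnect", (h, p)) reconnect that stays on the configured endpoint
    ("reject", reason)    malformed input or a redirect to another endpoint
    """
    try:
        msg = json.loads(line)
    except ValueError:
        return ("reject", "not valid JSON")
    if not isinstance(msg, dict):
        return ("reject", "not a JSON-RPC object")
    if msg.get("method") != "client.reconnect":
        return ("pass", None)

    params = msg.get("params")
    if params is None:
        params = []
    if not isinstance(params, list):
        return ("reject", "client.reconnect params is not a list")
    # Assumption: missing host/port means "reconnect to the same endpoint".
    host = params[0] if len(params) > 0 else configured[0]
    port = params[1] if len(params) > 1 else configured[1]
    if not isinstance(host, str):
        return ("reject", "reconnect host is not a string")
    try:
        port = int(port)  # pools send the port as a number or a string
    except (TypeError, ValueError):
        return ("reject", "reconnect port is not a number")
    if (_norm_host(host), port) != (_norm_host(configured[0]), configured[1]):
        return ("reject", "redirect to %s:%d refused" % (host, port))
    return ("reconnect", configured)


# Constructed sample lines, not captured traffic.
SAMPLES = [
    '{"id": null, "method": "mining.notify", "params": []}',
    '{"id": null, "method": "client.reconnect", "params": []}',
    '{"id": null, "method": "client.reconnect", "params": ["STRATUM.pool.example.", "3333", 0]}',
    '{"id": null, "method": "client.reconnect", "params": ["other.host.example", 3333, 0]}',
]
```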
scott_karana, almost 11 years ago
Wow. Not sure why they don't name-and-shame the ISP, but that's really ridiculous.
nchelluri, almost 11 years ago
Link is a 404 for me.