Network Hijacker Steals $83,000 In Bitcoin
An anonymous reader writes with news that bogus BGP announcements can be used to hijack work done by cryptocurrency mining pools. Quoting El Reg: Researchers at Dell's SecureWorks Counter Threat Unit (CTU) have identified an exploit that can be used to steal cryptocurrency from mining pools — and they claim that at least one unknown miscreant has already used the technique to pilfer tens of thousands of dollars in digital cash. The heist was achieved by using bogus Border Gateway Protocol (BGP) broadcasts to hijack networks belonging to multiple large hosting companies, including Amazon, Digital Ocean, and OVH, among others.
After the fake BGP updates were sent, miners unknowingly contributed work to the attackers' pools.
This is hilarious (Score:0, Insightful)
It has to be said.
And is this even illegal?
I doubt it.
That's okay.... (Score:3, Insightful)
...Bitcoins are like money in real banks and are insured. No harm to the victim.
Oh wait....
ISP Failure, not Application Failure (Score:5, Insightful)
This trick is as old as it gets. BGP will accept a more specific route as superior to a more general route, and there is no authentication in the exchange. The flaw here is the upstream providers involved did not properly filter the routing announcements allowed from this attacker, and instead let them announce net blocks that were not their own, then intercept the traffic to those net blocks.
In other words, nothing to see here, move along.
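An added example, not part of the comment above or of the SecureWorks report: a sketch of the per-customer prefix filter the comment says the upstream providers should have applied, next to the longest-prefix-match rule that makes an unfiltered more-specific announcement win. The ASNs and prefixes are documentation values chosen for illustration, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data: documentation prefixes (RFC 5737) and
# documentation ASNs (RFC 5398). Nothing here is taken from the incident.
CUSTOMER_FILTERS = {
    # peer ASN -> [(prefix the customer may announce, longest accepted length)]
    64496: [("198.51.100.0/24", 24)],   # legitimate holder of the pool's network
    64511: [("203.0.113.0/24", 24)],    # a different customer
}
ANNOUNCEMENTS = [
    (64496, "198.51.100.0/24"),     # legitimate route
    (64511, "198.51.100.128/25"),   # bogus more-specific for space it does not hold
    (64511, "203.0.113.0/24"),      # that customer's own, legitimate route
]

def accept(peer_asn, prefix, filters=CUSTOMER_FILTERS):
    """Upstream-side filter: accept only prefixes registered to this peer,
    and nothing more specific than the registered maximum length."""
    net = ipaddress.ip_network(prefix)
    for allowed, max_len in filters.get(peer_asn, []):
        allowed_net = ipaddress.ip_network(allowed)
        if (net.version == allowed_net.version
                and net.subnet_of(allowed_net)
                and net.prefixlen <= max_len):
            return True
    return False

def best_origin(rib, dest):
    """Longest-prefix match: the most specific covering route wins."""
    addr = ipaddress.ip_address(dest)
    covering = [(ipaddress.ip_network(p), asn) for asn, p in rib
                if addr in ipaddress.ip_network(p)]
    if not covering:
        return None
    return max(covering, key=lambda route: route[0].prefixlen)[1]

def origin_for(dest, filtered):
    """Origin AS that traffic to dest follows, with or without the filter."""
    rib = [(asn, p) for asn, p in ANNOUNCEMENTS
           if not filtered or accept(asn, p)]
    return best_origin(rib, dest)

if __name__ == "__main__":
    pool_server = "198.51.100.200"   # constructed address inside the /25
    print("unfiltered:", origin_for(pool_server, filtered=False))
    print("filtered:  ", origin_for(pool_server, filtered=True))
```

Without the filter the /25 attracts traffic for the upper half of the /24; with it, the bogus announcement never enters the table and the legitimate origin is selected.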
Sigh (Score:4, Insightful)
I've been pointing out the risks of router poisoning for, what, 17 years now.
Ever since the NSA started demonstrating router poisoning, it was only a matter of time before even the script kiddies figured it out.
I've been pointing out that the current rash of cryptocurrencies has excessive reliance on trust for the past year.
This sort of attack was inevitable. Bitcoin can plead semi-innocence because strong authentication is counter to strong anonymity. However, no router on the Internet should accept rogue announcements - even from three letter agencies - or accept unauthorized changes to the running configuration or active router tables.
MITM attacks are exceptionally dangerous and the hazards can only get worse.
Re:Where is the validation? (Score:3, Insightful)
Really, this sounds like the miner's fault for not realizing it earlier. My pools have an app that updates me in real time on what they see as my balance and my hash rate. If you've been re-directed to an invalid pool, you'd think your hash rate and earnings would drop to 0 over time and you'd pick up on that and try to correct the issue. I would probably notice within 15 minutes if this happened.
Bah ... (Score:3, Insightful)
You say unknown miscreant.
On Wall Street they're simply called "staff".
Frankly, I see little difference between stealing BitCoins from a mining pool and High Frequency Trading. And that's perfectly legal.
Re:Bah ... (Score:2, Insightful)
Welcome to capitalism, where gaming the system for profit is a moral imperative.
This is *NOT* hilarious! (Score:5, Insightful)
The use of bogus BGP to trick networks into believing that they are connecting to a legitimate network, instead of having their own network stream hijacked, can be used for much more than mere Bitcoin snatching.
It can also be used to "branch out" legitimate net traffic to some listening posts (something NSA and all other spy agencies like to do) and thus further compromise the legitimacy of the network itself, along with the loss of privacy / data / whatever that the data stream happens to contain.
This is a serious threat!
Re:That's okay.... (Score:5, Insightful)
Tax money is not yours, it's a payment for partaking in civilization which, after all, requires a lot of human effort to upkeep.
I think this is the problem with most libertarians: you've been surrounded by the invisible support systems of society all your life, so you mistake them for something that occurs naturally, like sunlight. Thus when you're required to pull your weight and help maintain these systems, you see this as an egregious violation of your property rights, completely oblivious to the fact that property is an artificial construct built and maintained by them in the first place. And everyone else, of course, sees a freeloader who's arrogant enough to be insulted by the very idea of having to chip in.
The world does not owe you unpaid servitude. You will never get things like property rights or a monetary system without having to pay for them. Nor can you pay only for things that directly benefit you, because that leads to a tragedy of the commons where everyone argues why someone else should pay for every single system and the end result is that no one pays for anything, and society collapses.
I doubt that you'll stop playing a victim because you've been told to polish some of the tiles on the streets of gold you walk on every now and then, but this is why you aren't being taken seriously outside the lunatic fringe.