Owning the hardest money in the world makes you a prime target: as the Bitcoin market grows, so does the purchasing power of your relative share of it.
The more your net wealth increases, the better the class of criminals who will come after you. As a Bitcoin holder who practises self-custody, you remove third-party risk, but you also take on the responsibility of safeguarding your funds against threats both foreign and domestic.
The cryptocurrency world is no stranger to vulnerabilities; a quick search for crypto hacks reveals a history of failures to protect digital funds. Wallet-draining scripts are nothing new; phishing scams to get you to sign over your funds and fake wallet software with backdoors are common among the blockchain crowd.
While the crypto market offers hackers a relative smorgasbord of digital pickpocketing opportunities, Bitcoiners have remained comparatively unscathed. Due to the nature of the asset, most people hold it and don’t interact with the chain very often, unlike users of DeFi and smart-contract chains.
Additionally, a lot of time, care and research has gone into making the self-custody experience as secure as possible, but that doesn’t mean it’s completely impenetrable.
Bitcoin wallet vulnerabilities are rare, but a few spring to mind. In August 2023, cybersecurity firm SlowMist reported that over $900,000 worth of Bitcoin had been stolen via a key-generation flaw in the Libbitcoin Explorer (bx) tool. In November 2023, Unciphered reported that $2.1 billion worth of Bitcoin held in old wallets may be in danger of being drained by attackers because of a weak random number generator in the BitcoinJS wallet library.
Self-custody takes a knock but hasn’t been cooked
Generating your keys offline, keeping them offline and exposing only public keys (an xpub) from your signing device keeps the attack surface minimal and still gives you the best protection around.
However, the recent publication of “Dark Skippy”, an upgraded form of nonce-based key exfiltration, has sent shockwaves through the Bitcoin community.
This sophisticated method targets a cornerstone of Bitcoin security: the hardware wallet.
What is Dark Skippy?
At its core, Dark Skippy abuses two facts: the signing device alone chooses the secret nonce in each signature, and every signature is published on the blockchain. Firmware that manipulates those nonces can leak the wallet’s seed through ordinary-looking transactions, and the attacker recovers it from the public chain without ever touching the device again.
This vulnerability could potentially affect all models of hardware wallets, but it only works if the device is running malicious firmware, whether the victim was tricked into installing it or it was planted in the supply chain.
A previous version of the method required the victim to post “dozens” of transactions to the blockchain, which made it impractical, a long-con kind of play. The latest version of Dark Skippy needs only a handful of signatures, which changes the picture entirely.
Additionally, the attack works even if the seed words were generated on a separate device: the compromised signer leaks whatever secret it is loaded with.
How does Dark Skippy work?
Now, before you bin your hardware wallet and go full purge on your current stack, it’s important to know that your device would need to have been compromised by the manufacturer or tampered with in transit to you, or you would have to have invited the thief in yourself by upgrading your device’s firmware to a compromised version.
According to the report, a hardware wallet’s firmware can be programmed to embed portions of the user’s seed words into “low entropy secret nonces,” which are then used to sign transactions.
Once the transaction is broadcast, its signatures are public on the blockchain, and the attacker can scan the chain to find and record them.
The resulting signatures contain only “public nonces,” not the portions of seed words themselves. However, because each secret nonce carries only half of a 128-bit seed (64 bits), it comes from a range small enough that the attacker can feed the public nonce into Pollard’s Kangaroo algorithm and compute the secret nonce from it in roughly 2^32 curve operations, well within reach of ordinary hardware.
Recovering a 12-word seed (128 bits) takes just two signatures, and a 24-word seed (256 bits) just four. In other words, a single transaction with two or four inputs could publish a user’s entire wallet secret.
To summarise, the process is as follows:
- Malicious Firmware: The attack hinges on the installation of compromised firmware on a hardware wallet. This firmware is designed to generate weak nonces during transaction signing.
- Nonce Manipulation: Instead of a full 256-bit random nonce, the firmware uses a 64-bit slice of the seed as the secret nonce, which is small enough to recover from its public counterpart.
- Key Extraction: Because the nonces are the seed, recovering them from the public nonces with Pollard’s Kangaroo algorithm hands the attacker the seed; every private key in the wallet then follows by normal derivation.
- Wallet Compromise: With the seed, attackers can gain complete control over the victim’s Bitcoin wallet.
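To make those four steps concrete, here is a scaled-down model of the attack in Python. It is an added example, not the researchers’ proof-of-concept and not any vendor’s firmware. It uses the real secp256k1 curve but a simplified Schnorr signature (the whole nonce point R is published, where BIP340 publishes only its x coordinate), a toy hash in place of BIP32 key derivation, and 20-bit seed chunks instead of 64-bit ones so that the kangaroo search finishes in seconds in pure Python; the function names, the constructed seed and the “sighash” strings are all made up for the example.

```python
# Scaled-down Dark Skippy model (added example, not the researchers' code): malicious
# firmware signs each input with a seed chunk as the nonce; the attacker recovers the
# chunks from the public nonces with Pollard's kangaroo. Real chunks are 64 bits
# (~2^32 curve operations each); CHUNK_BITS = 20 keeps this to seconds in pure Python.
import hashlib

# secp256k1 domain parameters (the real Bitcoin curve)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
CHUNK_BITS = 20      # toy size; Dark Skippy uses 64
NUM_CHUNKS = 2       # a 12-word seed is two 64-bit chunks, i.e. two signatures
SEED_BITS = CHUNK_BITS * NUM_CHUNKS

def ec_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, point=G):
    """Double-and-add scalar multiplication."""
    result, k = None, k % N
    while k:
        if k & 1:
            result = ec_add(result, point)
        point, k = ec_add(point, point), k >> 1
    return result

def h_int(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N

def challenge(R, pub, msg):
    return h_int(R[0].to_bytes(32, "big"), pub[0].to_bytes(32, "big"), msg)

def schnorr_sign(x, msg, k):
    """Simplified Schnorr: the full point R is published (BIP340 uses x-only R)."""
    R, pub = ec_mul(k), ec_mul(x)
    return R, (k + challenge(R, pub, msg) * x) % N

def schnorr_verify(pub, msg, sig):
    R, s = sig
    return ec_mul(s) == ec_add(R, ec_mul(challenge(R, pub, msg), pub))

def secret_from_seed(seed):
    """Toy stand-in for BIP32 master-key derivation (assumption, not BIP32)."""
    return h_int(b"toy-master-key", seed.to_bytes((SEED_BITS + 7) // 8, "big"))

def dark_skippy_sign(seed, msgs):
    """Malicious firmware: nonce for input i is seed chunk i (+1 so k is never 0)."""
    assert len(msgs) == NUM_CHUNKS
    x, mask = secret_from_seed(seed), (1 << CHUNK_BITS) - 1
    chunks = [(seed >> (CHUNK_BITS * (NUM_CHUNKS - 1 - i))) & mask for i in range(NUM_CHUNKS)]
    return [schnorr_sign(x, m, c + 1) for m, c in zip(msgs, chunks)]

def honest_sign(seed, msgs):
    """Deterministic full-size nonces (the RFC 6979 idea, not its exact HMAC-DRBG)."""
    x = secret_from_seed(seed)
    return [schnorr_sign(x, m, h_int(b"nonce", x.to_bytes(32, "big"), m)) for m in msgs]

def kangaroo(R, lo, hi, max_tries=2):
    """Pollard's kangaroo: k in [lo, hi] with k*G == R, or None if there is none."""
    width, m = hi - lo, 1
    while (2 ** m - 1) / m < width ** 0.5 / 2:   # jumps 2^0..2^(m-1), mean ~ sqrt(width)/2
        m += 1
    jumps = [(1 << i, ec_mul(1 << i)) for i in range(m)]
    mean = (2 ** m - 1) // m
    for salt in range(max_tries):               # a different pseudo-random walk per try
        def pick(pt, salt=salt):
            return jumps[(pt[0] + salt) % m]
        traps, pos, dist = {}, ec_mul(hi), 0    # tame kangaroo starts at hi*G
        for _ in range(10 * mean):
            traps[pos] = dist
            step, step_pt = pick(pos)
            pos, dist = ec_add(pos, step_pt), dist + step
        traps[pos], reach = dist, dist
        pos, dist = R, 0                        # wild kangaroo starts at R = k*G
        while pos is not None and dist <= width + reach:
            if pos in traps:                    # hi + tame_dist == k + wild_dist
                return hi + traps[pos] - dist
            step, step_pt = pick(pos)
            pos, dist = ec_add(pos, step_pt), dist + step
    return None

def attacker_recover_seed(sigs):
    """Attacker: solve each public nonce's small discrete log, reassemble the seed."""
    seed = 0
    for R, _s in sigs:
        k = kangaroo(R, 1, 1 << CHUNK_BITS)
        if k is None:
            return None                         # nonce is not a small seed chunk
        seed = (seed << CHUNK_BITS) | (k - 1)
    return seed
```

Calling attacker_recover_seed(dark_skippy_sign(0xA5C3F1E2D4, [b"input-0 sighash", b"input-1 sighash"])) returns 0xA5C3F1E2D4 from nothing but the two public nonces; swap in honest_sign and it returns None, because a full-size nonce is not in any small interval the kangaroo can search. With 64-bit chunks each search costs about 2^32 curve operations, slow in Python but feasible offline on ordinary hardware, and on a BIP340 x-only nonce the attacker simply tries both candidate y coordinates.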
What about passphrases?
A passphrase is a common security measure you can add to your hardware signing device. Even if an attacker gets your seed phrase, without the additional passphrase they cannot access your funds.
So it would stand to reason that adding a (BIP39) passphrase to a seed phrase protects you against Dark Skippy and similar attacks.
However, the answer is no. The malicious firmware holds the master private key (the key derived from seed plus passphrase) and can leak that instead of the seed words, so adding a passphrase will not protect you from this type of attack.
Dark Skippy in action
While Dark Skippy does require a foothold somewhere in the supply chain, once that is in place the attack itself is pretty easy to operate. If you want to freak yourself out, the video below should give anyone goosebumps and a sudden urge to check whether their stack is still secure.
The implications of Dark Skippy
The Dark Skippy attack poses a significant threat to the security of Bitcoin users. Hardware wallets, long considered the gold standard for Bitcoin storage, are no longer a purchase you can take for granted; you will need to verify, and never trust a device at face value simply because it has some pretty branding and came in a nice box.
Since the attack can affect any signing device, including a legitimate one that has been reflashed by a third party, or by you by accident through an unverified update, you’ll need to remain vigilant when buying and setting up a signing device to hold your stash.
Dark Skippy undermines the trust in hardware wallets, a cornerstone of Bitcoin security, but to me, that’s a good thing; we shouldn’t be mindlessly trusting anything; the mantra of Bitcoin is to verify and not trust, so this is a stark reminder to stick to those principles.
If you don’t, you may end up paying for your faith that everyone works in your best interest. The scary part of a Dark Skippy attack is that it can lie dormant for years: you could be diligently stacking, and the day you finally sign a transaction, the seed leaks and the result is a substantial financial loss.
While Dark Skippy does affect Bitcoin users, it has wider implications, as similar vulnerabilities could exist in other cryptocurrency systems. Given that the average crypto user manages more assets from a single wallet, trusts more than they verify, accepts regular updates and performs more transactions than the average Bitcoiner, they are exposed to both versions of the Dark Skippy attack.
Protecting yourself against Dark Skippy
It’s all good to be a holder, buy regularly, and transfer to your cold storage single signature wallet, but you will have to upgrade your security model at some point. Single Sig cold wallets are ideal for entry-level risk mitigation; in fact, they should be the bare minimum for your long-term holding while your hot wallet manages your day-to-day Bitcoin transactions.
But as you grow your stack and your relative purchasing power increases, the trusted single sig might need to be trimmed down and replaced with something more robust.
While the Dark Skippy threat is unlikely, it remains a real possibility, and you need to prepare accordingly.
So what can you do about it?
- Firmware Verification: Always verify the authenticity of firmware updates for your hardware wallet: check the release’s signature against the vendor’s published signing key, not just a checksum copied from the download page. (Tip: bookmark the vendor website to avoid phishing, or speak to the manufacturer directly to confirm the latest version.)
- Don’t rush upgrades: Your wallet’s firmware shouldn’t require regular updates. Old firmware keeps working with the chain, so there is rarely an urgent need to update. Unless you’ve independently verified an update and others have confirmed it, you’ve got time on your hands before you click the update button; the exception is a verified fix for a genuine security bug, which is worth applying.
- Physical Security: Protect your hardware wallet from unauthorised access; anyone who can reflash it can plant this kind of firmware.
- Verify your vendor: If possible, order hardware signing devices directly from the vendor. The more direct the route, the lower the likelihood of tampering. If you don’t trust local vendors, your best bet is to build a signing device yourself with an open-source project like SeedSigner.
- Check for signs of tampering: Use hardware vendors that have tamper-resistant mechanisms in place, such as tamper-evident packaging and firmware attestation (the device proving at boot that it runs vendor-signed firmware).
- Verify your device: Use hardware where you can easily verify the integrity of the source firmware and its updates, ideally open-source firmware with reproducible builds you can compare against what is flashed.
- Research your wallet’s operations: Use hardware that generates nonces according to security standards. One such standard is RFC 6979 (deterministic nonces). Caveat: RFC 6979 compliance cannot be checked from outside the device without the private key, so this only protects you if the firmware is open, auditable and verifiably what is running.
- Have multiple devices: Use another device to experiment with firmware features you don’t need for your main wallet.
- Use multi-sig: preferably multi-vendor multi-sig. A compromised signer can still leak its own key, but the attacker then has to compromise enough devices to meet the threshold, which significantly increases the difficulty of executing the attack.
Future-proofing against Dark Skippy
The discovery of Dark Skippy is not all doom and gloom, and self-custody is not completely borked; the industry has plenty of researchers actively working on countermeasures to address these attacks and many more.
These include:
- Improved nonce generation: Developing more robust, verifiable methods for generating nonces. A better random number generator inside the device is not enough on its own, because malicious firmware can simply ignore it.
- Mandatory adaptor signatures: A PSBT field would carry a one-time public nonce Y = y·G produced by the software wallet, and the signer would have to bind each input’s signature to Y through an adaptor signature, so the final nonce includes entropy the signer did not choose.
- Mandatory nonce “proof-of-work”: The software wallet can demand that the public nonce R satisfy a random challenge (for example, that a SHA256 hash over R and the challenge starts with a required pattern), leaving the signer far less freedom to pick a nonce that encodes seed bits.
- Anti-exfil: A commit-and-reveal technique that combines entropy from the hardware signing device with entropy from a second device (typically the host running the companion software wallet) to generate nonces: the signer commits to its nonce contribution first, the host then reveals its own, and the host verifies that the published nonce is the combination of the two.
- Moving to multi-sig: Multisig does not by itself fix nonce choice on a compromised signer, but, like anti-exfil, it means no single device can authorise a transaction alone: an attacker needs enough compromised signers to reach the threshold.
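Of these countermeasures, anti-exfil is the one that can be shown end to end in a few dozen lines. The Python below is an added example, not Blockstream’s, Ledger’s or any other vendor’s implementation: to stay free of curve arithmetic it runs Schnorr in a DSA-style prime-order subgroup of Z_p* built at start-up (over secp256k1 the exchange is identical, with point addition in place of multiplication mod p), and the Signer and host_sign names, the hash domain tags and the constructed message are assumptions for the example.

```python
# Anti-exfil nonce protocol (added example, not a vendor's implementation). Signer
# commits to R0 = g^k0, host reveals its randomness t, final nonce k = k0 + H(R0, t);
# the host checks R == R0 * g^H(R0, t). Schnorr over a prime-order subgroup of Z_p^*
# keeps the example free of curve code; over secp256k1 the exchange is identical.
import hashlib
import secrets

Q = (1 << 127) - 1      # Mersenne prime M127: order of the subgroup we sign in

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases (fine for a toy parameter search)."""
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group():
    """DSA-style parameters: P = c*Q + 1 prime, G = 2^c mod P of order Q (toy size)."""
    c = 2
    while not is_probable_prime(c * Q + 1):
        c += 2
    P, G = c * Q + 1, pow(2, c, c * Q + 1)
    assert G != 1, "2 is a Q-th power residue here; pick another base"
    return P, G

P, G = make_group()

def enc(n):
    return n.to_bytes(32, "big")

def H(*parts):
    """Hash to a scalar mod Q; the first part is a domain-separation tag."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % Q

class Signer:
    """Honest signing device following the anti-exfil protocol."""
    def __init__(self, x):
        self.x, self.pub = x, pow(G, x, P)

    def round1(self, msg, host_commit):
        # k0 depends on the host's commitment, so a host cannot obtain two
        # signatures that share k0 under different t values (that would leak x)
        self.msg, self.host_commit = msg, host_commit
        self.k0 = H(b"k0", enc(self.x), msg, host_commit)
        self.R0 = pow(G, self.k0, P)
        return self.R0

    def round2(self, t):
        assert hashlib.sha256(t).digest() == self.host_commit, "host changed t"
        return self.finish((self.k0 + H(b"tweak", enc(self.R0), t)) % Q)

    def finish(self, k):
        R = pow(G, k, P)
        e = H(b"chal", enc(R), enc(self.pub), self.msg)
        return R, (k + e * self.x) % Q

class DarkSkippySigner(Signer):
    """Compromised firmware that ignores t and uses a seed chunk as the nonce."""
    def __init__(self, x, chunk):
        super().__init__(x)
        self.chunk = chunk

    def round2(self, t):
        return self.finish(self.chunk)

def host_sign(signer, msg):
    """Host side: commit to t, receive R0, reveal t, then check t was mixed in."""
    t = secrets.token_bytes(32)
    R0 = signer.round1(msg, hashlib.sha256(t).digest())
    R, s = signer.round2(t)
    if R != R0 * pow(G, H(b"tweak", enc(R0), t), P) % P:
        raise ValueError("signer ignored host entropy: possible nonce exfiltration")
    return R, s

def verify(pub, msg, sig):
    R, s = sig
    return pow(G, s, P) == R * pow(pub, H(b"chal", enc(R), enc(pub), msg), P) % P

def demo():
    """Returns (honest signature verifies, malicious signer was caught by the host)."""
    x, msg = secrets.randbelow(Q - 2) + 1, b"constructed sighash"
    honest = Signer(x)
    ok = verify(honest.pub, msg, host_sign(honest, msg))
    try:
        host_sign(DarkSkippySigner(x, chunk=0xDEADBEEF), msg)
        return ok, False
    except ValueError:
        return ok, True
```

demo() returns (True, True): the honest exchange yields a signature that verifies, and a signer that uses a fixed chunk as its nonce fails the host’s check because its R is not R0 · g^H(R0, t). A compromised signer that instead feeds a seed chunk in as k0 gains nothing either: the final nonce is k0 + H(R0, t), a full-size value that no interval search will find. The host’s initial commitment to t matters too; without it a malicious host could request two signatures with the same k0 and different t values and solve for the private key.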
Protect your stack from attack
I’m not here to fearmonger and get you to burn down your entire security protocol all because some research was published on a possible attack vector. For all you know, you’ve been doing the right thing, and your funds are safe and sound.
The Dark Skippy attack serves as a stark reminder to never become complacent and that the security landscape is constantly evolving, so you can never be too careful when it comes to your coins; what might have worked in the past doesn’t guarantee security in the future.
While I think most plebs are in the clear, it doesn’t hurt to give your setup a once-over and check that it’s above board. Verifying your firmware won’t take you more than a few minutes.
What does scare me is the concentration of Bitcoin with exchanges and other paper products like Spot ETFs. Digital asset custody providers would be the primary target for attacks like this because the payoff is so large. If you could pay an employee to upload some fake firmware or you’re able to socially engineer your way into getting someone to download software, you could easily put thousands, if not tens of thousands, of Bitcoin at risk.
Do your own research.
If you want to learn more about Dark Skippy, use this article as a starting point. Don’t trust what we say as the final word. Take the time to research other sources, and you can start by checking out the resources below.