Crypto Gloom

How Malicious Hardware Wallet Firmware Can Leak Your Bitcoin Seed Phrase

A recently discovered attack vector, Dark Skippy, poses a significant threat to the security of Bitcoin hardware wallets. This method allows a compromised signer to extract the master seed phrase by embedding a portion of it in the transaction signature, and requires only two transactions to complete. Contrary to previous assumptions that multiple transactions were required, this simplified approach means that a single use of a compromised device can lead to a complete security breach.

The attack relies on malicious firmware that alters the standard signing process. Normally, signing uses a randomly generated nonce as part of the Schnorr signing process. On a device compromised by Dark Skippy, however, the firmware instead uses a deterministic, low-entropy nonce derived from the master seed. Specifically, the first half of the seed is used as the nonce for one transaction and the second half for another, so an attacker who observes both transactions can reconstruct the entire seed.

This attack requires that the signing device be compromised, which can occur in a variety of ways. Malicious firmware can be installed by the attacker or unwittingly installed by the user. Alternatively, the attacker can distribute pre-compromised devices through the supply chain. Once installed, the compromised firmware embeds secret data into public transaction signatures, effectively using the blockchain as a covert channel to leak sensitive information.

The attacker monitors the blockchain for transactions with specific watermarks that reveal the presence of embedded data. Using algorithms such as Pollard’s Kangaroo, the attacker can retrieve a low-entropy nonce from the public signature data, reconstruct the seed, and gain control of the victim’s wallet.

While this attack vector does not present a new fundamental vulnerability (nonce covert channels are known and mitigated to some extent), Dark Skippy improves and exploits these vulnerabilities more efficiently than previous methods. The subtlety and efficiency of this technique make it particularly dangerous, as it can be executed without the user’s knowledge and is difficult to detect after the fact.

Robin Linus is credited with identifying the attack and pointing out its potential on Twitter last year. Further investigation at a security workshop confirmed that the entire 12-word seed could be extracted with minimal computing resources, demonstrating the effectiveness of the attack and its ease of execution even on moderately equipped systems.

Mitigations against these attacks include implementing anti-exfiltration ('anti-exfil') protocols on signing devices, which prevent a device from leaking secret data through the signatures it produces. However, these defenses require rigorous implementation and ongoing development to stay ahead of evolving threats.
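The anti-exfil mitigation mentioned above, as an added worked example that is not taken from the article or from any wallet vendor's code: a simplified host/device nonce-commitment exchange over secp256k1 (plain Schnorr, not byte-exact BIP340) in which the host commits to randomness t before the device reveals its nonce share R0, and afterwards checks that the final nonce equals R0 plus a tweak derived from t. Function names, the demo key and the 64-bit "device-chosen nonce" stand-in are my own constructions, not part of any real protocol.

```python
import hashlib, secrets

P = 2**256 - 2**32 - 977  # secp256k1 field prime; N and G below are the real curve constants
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else: lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def h(*ints):  # hash-to-scalar over 32-byte big-endian encodings
    data = b"".join(i.to_bytes(32, "big") for i in ints)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def signer_nonce_share(x, msg, commit, chosen=None):
    # Honest firmware derives k0 from secret, message and the host's commitment and must
    # reveal R0 = k0*G before it learns t; `chosen` models firmware picking its own nonce.
    k0 = chosen if chosen is not None else h(x, msg, commit)
    return k0, mul(k0, G)

def signer_finish(x, msg, k0, R0, t, commit, ignore_tweak=False):
    assert h(t) == commit, "host opened a t it did not commit to"
    k = k0 if ignore_tweak else (k0 + h(R0[0], R0[1], t)) % N  # host-tweaked final nonce
    R, pub = mul(k, G), mul(x, G)
    e = h(R[0], R[1], pub[0], pub[1], msg)
    return R, (k + e * x) % N  # plain Schnorr (R, s); not byte-exact BIP340

def verify(pub, msg, R, s):  # standard Schnorr check: s*G == R + e*pub
    e = h(R[0], R[1], pub[0], pub[1], msg)
    return mul(s, G) == add(R, mul(e, pub))
def host_sign(x, msg, malicious=False):  # returns (anti_exfil_check_passed, signature_valid)
    t = secrets.randbelow(N - 1) + 1  # host randomness, committed before the device moves
    commit = h(t)
    chosen = 1 + x % 2**64 if malicious else None  # constructed stand-in for a low-entropy nonce
    k0, R0 = signer_nonce_share(x, msg, commit, chosen)
    R, s = signer_finish(x, msg, k0, R0, t, commit, ignore_tweak=malicious)
    # Anti-exfil check: R must equal R0 + H(R0, t)*G, proving the device had no control over
    # the final nonce. The signature itself still verifies, so only this check catches it.
    ok = R == add(R0, mul(h(R0[0], R0[1], t), G))
    return ok, verify(mul(x, G), msg, R, s)
```

A device that applies the host tweak honestly ends up with a nonce it cannot predict, so it has nothing useful to embed; one that ignores the tweak produces a perfectly valid signature that the host refuses to broadcast.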

The crypto community and device manufacturers should quickly address these vulnerabilities to protect users from potential exploits facilitated by Dark Skippy and similar methods. Users should remain vigilant and ensure that their devices run genuine firmware and are sourced from reputable vendors to minimize the risk of compromise. Additionally, using a multisignature setup adds a further layer of defense against this attack vector.