First Meltdown and Spectre, then a bug in the popular Bitcoin wallet Electrum; if you don’t take care for your software, you are in danger of losing coins. We explain, what the newly discovered bugs mean for a crypto user and some minimal measures with which you can protect yourself.
Meltdown and Spectre
Maybe you already heard of the exploit pair Meltdown and Spectre. German tech magazine Heise called them “one of the worst security disasters possible” (“Security-Supergau”), and Bitcoin Unlimited’s developer Andrea Suisani tweeted “this the biggest clusterf***k I’ve ever seen in IT/infosec, and I’ve been around for quite a while.” Things seem to be serious.
This the biggest clusterf***k I've ever seen in IT/infosec, and I've been around for quite a while. https://t.co/G6pEcFfZJT
— sickpig (@sickpig) January 9, 2018
What the bug is about in detail, is hard to explain. Tech media and Wikipedia are a good starter. In short, nearly every CPU constructed in the last twenty years have implemented “out of order execution.” This function allows the CPU to read and execute contents of memory it is not tasked or authorized to. By a “speculative execution” of a future task, the operation system can better manage CPU cycles and significantly increase the overall speed of the system.
The problem is, this “out of order execution” can be exploited. Meltdown and Spectre are basically two variations of this exploit. They enable a hacker to gain access to memory content, for example, passwords or private keys, which are loaded when you sign a transaction with a wallet. Essentially, the computer becomes an open book.
How can you protect against this attack? As a starter, you should update your system and your software. Windows has an auto-update, at least for Windows 10. For a Linux user, it is more complicated. Debian has a regular update, for Ubuntu you need to do it manually, at least for now. If in doubt, you should not conduct cryptocurrency transactions until a fix is available. But even after the software is updated, there is no guarantee of protection. There are a lot of possible exploits of the out of order execution, and not all are known.
Maybe it is a good idea to consider your browser no longer as a friend, but as an enemy. Turn off scripts or just allow trusted websites to execute them. Use an adblocker or Ghostery to reduce the activity of your browser behind the graphical interface. Close the browser, if you don’t need it, especially, when you type in passwords or sign transactions. It can happen that your browser still does something when you closed it, so you should close all tabs before you shut down the browser.
But make no mistake; no matter what you do, you will never get perfect security. There could always be an exploit you’re not aware of. IT systems have become too complex to be completely controllable, so the best option is to reduce complexity. For example, you can store large amounts of coins on a paper wallet you’ve generated on a fresh system not connected to the internet.
For most internet users Spectre and Meltdown were enough to care about. For users of Bitcoin and Bitcoin Cash, it was just the beginning. A few days later Electrum fixed a creepy bug. If you use Electrum or Electron Cash, you should update your wallet immediately.
In case you want to learn more about it; Electrum uses an unprotected JSON-RPC interface, which opens a local host on the system. This is not needed for normal users, but in case you control the wallet with a web interface or use it in some advantages way to accept funds. Electrum chooses a random port for the local host, but it is possible for a script to scan the ports.
Even with a strong password, an attacker can use the local host to change your options. There could be some fancy methods to use this to steal coins, for example by manipulating entropy of the key generation, but that’s just speculation. At the very least, someone accessing your wallet is not something you want.
Installing the update is currently sufficient protection against this attack. However, you should be aware, that there might be other, similar vulnerabilities in the code, which remain as of yet unknown. To be protected against them, at least partially, you should always use strong passwords and be careful what websites you visit. Like with Spectre and Meltdown it helps not to allow every website to run scripts, and to close websites after you’ve finished reading them.