Will Antminer R4 Will Release Again in Bitmain
Major Bitcoin mining hardware producer Bitmain can remotely close down well-nigh all active Antminer machines. Dubbed the "Antbleed" backstairs, abuse of the vulnerability could probably knock half of all hash ability on the Bitcoin network offline.
"Fifty-fifty if Bitmain had no bad intent, this is a gaping security hole," said our source, who discovered the backdoor but asked to remain anonymous.
The backdoor lawmaking can be seen on Pastebin and on GitHub, and today a website has been put up for Antbleed too.
How It Works
The Antbleed backstairs is "stupid simple," as our source described it.
Whenever an Antminer appears online, and once every one to eleven minutes, it contacts a "port 7000 service" on the domain auth.minerlink.com, which is owned by Bitmain. The domain currently does not connect to any IP-address, and therefore does goose egg.
However, the domain could in the (near) future beginning connecting to a corresponding IP-accost. If that happens, it will report the Antminer's serial number as well every bit the MAC address and the IP-address to Bitmain.
This could be enough for the company to link the machine to a specific user.
"Bitmain tin apply this data to cantankerous cheque against client sales and delivery records making it personally identifiable," our source explained. "And Bitcoin mining is a small industry, so it shouldn't fifty-fifty be hard to connect the machines to specific pools, or blocks."
Once connected, the server the Antminer connects to — Bitmain's server — sends a message dorsum. If that message is "true", the machine will continue mining. Only if that bulletin is "simulated", the lawmaking produces a piece of text that reads: "Stop mining!!!"
It seems obvious that this piece of text would make the automobile stop mining, which is indeed confirmed past our source, who tested it on an Antminer machine. Additionally, information technology can be checked by anyone with an afflicted miner; antbleed.com explains how.
The backdoor can exist verified, since information technology is embedded in open source code. In fact, information technology seems rather foreign Bitmain would include such a backstairs "out in the open", for anyone to run into.
Speaking to Bitcoin Magazine, Bitcoin Core developer Peter Todd, who was quick to comment to the issue on Twitter and Reddit, suggested:
"Bitmain probably underestimated how much source code really does get audited — it'southward a common myth that code never gets read. Likewise, if you're going to add together a backdoor, you do want plausible deniability in example it does go found. Hiding in plain sight, amongst thousands of lines of undocumented code, helps. Peradventure Bitmain volition claim this is actually a feature."
What It Affects
The backdoor probably affects virtually Antminers in apply today: the S9, the T9 the R4, as well as Litecoin'south L3.
The commit date indicates the backdoor was introduced in July 2016. This is one month after the first S9 machines were shipped. All machines that shipped since July 2016 should have the backstairs on board, which means they can be shut downward by Bitmain. Machines that were shipped before July 2016, just have been updated since, should be vulnerable, too.
"Information technology's difficult to say with certainty how much hash ability on the Bitcoin network is discipline to the vulnerability," our source said. "But since Bitmain is by far the market leader for hardware machines, it's not a stretch to attribute at least half of all hash power to the vulnerable machines. As such, Bitmain could potentially close downward an enormous share of Bitcoin's hash ability with the button of a button. In add-on to that, the visitor can target specific machines or customers."
And it's not just Bitmain who could shut downwardly the machines. Because the connection is unauthenticated, the code volition connect to anything that appears like "auth.minerlink.com", which tin can be spoofed by certain third parties. Apart from Bitmain, it could, for instance, be an internet service provider, anti-DoS service CloudFlare (used past Bitmain), or anyone who can hijack DNS records: rogue ICANN employees, hackers, the U.S. government, and more.
"The nicest possible explanation is that Bitmain is incompetent at security, putting the whole Bitcoin network at hazard," Todd concluded. "But given the history we have of miners threatening with attacks, it wouldn't surprise me if this was added as a last resort pick for shutting downward competitors if they needed to button something through with hashing ability."
Update
A representative for Bitmain commented on the issue:
"The code running on the machines is open source, anybody can review it so no secret features exist in it. The code that was pointed out is a feature to allow owners of the Antminers to exist able to remotely command their miners. It is not a secret and it does not provide any kind of remote control to Bitmain for the Antminers it does not own or operate in its own mining farms."
(Note: The representative provided this annotate a fleck earlier publication of the article, but due to a miscommunication this update was added only briefly afterwards publication.)
Update
Information technology should be noted that if you own an afflicted machine, a gear up is bachelor on antbleed.com as well.
Update
Bitmain has issued an official printing release commenting on the issue. In it, the company acknowledges the existence of the feature, stating:
"This feature was intended to allow the owners of Antminer to remotely shut down their miners that may have been stolen or hijacked by their hosting service provider, and to also provide police force enforcement agencies with more tracking information in such cases. Nosotros never intended to use this characteristic on any Antminer without authorization from its owner."
This story volition be updated as more news becomes bachelor.
The identity of our source is known to us and considered to be reliable.
Source: https://bitcoinmagazine.com/culture/bitmain-can-remotely-shut-down-your-antminer-and-everyone-elses
0 Response to "Will Antminer R4 Will Release Again in Bitmain"
Post a Comment