Users storing bitcoin with hardware from a leading data protection company have been urged to update their devices or risk losing funds.
In a company blog post on Friday, Gemini CSO Cem Paya released details of a vulnerability he encountered that allows attackers to brute-force secret keys from SafeNet's brand of hardware security modules, or 'HSMs'.
These tamper-proof, specialist devices are used to safeguard all manner of cryptographic keys for the likes of governments, banks and payment companies. They've been hailed as the 'next step' for bitcoin security.
While testing the SafeNet Luna G5 for use in the forthcoming exchange's cold storage, Paya discovered a design flaw in its software that meant both public and private keys could be extracted – even though they are designed never to leave the device. Clients using any of Safenet's three HSMs to manage their bitcoin keys would be at risk, he said, adding:
"Bitcoin is the one payment technology where possession of money can be boiled down to pure cryptographic capability: generating a signature with an ECDSA private key is money. If you lose control of that private key, you lose the ability to spend your funds, plain and simple."
According to SafeNet, which released a fix last Thursday, the firm rated the severity of the vulnerability as 'high'.
Chris Dunn, VP of technology and crypto management at Gemalto, the company that acquired SafeNet in January, told CoinDesk there have been no known exploits so far. This, he added, was partly due to the specialised nature of the hardware – which can only be accessed by a trusted client.
"Vulnerabilities with the HSM itself are quite rare and difficult to exploit given where and how customers deploy their HSM. The HSM also includes several usage and access control policies that can be used to protect against this type of vulnerability."
Commonly, HSMs are held in air-gapped, covert locations that are only known to select staff members. Certain models are even programmed to self-destruct if they are compromised.
Bitcoin and HSMs
Though the company protects some 750 million encryption keys, relatively few of its 25,000 clients are using these machines to protect their bitcoin.
"We ... have some bitcoin focused customers currently, however this is a new use case for our HSMs," Dunn said.
The devices are still a relatively niche, and costly, product for the bitcoin industry. However, as part of a wider move to traditional security standards – also visible in insurance – venture-backed companies like Gemini and API developer Gem are now utilising these bits of kit as part of their offline (or 'cold') storage solutions.
"There are things [in bitcoin] we can do better than Visa, MasterCard and American Express, but they do a pretty good job of securing private keys. How do they do that? They do that through HSMs," Gem's COO Ken Miller told CoinDesk.
SafeNet Luna SA
The SafeNet Luna SA – an Ethernet-attached HSM server
His company has been vocal about its eight-month integration with Thales, a manufacturer of military-grade HSMs, which required a team of engineers from both companies to create new software that allowed the machines to "speak bitcoin", not RSA.
"We've since found out that a lot of really well-known companies in the bitcoin space have gone down this path and decided not to for that very reason, it's too much work," Miller said, adding that if enough people come knocking, Gem might consider reselling its custom machines.
By contrast, Paya said Gemini did not run into any significant compatibility issues when using SafeNet for bitcoin key storage. "Their HSMs supported ECDSA algorithm as well as the specific bitcoin curve out-of-the-gate without any problems," he said, adding:
"While I'm not familiar with the specific problems Gem face, I can say that each product has a unique set of strengths and weaknesses. Some units we are evaluating did not support bitcoin until recently, while others had OS/software issues that required additional workarounds."
Future adoption
Due to its rarity, Paya said the vulnerability – now patched – does not impact Gemini's plans to use HSMs as part of its back-end security, or Safenet hardware in particular.
"This vulnerability serves as a reminder that sometimes even the additional layers of defence that go above-and-beyond (such as using dedicated HSMs to manage keys) can fail," he said.
However, he added: "HSMs remain the best-practice for managing cryptographic keys."
Gem's COO agreed. While there is no silver bullet for companies to safeguard bitcoin and prevent attacks, the best strategy, he said, was one based on multiple layers of security – including HSM hardware.
"Any hardware or software solution is only going to be as good as the implementation of that solution so it’s critical to be rigorous and thoughtful around the implementation, management, and review of the solution. But having the best available hardware solution is worlds better than not having it."