The bitcoin-only hardware wallet Coldcard has released a beta firmware patch for a vulnerability that also affected a competitor's hardware wallet earlier this year.
Ben Ma, a security researcher who works for hardware wallet manufacturer Shift Crypto, discovered that the Coldcard hardware wallet has a flaw: an attacker could trick a Coldcard user into sending a real bitcoin transaction when they think they are sending a "testnet" transaction, that is, a payment on Bitcoin's test network, which is not the same as mainnet.
Both testnet and mainnet bitcoin transactions, though, "have the exact same transaction representation under the hood," Ma writes in his post disclosing the vulnerability. An attacker, then, could generate a bitcoin mainnet transaction for the hardware wallet but make it look like a testnet transaction. The mainnet transaction is presented as a testnet transaction on the user's wallet, making it difficult for users to recognize the error.
Ma learned of the vulnerability after a pseudonymous researcher discovered the so-called "isolation bypass" attack in the French-manufactured Ledger hardware wallet.
Unlike Coldcard, Ledger supports many coins, so the bypass attack could work by tricking wallet users into sending bitcoin when they mean to send litecoin or bitcoin cash, in addition to testnet BTC.
When the initial vulnerability in the Ledger wallet was disclosed, Coinkite founder and Coldcard creator Rodolfo Novak said, "Coldcard doesn't support any shitcoins, we find that to be the best path," implying that his bitcoin-only wallet would be safe, since the flaw (partly) resulted from the fact that Ledger devices previously managed different coins using the same private key.
Since Coldcard doesn't support multiple coins, it theoretically shouldn't have this problem. And it wouldn't, if it weren't for the fact that the same attack can be carried out with bitcoin testnet addresses as well.
If a user's computer is compromised, and their Coldcard device is unlocked and connected to that computer, then an adversary could trick them into sending real bitcoin when they think they are sending testnet bitcoin.
"The attacker simply has to convince the user to e.g. 'try a testnet transaction' or to buy an ICO with testnet coins (I've heard there was an ICO like this recently) or any number of social engineering attacks to make the user perform a testnet transaction. After the user confirms a testnet transaction, the attacker receives mainnet bitcoin in the same amount," Ma writes in the post.
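To make the mechanism behind the quoted attack concrete, here is an added example (not code from Coldcard, Coinkite or Shift Crypto, and not a description of the patch Coldcard shipped). It shows why a mainnet transaction can be displayed as a testnet one: the bytes that go on chain (the scriptPubKey) carry no network tag, and the "bc1" versus "tb1" prefix appears only when display software picks a bech32 human-readable part. The bech32 routines follow BIP173; the pubkey hash is the one from the BIP173 test vectors; `coin_type_of` and `network_matches_derivation` are a hypothetical consistency check (BIP44/SLIP-44 coin_type 0' = bitcoin, 1' = testnet) of the kind a wallet could apply, assumed here for illustration.

```python
# Added example, not Coldcard/Coinkite/Shift Crypto code.
# Demonstrates that a P2WPKH output is network-agnostic on the wire and that the
# network label is purely a display choice; then shows a hypothetical check that
# compares the claimed network with the key derivation path.

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GENERATOR = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
HRP_FOR_NETWORK = {"mainnet": "bc", "testnet": "tb"}
# BIP44/SLIP-44 coin_type: 0' = bitcoin mainnet, 1' = bitcoin testnet
COIN_TYPE_FOR_NETWORK = {"mainnet": 0, "testnet": 1}


def bech32_polymod(values):
    # BIP173 checksum polynomial (reference implementation).
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GENERATOR[i]
    return chk


def bech32_checksum(hrp, data):
    expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    polymod = bech32_polymod(expanded + data + [0] * 6) ^ 1
    return [(polymod >> 5 * (5 - i)) & 31 for i in range(6)]


def convertbits(data, frombits, tobits):
    # Regroup 8-bit bytes into 5-bit groups, zero-padding the final group.
    acc, bits, out = 0, 0, []
    maxv = (1 << tobits) - 1
    for value in data:
        acc = (acc << frombits) | value
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if bits:
        out.append((acc << (tobits - bits)) & maxv)
    return out


def p2wpkh_script_pubkey(pubkey_hash20):
    # OP_0 <20-byte push>: exactly these bytes are serialised into the
    # transaction, on mainnet and on testnet alike.
    assert len(pubkey_hash20) == 20
    return b"\x00\x14" + pubkey_hash20


def display_address(script_pubkey, network):
    # The wallet UI renders the same scriptPubKey as bc1... or tb1... based only
    # on which network it *believes* it is showing.
    assert script_pubkey[:2] == b"\x00\x14"
    hrp = HRP_FOR_NETWORK[network]
    data = [0] + convertbits(script_pubkey[2:], 8, 5)  # witness version 0 + program
    return hrp + "1" + "".join(CHARSET[d] for d in data + bech32_checksum(hrp, data))


def coin_type_of(path):
    # Hypothetical check: parse "m/84'/1'/0'/0/0" and return the hardened
    # coin_type index, the one field in the signing path that names a network.
    parts = path.split("/")
    if parts and parts[0] == "m":
        parts = parts[1:]
    coin = parts[1]
    if not coin.endswith("'"):
        raise ValueError("coin_type must be hardened")
    return int(coin[:-1])


def network_matches_derivation(network, path):
    # A "testnet" screen backed by a coin_type 0' key path is the red flag.
    return coin_type_of(path) == COIN_TYPE_FOR_NETWORK[network]


# Constructed input: hash160 of the compressed secp256k1 generator point,
# the key behind the BIP173 example addresses.
PUBKEY_HASH = bytes.fromhex("751e76e8199196d454941c45d1b3a323f1433bd6")

if __name__ == "__main__":
    spk = p2wpkh_script_pubkey(PUBKEY_HASH)
    print("scriptPubKey (network-agnostic):", spk.hex())
    print("shown as mainnet:", display_address(spk, "mainnet"))
    print("shown as testnet:", display_address(spk, "testnet"))
    print("testnet label, mainnet key path, consistent?",
          network_matches_derivation("testnet", "m/84'/0'/0'/0/0"))
```

Running the block prints one scriptPubKey and two addresses that differ only in prefix and checksum; the last line prints `False`, which is the condition a signing device would need to notice before the user confirms a transaction it labels as testnet.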
Seeing as an attacker could execute this attack remotely, it met Shift Crypto's criteria for a critical issue, triggering the responsible disclosure process.
According to the post, Ma disclosed the vulnerability to Coinkite on Aug. 4 and Novak acknowledged it the next day. On Nov. 23, Coldcard released a beta firmware to patch the vulnerability.