Hertzbleed, a new form of computer attack, would allow its perpetrator to discover the private keys of a Bitcoin wallet, the same ones that are used to send a transaction in this protocol, when said wallet is operated from a personal laptop or CPU.
The word Hertzbleed refers to the expression “frequency bleeding,” referring to “hertz” or hertz, the unit for measuring frequency, and bleedin English “bleeding”.
In this sense, Hertzbleed collects information about the performance of laptop microprocessors and CPUs. It uses the time and intensity of the cycles to carry out secret cryptographic processes, similar to those carried out when Bitcoin transactions are created with a private key and a public key of a wallet.
Can Hertzbleed affect a Bitcoin wallet?
In this week’s Bitcoin technical development bulletin, Bitcoin Optechreviewed this type of attack:
A newly discovered vulnerability affects many popular CPU-type processors in laptops, desktops, and servers, which would allow attackers to discover private keys when those keys are used to sign Bitcoin transactions (or do other similar operations). . The notable aspect of this attack is that it can affect signature generation code that was specifically written to always use the same type and number of CPU operations to prevent leaking information to attackers.
Bitcoin Optech.
From Optech they clarify that the attacker would have to calculate the power consumption of a CPU processor or measure the duration time that this processor takes to sign an operation. The ideal scenario for this to occur is when the same private key is frequently used to sign Bitcoin transactions from a computer.
“Therefore, the vulnerability can affect hot wallets [de software] that are frequently used, such as those used by services hosted by your provider and Lightning Network routing nodes. Most used wallets offline [como una hardware wallet] that are used in secure environments could be much more resistant to this attack, “they say.
Hertzbleed It was discovered by a group of researchers from the universities of Texas, Illinois and Washington, who conducted experiments on it. Intel, a leading microprocessor manufacturer, reviewed the study and assured that all your processors may be affected, describing Herzbleed thus:
The observable power management behavior of some Intel processors may allow an authenticated user to potentially obtain information via network access..
Intel.
Is Bitcoin Core resistant to Hertzbleed attack?
Some Bitcoin developers and Cryptography experts have clarified that while it is difficult to carry out this attack against a wallet, it is still a very new type of vulnerability to draw conclusions.
Developer Pieter Wuille Indian that although Bitcoin Core is able to carry out key generation processes in an armored manner, not all of them have the same level of protection for each time they are made.
the code library libsecp256k1 it is mainly used for Bitcoin, as it says on its GitHub, and is designed to generate public or secret keys with advanced cryptography.
Yes, libsecp256k1 has what it takes to protect itself and heavily armor itself [belt-and-suspenders]. But it doesn’t cover all secret operations, and regularly relies on adding more entropy (by making separate API calls) [subfunciones y rutinas de software].
[…] So I can’t at this point ensure that libsecp256k1 is not affected. This is a new type of attack with unforeseen consequences. Possibly lead to make some changes in the API [de Bitcoin].
Pieter Wuille, Bitcoin developer.
“Bitcoin Core shields processes only at startup, not every time for every signature operation,” Pieter Wuille said in another comment.
Regarding Hertzbleed, it might be worth considering that with this type of attack also other keys or the authentication signature of other processes could be stolen to be done on the computer. For now there is no patch or solution to this vulnerability, nor have attacks already been reported.