Dark Skippy: New Threat Steals Secret Keys from Signing Devices
A serious security threat called Dark Skippy has emerged in the cryptocurrency world. This method allows malicious actors to extract private keys from transaction signing devices, such as hardware wallets. The attack was discovered in the context of Bitcoin transaction signing devices but potentially applies to other areas as well.
To execute the Dark Skippy attack, the signing device must be compromised with malicious firmware. At the time of discovery, there were no recorded instances of Dark Skippy being used in real-world conditions. However, the potential danger remains high, given its effectiveness and stealth.
The essence of the attack lies in the ability to modify the device’s firmware to covertly embed parts of the private key into transaction signatures. Previously, it was believed that dozens of signatures were needed to extract the complete private key. However, researchers have shown that only two signatures are sufficient to compromise the device. A single use of a hacked hardware wallet can lead to the loss of all funds.
The Dark Skippy attack process consists of several stages:
- Compromising the Signing Device: The attacker modifies the device’s firmware. This modification can occur through:
- Physical tampering with the device
- Deceiving the user into installing malicious firmware
- Inserting malicious devices into the supply chain
- Using the Modified Signing Function: Instead of the standard Schnorr scheme, which uses random 32-byte nonces, the malicious firmware employs weak numbers with low entropy. These numbers represent parts of the extracted private key. For a 12-word seed phrase (totaling 16 bytes), the process is divided into two parts:
- The first 8 bytes are used for the nonce of the first input signature of the transaction
- The remaining 8 bytes are used for the nonce of the second input signature
- Monitoring Transactions: The attacker scans the mempool for signatures created by the compromised device.
- Extracting Secret Data: Upon identifying a suspicious transaction, the attacker uses a special algorithm, such as Pollard’s kangaroo algorithm, to recover the secret nonces from the public signature data.
- Reconstructing the Private Key: The recovered parts are combined to form the full 16-byte private key, which corresponds to the entropy of the 12-word seed phrase.
The name “Dark Skippy” derives from Pollard’s kangaroo algorithm used to extract secret data from signatures. “Skippy” is a reference to the kangaroo, and “Dark” emphasizes the stealthy nature of the attack.
More sophisticated versions of the attack might include additional measures to complicate detection. Attackers could use “blinding” nonces with an attacker-embedded key within the device. Furthermore, they might add watermarks to transactions to make them easier to identify in the blockchain.
Dark Skippy boasts several advantages:
- Stealth: Detecting the attack is nearly impossible.
- No additional communication channels: Data is extracted through standard Bitcoin network transactions.
- Effectiveness against stateless devices: The attack can be executed within a single transaction with multiple inputs.
- Master key extraction: The attack allows access to the entire wallet by extracting the seed phrase.
- Impact on all users of the compromised device: Even if a user generates a secure seed phrase independently, they remain vulnerable.
The attack was discovered by Robin Linus during a discussion on Twitter*. Subsequent research indicated that extracting a 12-word seed phrase is possible even with a standard laptop, making the attack more dangerous than initially thought.
Although the concept of covert channels in signing nonces had been discussed previously, Dark Skippy represents the most effective implementation of this idea to date.
Researchers Lloyd Fournier, Nick Farrow, and Robin Linus, who discovered the vulnerability, privately disclosed it to about 15 different hardware manufacturers on March 8, 2024. The goal was to gather feedback on the threat’s relevance within existing security models, discuss mitigation ideas, and prepare for public disclosure.
The release of the demonstration code for the attack is planned for September 2024. The code will enable the creation of malicious signatures, identification of affected transactions in the mempool, and decoding of extracted seed phrases.
To protect against Dark Skippy, it is recommended to use devices that implement anti-exfil data signing protocols. Researchers also propose new mitigation ideas that require significant discussion and input from developers. Full disclosure of Dark Skippy, including the demonstration code, is planned for September 2024. This code will allow for the creation of malicious signatures, identification of affected transactions in the mempool, and decoding of stolen seed words.