A recently discovered attack vector, Dark Skippy, poses a significant threat to the security of Bitcoin hardware wallets. It allows a compromised signer to steal the master seed phrase by embedding part of it in the transaction signature, requiring only two transactions to complete. Unlike the previous assumption that multiple transactions were required, this streamlined approach means that a single use of a compromised device can lead to a complete security compromise.
The attack relies on malicious firmware that modifies the standard signing process. Normally the signing operation uses a randomly generated nonce as part of Schnorr signing. A device compromised by Dark Skippy instead uses a deterministic, low-entropy nonce derived from the master seed itself: the first half of the seed serves as the nonce for one transaction and the second half for another, so an attacker who observes both signatures can piece together the entire seed.
This attack requires the signing device to be corrupted, which can happen in a variety of ways. Malicious firmware could be installed by an attacker or accidentally by a user. Alternatively, an attacker could distribute pre-compromised devices through the supply chain. Once in place, the compromised firmware embeds secret data within public transaction signatures, effectively using the blockchain as a covert channel to leak sensitive information.
An attacker watches the blockchain for transactions that have a specific watermark that reveals the presence of embedded data. Using algorithms such as Pollard's Kangaroo, the attacker can derive a low-entropy nonce from the publicly signed data and subsequently reconstruct the seed, taking control of the victim's wallet.
While this attack vector does not represent a new fundamental vulnerability (nonce covert channels are already known and mitigated to some extent), Dark Skippy improves upon these vulnerabilities, exploiting them more efficiently than previous methods. The sophistication and efficiency of this technique make it particularly dangerous, as it is performed without the user's knowledge and is difficult to detect after the fact.
Robin Linus is credited with the discovery. The attack came to light during a Twitter discussion last year, which brought attention to its potential. Further research at a security workshop confirmed that the entire 12-word seed could be extracted using minimal computational resources, demonstrating the effectiveness of the attack and how easily it can be carried out on even modestly equipped systems.
Mitigating such attacks includes implementing “anti-exfil” protocols on signing devices to prevent unauthorized disclosure of sensitive data, but these defenses must be rigorously implemented and continually developed to stay ahead of evolving threats.
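To make concrete what an anti-exfil protocol buys the host, here is an added example (not code from the article or from any wallet vendor): a simplified Schnorr signer in which the host injects randomness into the nonce only after the device has committed to it, and refuses to broadcast unless the final nonce point matches that commitment. The function names are hypothetical, the Schnorr variant is simplified rather than BIP340, and the device's own nonce k is deliberately tiny to stand in for seed-derived data.

```python
import hashlib
import secrets
# secp256k1 parameters (real constants); textbook affine arithmetic, demo only.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None      # a == -b
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else: lam = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):
    r = None
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def enc(pt): return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")
def hint(*parts): return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N

def device_sign(d, k, t, host_commit, msg):
    """Device: blind its own nonce k with host randomness t, then sign (simplified Schnorr)."""
    assert hashlib.sha256(t).digest() == host_commit       # host must open its commitment
    r0 = mul(k, G)
    k2 = (k + hint(enc(r0), t)) % N    # k' = k + H(R0 || t): full entropy even if k is seed data
    r, pk = mul(k2, G), mul(d, G)
    e = hint(enc(r), enc(pk), msg)
    return r, (k2 + e * d) % N

def host_verify(pk, r0, t, r, s, msg):
    """Host: accept only if R was derived from the committed R0 and the signature verifies."""
    if r != add(r0, mul(hint(enc(r0), t), G)):
        return False                    # nonce deviates from commitment: do not broadcast
    e = hint(enc(r), enc(pk), msg)
    return mul(s, G) == add(r, mul(e, pk))

def anti_exfil_sign(d, k, msg):
    """Whole exchange: host commits to t, device commits to R0, host opens t, device signs."""
    t = secrets.token_bytes(32)                              # host randomness
    host_commit = hashlib.sha256(t).digest()
    r0 = mul(k, G)                                           # device's nonce commitment
    r, s = device_sign(d, k, t, host_commit, msg)
    return host_verify(mul(d, G), r0, t, r, s, msg), (r, s)
```

A signer that ignores t and signs with its seed-derived k directly still produces a valid Schnorr signature, but its R no longer equals R0 + H(R0 || t)·G, so the host check rejects it before anything reaches the chain.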
The crypto community and device manufacturers are urged to address these vulnerabilities promptly to protect users from potential exploits posed by Dark Skippy and similar methods. Users should remain vigilant and ensure their devices are running genuine firmware and are sourced from trusted vendors to minimize the risk of a compromise. Additionally, multisig configurations add a further layer of defense, since a single compromised signer can no longer spend the funds on its own.