BeatCoin: Leaking Private Keys from Air-Gapped Cryptocurrency Wallets
Mordechai Guri

TL;DR
This paper demonstrates that air-gapped cryptocurrency wallets, considered secure offline storage, can have private keys exfiltrated through various covert channels, highlighting significant security risks even in isolated environments.
Contribution
The paper introduces methods to exfiltrate private keys from air-gapped wallets using multiple covert channel techniques, revealing vulnerabilities in cold wallet security.
Findings
Private keys can be stolen in seconds from air-gapped wallets.
Multiple exfiltration techniques are feasible, including electromagnetic and acoustic channels.
Air-gapped wallets are not immune to sophisticated malware attacks.
Abstract
Cryptocurrency wallets store the wallet's private key(s), and hence, are a lucrative target for attackers. With possession of the private key, an attacker virtually owns all of the currency in the compromised wallet. Managing cryptocurrency wallets offline, in isolated ('air-gapped') computers, has been suggested in order to secure the private keys from theft. Such air-gapped wallets are often referred to as 'cold wallets.' In this paper, we show how private keys can be exfiltrated from air-gapped wallets. In the adversarial attack model, the attacker infiltrates the offline wallet, infecting it with malicious code. The malware can be preinstalled or pushed in during the initial installation of the wallet, or it can infect the system when removable media (e.g., USB flash drive) is inserted into the wallet's computer in order to sign a transaction. These attack vectors have repeatedly…
