Firmware Distribution as Attack Surface: A Security Study of ASIC Cryptocurrency Miners

TL;DR

This study analyzes the firmware distribution ecosystem of ASIC cryptocurrency miners, revealing it as a significant attack surface that enables large-scale security vulnerabilities and attacks.

Contribution

Introduces a scalable static analysis methodology for firmware artifacts, uncovering security weaknesses and attack paths in the mining device ecosystem.

Findings

Firmware artifacts reveal internal architecture and vulnerabilities.

Identifies attack vectors like firmware phishing and Stratum V1 exploitation.

Validation confirms artifacts reflect deployed software and enable attacks.

Abstract

ASIC cryptocurrency miners are a core component of blockchain infrastructures, directly converting computation and energy into monetary value. Despite their economic importance, their security is rarely evaluated in a structured manner. In this paper, we show that the firmware distribution ecosystem of mining devices fundamentally challenges existing trust assumptions. We introduce a scalable methodology based on the collection and static analysis of publicly distributed firmware artifacts, requiring neither device access nor runtime interaction. Applying this approach, we reconstruct and analyze 134 firmware images spanning manufacturers that account for over 99% of deployed miners (Bitmain, MicroBT, Canaan, Iceriver). Our results reveal that firmware artifacts alone are sufficient to recover internal architecture, identify security weaknesses, and reconstruct complete attack paths leading to high-impact adversarial objectives. In particular, our analysis reveals vulnerabilities that enable realistic large-scale attack scenarios, including firmware phishing and the exploitation of miners still operating over Stratum V1. Validation on two real devices confirms that publicly distributed artifacts closely reflect deployed software and that these weaknesses translate into attack capabilities. Overall, our study shows that firmware distribution mechanisms themselves constitute a primary attack surface, significantly lowering the barrier to compromise in the ASIC mining ecosystem.