The cryptocurrency landscape has seen a surge in security breaches recently. The first half of 2024 witnessed an escalation in thefts, with losses totaling $1.49 billion—a staggering 120% increase compared to the previous year. Hot wallet attacks and private key leaks were among the primary contributors to these losses.
Hardware wallets are one of the most sought-after mitigation techniques for such attacks. However, once considered the gold standard for digital asset security, hardware wallets are now facing unprecedented threats. A recently discovered attack method, dubbed "Dark Skippy", highlights a critical vulnerability in these devices.
Dark Skippy is a malicious firmware attack that allows adversaries to extract a user's complete seed phrase from just a couple of signed transactions. This type of attack was first highlighted by BitVM creator Robin Linus on X (formerly Twitter) in 2023. It was discovered that attackers relied on a brute-force method known as "nonce grinding" to extract seed information from transaction signatures. This previous version of Dark Skippy was both time-consuming and resource-intensive, requiring numerous transactions to be analyzed. The latest version of Dark Skippy, on the other hand, leverages a more sophisticated technique. This method allows attackers to extract a user's complete seed phrase from just a few signed transactions, significantly reducing the effort required compared to previous methods.
At its core, Dark Skippy exploits a vulnerability in the transaction signing process. By manipulating the random numbers (nonces) used in creating transactions, attackers can potentially extract the entire seed phrase from a hardware wallet.
The attack involves embedding portions of the seed phrase within the signature itself. This covert channel allows attackers to efficiently extract the seed phrase by employing algorithms like Pollard's Kangaroo. This algorithm, inspired by the Australian children's television character, involves creating two computational paths (a "tame" and a "wild" kangaroo) that eventually converge, revealing the desired information.
The latest version of Dark Skippy was disclosed on August 5, 2024, in a tweet by Nick Farrow, co-founder and CEO of Frostsnap, a Bitcoin self-custody hardware wallet:
The attack, while representing a novel exploitation method, builds upon previously identified vulnerabilities in the transaction signing process. The research team behind the discovery conducted an in-depth analysis, surpassing initial estimates of the attack's effectiveness. They successfully extracted a complete 12-word seed phrase using minimal computational resources, emphasizing the attack's potency.
The team acknowledges the existence of prior research on nonce covert channel attacks but posits that Dark Skippy represents a more refined and potent execution of this technique.
The research team, including Frostsnap co-founders Lloyd Fournier and Nick Farrow, along with Robin Linus, state on the Dark Skippy website:
“We investigated this attack as part of a security workshop we were running for a conference and found it to be even more effective than previously speculated, in that we were able to extract a 12-word seed with minor computational resources. In fact, a decent laptop suffices to achieve what Linus claimed.
Nonce covert channel attacks have been publicly discussed (and mitigated) in the past, within Bitcoin contexts so this attack does not represent a new vulnerability but rather a new way of exploiting an existing vulnerability.
We believe that Dark Skippy is now the best-in-class attack for malicious signing devices. So despite the attack vector not being new we deem disclosure to be worthwhile.”
To execute a Dark Skippy attack, malicious actors must first compromise a hardware wallet by installing compromised firmware. This firmware is designed to embed parts of the user's seed phrase into the transaction signatures.
The malicious firmware employed in such attacks deviates from standard Schnorr signing protocols. Instead of generating random nonces, it deliberately selects weak, low-entropy nonces that are directly derived from the user's secret seed. Specifically, the first 8 bytes of the seed are used for the first signature's nonce and the remaining 8 bytes for the second. This strategic manipulation allows for the covert extraction of the entire seed phrase through subsequent analysis of the generated signatures.
When a user signs a transaction, the malicious firmware subtly embeds a portion of the seed phrase into the signature. This data is then broadcast to the network.
The attacker meticulously scans the network's transaction pool (mempool) for signatures bearing the hallmarks of the malicious firmware. Upon identifying a target transaction, they employ an algorithm such as Pollard's Kangaroo to recover the low-entropy secret nonces behind the public nonces embedded within the signature. By piecing together these recovered components, the attacker reconstructs the 16 bytes of entropy that the malicious signer was trying to exfiltrate.
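For a firmware auditor, the nonce pattern described above can be checked directly when the device is loaded with a known test seed. The following is an added example, not code from the original article or from the Dark Skippy researchers; the function names, the big-endian reading of each seed half, and the 64-byte signature layout with the nonce's x-coordinate in the first 32 bytes are assumptions.

```python
# Added example: audit check for seed-derived nonces on secp256k1 (names are hypothetical).
P = 2**256 - 2**32 - 977  # field prime
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def point_mul(k, pt=G):
    """Double-and-add scalar multiplication (audit use only, not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc

def leaked_nonce_xs(test_seed16):
    """x-coordinates of R = k*G where k is each 8-byte half of the test seed."""
    ks = [int.from_bytes(h, "big") for h in (test_seed16[:8], test_seed16[8:])]
    return [point_mul(k)[0].to_bytes(32, "big") for k in ks if k]

def audit_signatures(test_seed16, sigs):
    """Indices of 64-byte signatures whose public nonce matches a seed half."""
    bad = set(leaked_nonce_xs(test_seed16))
    return [i for i, s in enumerate(sigs) if s[:32] in bad]

# Constructed sample: a known test seed and three signatures captured from a device under test.
TEST_SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
_xs = leaked_nonce_xs(TEST_SEED)
_clean = point_mul(2**255 - 19)[0].to_bytes(32, "big")  # stand-in for a high-entropy nonce
SAMPLE_SIGS = [_xs[0] + b"\x11" * 32, _clean + b"\x22" * 32, _xs[1] + b"\x33" * 32]
print(audit_signatures(TEST_SEED, SAMPLE_SIGS))
```

A clean result only rules out the unmasked pattern described above; firmware that transforms the seed bytes before using them as a nonce would not match this comparison.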
The Dark Skippy attack poses a severe threat to the security of hardware wallets. It highlights the importance of firmware security and user vigilance. If successful, this attack could lead to the complete loss of a user's cryptocurrency holdings.
Moreover, the attack's efficiency in extracting seed phrases with minimal transactions makes it nearly impossible to detect or trace an illicit flow.
Understanding the various methods employed by attackers to compromise hardware wallets is crucial for developing effective countermeasures. This section categorizes malicious signer attacks based on the targeted component of the signing algorithm.
Attack Vectors:
To protect against Dark Skippy and similar attacks, hardware wallet manufacturers and users must adopt a multi-layered approach to security.
Here are some ways in which hardware wallets can be made more secure from Dark Skippy attacks:
Hardware Manufacturers:
And users of hardware wallets can take the following steps to further boost their security against threats:
It's crucial to stay informed about the latest security developments and to adopt a layered approach to protecting your digital assets. The new Dark Skippy attack method serves as a stark reminder that the cryptocurrency landscape is constantly evolving. While the threat is significant, it's essential to avoid panic and instead focus on implementing enhanced security measures. By understanding the risks and taking proactive steps, users can significantly improve the safety of their holdings.