An anonymous security researcher has published details on a vulnerability named “Antbleed,” which the author claims is a remote backdoor affecting Bitcoin mining equipment sold by Bitmain, the largest vendor of cryptocurrency mining hardware on the market.
The so-called “backdoor” code was added to the firmware of Bitmain products on July 11, 2016. A security researcher reported the issue to Bitmain on September 19, 2016, via the company’s GitHub repository, where the company hosts the source code of its firmware.
The original bug report was ignored until yesterday, when a newly-launched website called Antbleed detailed the backdoor’s features.
Antbleed allows remote shutdown of Bitcoin miners
According to an analysis of the backdoor’s source code, Bitmain equipment will check every 1 to 11 minutes with a central service hosted at auth.minerlink.com, a domain registered by Bitmain.
During this check-in operation, the owner’s equipment will send over its serial number, MAC address, and IP address. According to these lines of code, if the Bitmain service returns a response of “false,” the user’s equipment will stop any mining operations.
“At worst, this firmware backdoor allows Bitmain to shut off a large section of the global hashrate (estimated to be at up to 70% of all mining equipment),” said the anonymous researcher who discovered this flaw.
“It can also be used to directly target specific machines or customers. Standard inbound firewall rules will not protect against this because the Antminer makes outbound connections,” he also added.
Several Bitmain products include the Antbleed code
The Antbleed vulnerability was discovered in the firmware of Bitmain equipment such as the Antminer S9, the company’s latest product.
Antminer is currently one of the most popular lines of Bitcoin mining equipment on the market. Researchers believe Antbleed also affects the Antminer L3, T9 and R4 series, although they haven’t tested those products to officially confirm it.
The Antbleed homepage lists a method to detect whether Antminer equipment is running an Antbleed-affected firmware version: use the hosts file to redirect queries for auth.minerlink.com to a test server under your control and watch for the miner’s check-in connections.
Furthermore, because the auth.minerlink.com domain is hardcoded in the firmware’s source code, owners of affected Bitcoin mining gear can protect against the remote shutdown of their equipment by modifying the same hosts file and pointing auth.minerlink.com at localhost, so the check-in never reaches Bitmain’s service.
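As an added example (this is not code from the Antbleed site or from Bitmain’s firmware), the two hosts-file steps above as a small POSIX shell script: pin auth.minerlink.com to a test server for detection, then to loopback to block the check-in. It assumes the firmware resolves the hardcoded domain through /etc/hosts, as the Antbleed page relies on; the hosts path is a parameter so the functions can be exercised against a scratch file, and 192.0.2.10 is a placeholder test-server address.

```shell
#!/bin/sh
# Added example: manage a hosts-file override for the hardcoded Antbleed
# check-in domain. Assumptions: the miner honours /etc/hosts for name
# resolution; HOSTS_FILE is passed explicitly (use /etc/hosts on the miner,
# a scratch file when testing); 192.0.2.10 stands in for a test server.

ANTBLEED_DOMAIN="auth.minerlink.com"

# antbleed_override HOSTS_FILE IP
# Idempotently pins ANTBLEED_DOMAIN to IP. Any earlier entry for the domain
# is removed first, so switching from a test server to 127.0.0.1 (or back)
# always leaves exactly one line for it.
antbleed_override() {
    hosts="$1"; ip="$2"
    tmp="${hosts}.tmp.$$"
    if [ -f "$hosts" ]; then
        # keep every line except those naming the check-in domain as a host
        grep -v -E "[[:space:]]${ANTBLEED_DOMAIN}([[:space:]]|\$)" "$hosts" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf '%s\t%s\n' "$ip" "$ANTBLEED_DOMAIN" >> "$tmp"
    mv "$tmp" "$hosts"
}

# antbleed_resolves_to HOSTS_FILE
# Prints the address the hosts file maps the domain to (empty if none).
antbleed_resolves_to() {
    awk -v d="$ANTBLEED_DOMAIN" \
        '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == d) { print $1; exit } }' \
        "$1" 2>/dev/null
}

# antbleed_blocked HOSTS_FILE
# Returns 0 when the domain is pinned to loopback, i.e. the miner can no
# longer reach the service that could answer its check-in with "false".
antbleed_blocked() {
    case "$(antbleed_resolves_to "$1")" in
        127.0.0.1|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Walk through both steps against a scratch file, never the real /etc/hosts.
demo() {
    f="$(mktemp)"
    printf '127.0.0.1\tlocalhost\n' > "$f"
    # Step 1 (detection): send check-ins to a test server you control.
    antbleed_override "$f" 192.0.2.10
    echo "detection:  $ANTBLEED_DOMAIN -> $(antbleed_resolves_to "$f")"
    # Step 2 (mitigation): pin the domain to loopback.
    antbleed_override "$f" 127.0.0.1
    echo "mitigation: $ANTBLEED_DOMAIN -> $(antbleed_resolves_to "$f")"
    if antbleed_blocked "$f"; then echo "check-in blocked"; else echo "check-in NOT blocked"; fi
    cat "$f"
    rm -f "$f"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run with `--demo` to see both states on a throwaway file; on a miner, call `antbleed_override /etc/hosts 127.0.0.1`. Pinning to a test server only reveals the check-ins to you; only the loopback entry stops the traffic, and the entry has to survive whatever reboot or firmware-update behaviour the device has, which this script does not address.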
Around 70% of Bitcoin hashrate affected
Bitcoin Core developer Peter Todd says “any MITM attacker or DNS attacker can activate it [Antbleed backdoor]” as there is no authentication mechanism included in the firmware.
According to his estimates, around 70% of the entire Bitcoin hashrate (mining operations) runs on Bitmain devices, meaning an attacker who managed to take over the minerlink.com domain, or to spoof its DNS answers, could issue a shutdown response and halt a large part of the Bitcoin mining ecosystem.
Shutting down Bitcoin mining means shutting down the verification of Bitcoin transactions, affecting the Bitcoin ecosystem itself.
Experts believe the Antbleed “backdoor” code was added as a crude DRM system so Bitmain could shut down the equipment of rogue customers. Other paranoid theories and plenty of curse words are available on Reddit and Hacker News.
Todd: I’d call it a backdoor, not DRM
Contacted by Bleeping Computer, Todd provided his own insight into the problem. “The functionality wasn’t publicly known to exist, so I’d call it a backdoor,” the Bitcoin expert said. “Equally, once you do know it exists, it’s relatively easy to block, so it’s not DRM in the sense that it’s effective. […] I just wouldn’t use the term ‘DRM’ to describe all of the above, because DRM usually is done with the goal of allowing your customers to keep using a product, just in a very constrained way.”
“I think they did put it in there to be able to shut down rogue customers. It’s just that they were doing it as a ‘last-ditch’ option,” Todd also added. “See, I’m not worried about Antbleed because Antbleed is effective. I’m worried about Antbleed because it shows that Bitmain is deeply untrustworthy and incompetent, and if they did that, who knows what else they’ve done.” Plus, there’s this issue.
Bitmain did not respond to a request for comment from Bleeping Computer in time for this article’s publication.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held cyber security researcher positions at a variety of cyber security start-ups. She also has experience in industry domains such as finance, healthcare and consumer products.