
How does the Antbleed backdoor vulnerability work?

Antbleed, a backdoor vulnerability, was discovered in bitcoin mining equipment. Expert Matthew Pascucci explains how the Bitmain flaw works and how it can be prevented.

A backdoor vulnerability called Antbleed, which enables the remote shutdown of bitcoin miners, was recently discovered in bitcoin mining equipment. How does it work? Could something like this happen on enterprise networks? How can you scan for this type of thing?

The popular bitcoin mining provider Bitmain Technologies recently came under fire for a supposed backdoor in the firmware of its widely used cryptocurrency mining hardware. The vulnerability was aptly named Antbleed, a combination of the Antminer model name and the naming of earlier data-leakage vulnerabilities such as Heartbleed.

It's estimated that Bitmain holds around 70% of the bitcoin mining market, and with this vulnerability present in the firmware of the majority of its systems, there was concern in the bitcoin industry that Bitmain was looking to establish a remote device-management relationship with, or even to remotely monitor, its customers.

Within the firmware of the Bitmain systems is a hardcoded domain, auth.minerlink.com, that the device reaches out to every few minutes, with the longest interval between callouts being 11 minutes. Each callout sends the MAC address, IP address and even the serial number of the device to the site, and if the device can't connect to the domain, it stops mining. This is a privacy concern, since it sends identifying information -- possibly even the location of the device, inferred from the IP address -- to a vendor that doesn't need this data.

The connection itself is an outbound connection, and it's difficult to stop without firewalling particular source addresses beforehand. Many privacy advocates were rightfully concerned with Bitmain potentially monitoring its clients.

Another security issue with this callout is its unauthenticated nature, which leaves the service completely open to domain name system hijacking or man-in-the-middle attacks. If this attack were to occur, or even a distributed denial-of-service attack on the hardcoded site, it could stop the functionality of mining operations for close to 70% of bitcoin miners.

To stop this from occurring while still being able to mine, miners have gone to the effort of adding custom entries to their hosts files that point auth.minerlink.com to 127.0.0.1. This gives the system a local resolution for the domain, but prevents it from sending information to the vendor or from shutting down the mining application.

After seeing the hysteria around Antbleed, Bitmain wrote a blog post explaining the reasoning behind this system callout. It explained that the feature was going to be introduced as a way for customers to monitor equipment, which is often hosted outside of their premises, and to shut down miners that might have been stolen or hijacked. It gave multiple examples of Antminers being withheld from their owners or being hijacked.

According to Bitmain's blog post, the feature was intended to give owners the capability to shut down systems over which they had lost control. It was, however, never fully developed, and was left in the code, which was open source and was found there by a researcher. Bitmain took steps to remediate the firmware of all affected products and released updated firmware that removes the feature.

Firmware hacks are nothing new, and both Cisco and Juniper have had malicious firmware exploits on their equipment. It's still up for debate, but the Antbleed issue doesn't seem to be malicious, just poor hygiene. Protecting against these attacks is incredibly difficult, and a behavior-based understanding of your network and its outbound callouts, combined with proper segmentation and firewalling, is the only real option for preventing data theft.
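As an added example (not from the article or from Bitmain), here is the behavior-based approach applied to a constructed DNS resolver log: it flags any client that queries one name at a regular cadence no longer than the 11-minute maximum check-in interval described above. The log format, the sample addresses and the 20% jitter threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample resolver log (not real traffic): timestamp, client, queried name.
SAMPLE_DNS_LOG = """\
2017-04-26T10:00:05 192.0.2.11 query auth.minerlink.com
2017-04-26T10:00:09 192.0.2.11 query pool.example.net
2017-04-26T10:10:07 192.0.2.11 query auth.minerlink.com
2017-04-26T10:15:31 192.0.2.12 query updates.example.org
2017-04-26T10:20:06 192.0.2.11 query auth.minerlink.com
2017-04-26T10:30:08 192.0.2.11 query auth.minerlink.com
2017-04-26T10:40:05 192.0.2.11 query auth.minerlink.com
2017-04-26T11:02:44 192.0.2.12 query updates.example.org
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+)$")

def parse_dns_log(text):
    """Return {(client, name): [datetime, ...]} from the assumed log format above."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected format
        ts, client, name = m.groups()
        seen[(client, name)].append(datetime.fromisoformat(ts))
    return seen

def find_beacons(text, max_interval_s=11 * 60, min_hits=4, max_jitter=0.2):
    """Flag (client, name) pairs queried at a steady cadence of at most max_interval_s.

    An Antbleed-style check-in repeats every few minutes with little variation, so a
    low coefficient of variation in the inter-query gaps is the signal used here.
    """
    hits = []
    for (client, name), times in parse_dns_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if 0 < avg <= max_interval_s and pstdev(gaps) / avg <= max_jitter:
            hits.append({"client": client, "name": name,
                         "interval_s": round(avg), "hits": len(times)})
    return hits

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_DNS_LOG):
        print(hit)
```

A flagged name that is not a known pool or update server is a candidate for the hosts-file sinkhole or firewall rule discussed above.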

Even with this in place, detection can be incredibly difficult to pinpoint. Following proper security hygiene across the board can go a long way in protecting against these types of threats.


This was last published in July 2017
