Antbleed exposes ‘70 percent’ of Bitcoin miners to attack

Antbleed.com recently revealed a backdoor in Bitmain’s Antminer brand of Bitcoin miners, which allows attackers and Bitmain to remotely shut down the bitcoin mining hardware.

The brand new website was created solely for the purpose of exposing the security issue. The anonymous creators state that Bitmain mining machines contain code in their firmware that checks-in with a central service randomly every 1 to 11 minutes.

“Each check-in transmits the Antminer serial number, MAC address and IP address,” the website explains. “Bitmain can use this check-in data to cross check against customer sales and delivery records making it personally identifiable.” However, the remote service can then return “false," which will stop the miner from mining.

“At worst, this firmware backdoor allows Bitmain to shut off a large section of the global hashrate (estimated to be at up to 70% of all mining equipment). It can also be used to directly target specific machines or customers.”
— – Antbleed.com

The backdoor code is in a driver file located in the open source database Github, where it has been publicly available, but overlooked, for several months. Antbleed.com states that Bitmain S9 hardware includes the code, as well as L3, T9 and R4 series.

Bitmain confirmed that those models are indeed infected. The company added L3+ series to the list of the affected models, which is a Litecoin miner. The list now covers all Antminer products for sale on the company website.

Bitmain states that the feature was designed and coded by the same team that is responsible for the firmware of Antminers: “As the firmware has always been open-source, the feature was never intended to be malicious.”

The company states that the feature, called Minerlink, was designed to “empower customers to control their miners which often times can be hosted outside their premises.”

Bitmain states that Minerlink was inspired by several incidents involving mining hardware being stolen from a mining farm or being hijacked by the operator of the mining farm, and is similar to the remote erase or shutdown features provided by smartphone manufacturers.

However, the feature was never completed. “We hoped to make it a useful feature that we could advertise to our customers. But, due to some technical problems,” the company states. “We were unable to finish the development of this feature and shut down the testing server in December 2016.”

“It is a bug to leave the code there before the feature is fully complete and acknowledged to the users. This bug has now been pointed out in context of Bitcoin’s scaling roadmap debate and has caused considerable misunderstandings within the Bitcoin community.”
— – Bitmain

The developer of the code has since taken personal responsibility for the bug on Github. "I apologize for this. I uploaded some uncompleted feature’s code and caused considerable misunderstandings." Bitmain developer Fazio admitted. “I made a mistake to upload the test code to github without checking carefully, I’m really apologize for this.”

Software patches to remove the backdoor entirely have been developed both by the Bitcoin developers behind the Antbleed website and from Bitmain themselves already, but every miner with the infected firmware has to upgrade their machines manually before they are safe from remote takeover attacks.

Antbleed was named after a string of internet exploits including Heartbleed and Cloudbleed, which both left gaping holes in internet security. The new website points out that mining rigs running the code could  be controlled by Bitmain personnel or easily hacked into and used by a third parties. “Even without Bitmain being malicious, the API is unauthenticated and would allow any MITM, DNS or domain hijack to shutdown Antminers globally,” the website describes. This firmware backdoor "can also be used to directly target specific machines or customers," they further claim.

A Man in the Middle Attack (MITM) is a classic computer exploit where an unknown attacker intercepts messages between two parties, and changes the messages, for malicious purposes. In this case, the messages from the Antminer hardware and Bitmain could be exchanged for a message telling the hardware to shut down, or possibly even disabling it permanently.

A Domain Hijack attack, or “domain spoof” attack, is similar. In this case, the attacker can imitate the service that Antminers are sending messages to, auth.minerlink.com, and reply with a subversive alternative message.

“Additionally the domain in question DNS is hosted by Cloudflare making it trivially subjected to government orders and state control.”
— – Antbleed.com

This is the second controversy to surround Bitmain this month. On April 5, Bitcoin Core developer Greg Maxwell revealed that the company has covertly implemented patent pending technology known as AsicBoost.

AsicBoost is designed to reduce power consumption, and claims to offer a 20% increase in miner returns. Timo Hanke and Sergio Lerner claim to have invented the technology, and have submitted patents in the US.

While Hanke and Lerner are inviting licensing application, they claim that the technology has yet to be deployed. While Bitmain has deployed the technology covertly, the company claims to have not used it.

Maxwell describes the covert deployment as, “a clear and present danger to the Bitcoin system which requires a response.” The developer provided two examples of the harm that covert implementations of  ASICboost can do; Creating “inequality in the mining process,” and causing “interference with useful improvements.”

The Bitcoin core developer points out that AsicBoost technology is incompatible with a number of blockchain scaling solutions, such as Segregated Witness (SegWit). While the Bitcoin Improvement Proposal has wide support within the industry, only ~40 percent of miners have indicated their support for implementing the change.

SegWit needs 95% of miners signaling for the change over a 2016 block period in order to activate.