Summary
The hack that occurred on May 12 2016 to steal 7,218 ethers from Patrick only affects miners where:
- Incoming RPC connections from the Internet on TCP port 8545 are forwarded to the machine running the Ethereum node software
geth
; geth
is running with the parameters--rpc
enabled; and- The Ethereum Wallet (Mist) is used on the same
geth
machine and is used to send a transaction, requiring thegeth
account to be unlocked for a 2 second period.
The hacker sent a continuous stream (every 2 seconds) of sendTransaction(...)
request to Patrick's IP address on port 8545, and this request was forwarded to the geth
instance. When Patrick used the Ethereum Wallet to send a transaction, the Ethereum Wallet unlocked Patrick's account for 2 seconds and the hacker's transaction succeeded in moving Patrick's ethers to the hacker's account.
The Details
User Patrick on the DAOHub forum posted the message yesterday with the subject [Urgent]Buying DAO using Mist has hacked.
Patrick used the Ethereum Wallet to transfer 1 ether to test out buying TheDAO tokens on his mining computer. When (so far it seems that) Ethereum wallet unlocked his geth
wallet for 2 seconds (via the IPC API, not exposed to the Internet), a bot that was watching his geth
wallet activity swooped in to send a transfer instruction to geth
(via JSON-RPC, exposed to the Internet) and transferred his remaining 7218 ethers into the hacker's account.
Here is Patrick's account showing the 1 ether transfer before the removal of his remaining balance ~ 17 seconds later (0x95a3ba0aabc6296cbbe3862a889ecb37979da493):
Here is the hacker's account showing the 7,218 ethers being split into many fragments of 97.54489533580829 ether transactions (0xc5d431ee2470484b94ce5660aa6ae835346abb19):
Here is the bit of code from the Ethereum Wallet mist/interface/client/templates/popupWindows/sendTransactionConfirmation.js #228 that unlocks the geth
account for 2 seconds:
web3.personal.unlockAccount(Session.get('data').from, pw || '', 2, function(e, res){
The 1 ETH transaction occurred at 2016-05-12 03:12:57.
The 7218.368874849814 ETH transaction occurred at 2016-05-12 03:29:03, ~ 17 seconds after the 1 ETH transaction, which is the 2 second window + the average ~ 15 second Ethereum blocktime.
After the hack, Patrick ran some analysis on his computer and found network communications every few seconds over the geth
RPC port 8545 executing the following commands:
eth_accounts
– to list the accounts on thegeth
instanceeth_mining
– to find out the mining activity on the nodeminer_setEtherBase
– to try to setgeth
etherbase account but this failedeth_getBalance
– to find the balance of Patrick's accounts
There is a question of why the RPC port 8545 was enabled so that RPC communications from the Internet would be forwarded to the geth
computer.
Patrick runs GPU miners outside his network and enabled the port forwarding for port 8545 for his GPU miners outside his network, understanding that his account would remain locked for 99.99% of the time. All it took was a 2 second window.
As @tayvano has listed below, Holy shit my eth accounts been hacked documents another exploit via the RPC protocol.
Also note that a hacker with access to the local machine will also be able to access geth
's IPC communication during this 2 second unlock period to send rogue transactions.
What are some steps that can be taken to reduce the chances of this occurring?
Best Answer
(Please edit me. I'm a community wiki)
Summary
geth
machine--rpc
without checking that only your GPU mining computers can access TCP port 8545 on your Ethereum nodegeth
computergeth
computer.geth
instance.EDIT 31/05/2016 - SECURITY ALERT!
From blog.ethereum.org - Security Alert – cpp-ethereum keeps accounts unlocked:
Details
Here are some steps to reduce the chances of getting your Ethereum wallet hacked.
1. Restrict Access To RPC On Your Mining Computers
For most Ethereum miners, you will be using
geth
to running the blockchain node andethminer
to perform the mining calculations.If you are running only one
geth
instance and theethminer
s on just one computer, restrict your RPC port to only serve on the local computer. The option--rpcaddr 127.0.0.1
(which is the default setting) will restrict your RPC communications to just that computer.If you are running only one
geth
instance on one computer andethminer
on the same computer plusethminer
on other computers that will need to communicate with the onegeth
instance, you will have to use your computer's local network IP, for example--rpcaddr 192.168.1.123
. In this case, it is best set up a firewall to restrict communications via RPC togeth
to your mining rigs only.2. Don't Run The Ethereum Wallet (Mist) On Your Mining
geth
Node ComputerIf you run Mist on your mining node, when you send a transaction with Mist, it will communicate via the IPC socket to instruct
geth
to unlock your account for 2 seconds.If you have RPC turned on and this port is accessible from the Internet, scripts and bots will be able to send transactions on your
geth
node to snatch your coins in the short period of time that Mist unlocks your accounts, as happened to Patrick.If you have RPC turned off and your mining computer has been compromised, any locally installed malware will be able to use the IPC socket to snatch your coins.
Don't run Mist on your mining computer. Use it on a separate secure computer instead.
3. Check You
$HOME/.ethereum/history
File And Erase If NecessaryThe history of the commands you type into
geth ... console
is stored in$HOME/.ethereum/history
. The following shows what I have just typed into the console:And here are the last two lines of my
$HOME/.ethereum/history
file:Check the contents of your history file using the command:
If you have ever used the command
personal.unlockAccount(...)
, erase your history file:By default the directory in which your history file is located is only readable by your own user. But if your account is compromised, your password is in your history file:
4. Move Your Mining Rewards If They Are Too Much To Lose
Your mining computer is continually communication with other programs on the Internet and is at a higher-than-usual risk of getting compromised.
Hackers can easily find Ethereum nodes on the Internet and your computer may be targeted. Move your mining rewards to a more secure Ethereum account to reduce the size of your losses if you do get hacked.
5. Reduce Your Attack Surface If Possible
Run the server version of Ubuntu Linux if possible. It is a little bit harder to install, especially the GPU drivers, but you have a lower chance of getting hacked as fewer services run in this version compared to the desktop version.
Ubuntu Desktop has many more bits of software running continually with exposed ports. If you do have to use Ubuntu desktop, turn off unnecessary services, don't install untrusted software. You may want to use the privacy settings to reduce any leakage of information:
/etc/default/appport
. Setenabled=0
Macs and Windows continually phone home and very likely have backdoors for Apple and Microsoft respectively. Even if Apple and Microsoft have little incentive to expose themselves by utilising the backdoors, the continuous chatter makes it hard to detect abnormal communications between your server and other computers.
6. Secure Your Network
geth
instance, only allow communications on the RPC port from your mining computers.7. Don't Use The User
root
(Or User With Administrator Privileges) To Run Your MinersIf your Internet facing programs (
geth
) has a vulnerability, a hacker can cause more damage if the program is running with administrator privileges.8. Check Your Port Forwarding Rules On Your Router Or Firewall
Only the port 30303 for TCP and UDP traffic should be forwarded by your modem or firewall to your
geth
node computer. Port 8545 (or whatever you configured for your RPC port) should NOT be forwarded to yourgeth
node computer.My firewall rules are for my 2 mining rigs (.120 has the
geth
instance, .121 is just a GPU miner, .111.* is my DMZ):9. Test For Open Ports On Your Internet Connection
Use a service like GRC to probe for the open ports on your Internet connection. Click on grc.com, click on Shields UP!!, then click on ShieldsUP! again. Read the text and click Proceed.
On the web page shown below, I've typed in ports
8545, 30303
and clicked User Specified Custom Port Probe:The probe results are shown below - Port 8545 (
geth
RPC) is not open to the Internet while port 30303 (Ethereum P2P port) is:It's probably a good idea to test All Service Ports (Ports 0 to 1055) at the same time to confirm which ports you have open. The following results show that I only have port 443 (HTTPS) open:
10. Opening RPC Ports For Miners Outside Your Network (Your Own Solo Mining Pool With Your Own Distributed Miners)
Don't open up your RPC port 8545 if you have GPU miners outside your network.
Your alternatives if you have GPU miners outside your network with your
geth
instance:geth
locally within each of your GPU miner's networks pointing to the same coinbase account if necessary; orether-pool
component of open-ethereum-pool. You don't have to run the web frontend, theunlocking
or thepayout
modules. Only safe instruction from/to the GPU miners to/fromgeth
passes through the mining pool software. One advantage of running this software is that you get a better performance from the stratum mining proxy protocol. The ability to mine with a particular coinbase (payout address) is not contingent on the mining node having access to the coinbase's private keys; you can generate the address and private key on another machine and set the mining node's coinbase to the generated address. This reduces damage from a compromised node: past payouts cannot be stolen by merely compromising the node.