Chip flaw raises fear of bitcoin and cryptocurrencies theft

Hackers have often targeted the exchanges and wallets where many people store their digital currencies. Picture / 123RF

Millions of dollars worth of cryptocurrency could be at risk following the disclosure of a major chip flaw which could leave the passwords and private keys that are used to secure online transactions open to thieves.

The Meltdown and Spectre vulnerabilities, which were confirmed this week, could be exploited by hackers to steal huge amounts of cryptocurrency until they are patched, security experts have warned.

Many online services that use a shared cloud could potentially be at risk, but bitcoin and other cryptocurrency exchange sites will be a particular target as it is easier to steal from them than a bank.

The bugs affecting Intel, AMD and ARM processors are understood to be present on billions of devices, including cloud providers, which many cryptocurrency providers rely on to keep their businesses running.

"The most obvious use of Spectre and Meltdown is to dump cryptocurrency private keys and steal wallet passwords without having to send out ransomware, thus gaining instant profit," Matt Carr, security consultant at Insinia told the Telegraph.

"I think we will see people exploiting this to steal bitcoins."

The two vulnerabilities allow a perpetrator remote access to sensitive data like personal photos, emails and business documents stored on a devices' operating system. This includes smartphones, laptops, servers and cloud computers.

If a hacker gains access to a currency exchange's processor, they could store it remotely to look for keys and passwords.

They could even automate the process, creating a database of keys and passwords found and on what host so they can begin emptying wallets or sell on the black market.

Customers using any online services are at risk including banking, but hackers are more likely to target digital currency as it is easier to steal than money from financial institutions.

"With bitcoin, you can just copy some data from a hacked server, but with a bank you still need to route it through the banking network which can be reversed and stopped by anti-fraud systems," explained Matthew Hickey, co-founder at My Hacker House.

While the bitcoin network itself has proved itself to be secure, hackers have often targeted the exchanges and wallets where many people store their digital currencies.

Amazon Web Services said that most of its servers used for cloud computing had been patched and Microsoft Azure and Google cloud services are now protected, the companies confirmed.

The flaw cannot be fixed but developers have created "workarounds" that will impact computing performance, which is likely to put many vendors off implementing them as they will slow speeds for transactions. Carr said it was likely that some systems would remain vulnerable "for years".

Now that a manual on how to exploit both Meltdown and Spectre has been published online as part of the disclosure, the clock is ticking.

"Someone with the right skill set could weaponise this today to steal wallet passwords and coin private keys," Carr added.

"Plus, the bar has lowered since a paper explaining how this was possible was published on Wednesday evening."

Individuals could also become targets if hackers lure them to browsers laden with malware. Chrome, FireFox and Internet Explorer Edge browser have created add-ons that can be switched on to help protect against this.

The Telegraph has contact five of the most popular coin exchanges, all of whom have not issued statements on whether they are affected.