
Bitcoin website suspects it will be targeted by state-sponsored hackers, warns users

Hopefully we are all aware that we should exercise caution when downloading programs from the internet.

There have been plenty of cases of malicious software being distributed via the web, and even of legitimate programs being tampered with so that they carry an unexpected payload which compromises the computer that downloaded them.

To reduce the chances of downloading a poisoned program, the normal advice is to download from the original publisher and, for additional security, to verify that what you received matches what the publisher released, by checking the digital signature on the binaries (or on a signed list of their hashes) against a key you obtained separately.

Members of the Bitcoin community might want to bear this in mind today – in particular if they are in the habit of downloading executable versions of the Bitcoin Core client software from Bitcoin.org, rather than taking the recommended approach of compiling the open source software themselves.

The website Bitcoin.org published an advisory warning users to be particularly vigilant when downloading the upcoming 0.13.0 release of Bitcoin Core.


Bitcoin.org has reason to suspect that the binaries for the upcoming Bitcoin Core release will likely be targeted by state sponsored attackers. As a website, Bitcoin.org does not have the necessary technical resources to guarantee that we can defend ourselves from attackers of this caliber. We ask the Bitcoin community, and in particular the Chinese Bitcoin community to be extra vigilant when downloading binaries from our website.


The obvious fear is that a tampered version of Bitcoin Core could lead to users losing the contents of their digital wallets, or to compromised computers being hijacked to launch other attacks against the Bitcoin network.

Sensibly, Bitcoin.org recommends that everyone who downloads the binaries verify the cryptographic signature on their hashes, and the key that made it, before running them on their computers.

The hashes of Bitcoin Core binaries are cryptographically signed with this key.

We strongly recommend that you download that key, which should have a fingerprint of 01EA5486DE18A882D4C2684590C8019E36C2E964.
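What that verification looks like in practice, as an added example for this article (it is not code from bitcoin.org or the Bitcoin Core project): the script treats the fingerprint quoted above as the expected signer, shells out to GnuPG (assumed to be on PATH as `gpg`) for the signature check, parses GnuPG's machine-readable status output so that the signing key's fingerprint is actually compared rather than a bare "Good signature" being accepted, and then hashes the downloaded archive against the signed list. The layout of SHA256SUMS.asc (a clearsigned list of `<hex digest>  <filename>` lines), the script name and the sample files the offline demonstration creates are assumptions made for illustration.

```python
"""Added example for this article; not bitcoin.org's or Bitcoin Core's code.

Two checks the advisory's advice implies: the signature on the hash list must
come from the key with the expected fingerprint (read from GnuPG's VALIDSIG
status line, since a bare "Good signature" could be from any key in the
keyring), and the downloaded archive's SHA-256 must match that signed list,
because the signature covers the list of hashes rather than the archive.
Assumes a "gpg" binary on PATH for the live check and a clearsigned
SHA256SUMS.asc whose lines have the "<hex digest>  <filename>" form.
"""
import hashlib
import hmac
import os
import re
import subprocess
import sys
import tempfile

# Fingerprint quoted in the bitcoin.org advisory for the release signing key.
EXPECTED_FPR = "01EA5486DE18A882D4C2684590C8019E36C2E964"
_HASH_LINE = re.compile(r"^([0-9a-fA-F]{64})  (\S+)$")
# SHA-256 of an empty file; used for the constructed sample below, not a release hash.
_SHA256_EMPTY = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

def normalise_fpr(text):
    """Drop spaces/colons, upper-case: grouped web-page form == gpg's 40 hex digits."""
    return re.sub(r"[\s:]", "", text).upper()

def primary_fingerprint_from_status(status_output):
    """Primary key fingerprint from a VALIDSIG status line, or None when nothing
    verified. VALIDSIG's tenth argument names the primary key even if a subkey signed."""
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            args = fields[2:]
            return normalise_fpr(args[9] if len(args) >= 10 else args[0])
    return None

def signature_is_from_expected_key(status_output, expected=EXPECTED_FPR):
    """True only if a signature verified AND it was made by the expected key."""
    got = primary_fingerprint_from_status(status_output)
    return got is not None and hmac.compare_digest(got, normalise_fpr(expected))

def parse_sha256sums(text):
    """Map filename -> lower-case hex digest; armour and 'Hash:' header lines never match."""
    sums = {}
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break  # nothing after this line is part of the signed text
        m = _HASH_LINE.match(line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums

def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def file_matches_sums(path, sums):
    """An archive absent from the signed list fails: an unsigned hash proves nothing."""
    expected = sums.get(os.path.basename(path))
    return expected is not None and hmac.compare_digest(sha256_of_file(path), expected)

def gpg_status_for(sums_path):
    """Run gpg --verify and return its status lines. The exit code is ignored on
    purpose: it is non-zero for a valid signature by a key not yet marked trusted."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sums_path],
                          capture_output=True, text=True)
    return proc.stdout

def demo_check():
    """Offline run on constructed files; returns {"good": True, "tampered": False}."""
    sums = parse_sha256sums(
        "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
        + _SHA256_EMPTY + "  good.tar.gz\n"
        + _SHA256_EMPTY + "  tampered.tar.gz\n"
        + "-----BEGIN PGP SIGNATURE-----\n(constructed, no real signature)\n"
        + "-----END PGP SIGNATURE-----\n")
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "good.tar.gz"), os.path.join(d, "tampered.tar.gz")
        open(good, "wb").close()  # empty file: matches the listed digest
        with open(bad, "wb") as f:
            f.write(b"one extra byte changes the digest")  # constructed tampering
        return {"good": file_matches_sums(good, sums), "tampered": file_matches_sums(bad, sums)}

if __name__ == "__main__":  # usage: verify_release.py SHA256SUMS.asc <archive>
    if len(sys.argv) != 3:
        print(demo_check())
        sys.exit(0)
    if not signature_is_from_expected_key(gpg_status_for(sys.argv[1])):
        sys.exit("SHA256SUMS.asc is not validly signed by the expected key")
    with open(sys.argv[1], encoding="utf-8") as f:
        sums = parse_sha256sums(f.read())
    if not file_matches_sums(sys.argv[2], sums):
        sys.exit("archive digest does not match the signed list")
    print("OK: signed by the expected key and digest matches")
```

Run it with no arguments for the offline demonstration, or with the clearsigned hash list and the downloaded archive as arguments. Two caveats follow from the advisory itself: the key the advisory links to has to be imported first (a key GnuPG does not have produces no VALIDSIG line, so the script refuses the download), and the fingerprint you compare against should be obtained and cross-checked from somewhere other than the website you fear may be compromised, since a fingerprint read off the same page as the binaries proves nothing if that page has been altered.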

Quite what spurred Bitcoin.org to release its warning is currently unclear, as they have not shared their reasons for suspecting a state-sponsored attacker is likely to target them. However, they do hint that the “origin of the attackers” suggests that Chinese users are most at risk.

As such, whether the warning is an over-reaction or not is difficult to judge.

Eric Lombrozo, a Bitcoin Core contributor, appeared to be advising Bitcoin users not to panic in a statement reported by The Register:

“The maintainer of the bitcoin.org site (which is unaffiliated with the Bitcoin Core project itself) posted an advisory of an apparent threat he’s been informed about – without consulting anyone else. Why this was done is uncertain, but verifying cryptographic signatures for builds is generally recommended practice in any case…”

“Perhaps certain sites where people download the binaries could end up getting compromised, but let’s not unnecessarily spread paranoia about the Bitcoin Core binaries themselves.”

The fact that Bitcoin.org’s maintainer posted the warning without consulting with other members of the community makes me think that it might be sensible to take the warning with a small pinch of salt. But it doesn’t, in itself, say that the warning is mistaken.

One thing is clear: Bitcoin users are once again being spooked by security fears. And nervousness isn’t good news for any currency, digital or otherwise.

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.