Developer James Hilliard, best known for his Bitcoin Improvement Proposal #91 (the BIP which activated SegWit and prevented SegWit2x) and the CGMiner program, discovered a vulnerability in Bitmain’s Antminer S15 firmware.
The vulnerability was then turned into an exploit by an anonymous security researcher. Hilliard has publicly demonstrated the exploit in action:
@BITMAINtech tried and failed to lock down the S15 firmware, I identified the vulnerability and @00whiterabbit wrote/tested the attack code. Once @BITMAINtech complies with the GPL licenses for the firmware I will disclose the vulnerability to them so that they can fix it. pic.twitter.com/zwsAaPQjRL
— James Hilliard (@james_hilliard) February 12, 2019
The exploit allows an attacker to do basically anything, including modifying the payout address of an exploited miner. A previous vulnerability called “Antbleed” allowed any Antminer to be shutdown remotely, creating an existential risk to the Bitcoin network, which relies heavily on Bitmain hardware.
Open The Code And No One Gets Hurt
Hilliard and anonymous 00whiterabbit have offered to disclose the details of the vulnerability and help patch it, but there is a catch: Bitmain must cease its ongoing violation of the GNU General Public License agreement. The GPL dictates that derivatives of GPL code should be “free.” Free as in freedom – users should have access to the code in order to use, modify, and create their own derivatives.
The Bitcoin Core software package itself is open source, under the MIT License.
Hilliard’s request is not random in any sense. The code for CGMiner is part of what makes up the Antminer S15 firmware.
If Bitmain fails to release the source code for its firmware, Hilliard and 00whiterabbit will react. They will release the exploit into the wild.
However, launching the exploit on Bitcoin miners will not be a trivial affair. The attacker must able to access the network in order to open a shell on the Antminers.
Antbleed on Crack
The Antbleed vulnerability was pretty serious. But this new attack, dubbed “antsploit” in the video above, could create much more havoc for Bitmain users. Virtually anything imaginable is possible, from switching the pool you are mining on to changing your payout address. The vulnerability is at the base level of Bitmain’s hardware, which means there’s not much you can do about it at present.
Security vulnerabilities are one of the main arguments in favor of open source software. There is no code that doesn’t benefit from the public review of the very people who might otherwise attack it. Especially when users have an incentive to turn over findings, as in bug bounty programs, companies benefit far more than they “lose.”
Hilliard speculated to Bitcoin Magazine that Bitmain probably has closed the source in order to prevent users from overclocking their hardware and creating increased support costs. He also said:
Bitmain doesn’t seem to care about following copyright law. Unfortunately, closed source firmware is not a good thing to have on the Bitcoin network, as stuff like Antbleed can be hidden in it. It’s a centralization risk.
One ongoing complaint about the GNU GPL is the lack of actual enforcement surrounding it. Companies have repeatedly violated its rules with little or no retribution. The Free Software Foundation conducts very little license enforcement.