Politics has its “gates” and (mostly ironic) “gazis.” When it comes to security issues and reporting, tech now has its “bleeds.”
On Wednesday, a “backdoor” was revealed in Bitcoin mining hardware produced by a Chinese company called Bitmain. Because the security hole affects Bitmain hardware sold under the name Antminer, the backdoor was christened Antbleed.
The vulnerability could allow Bitmain, or potentially an outside attacker, to cause Bitcoin mining computers produced by the company to stop functioning. For Bitcoin, it’s a big deal. Bitmain is the majority supplier of Bitcoin mining computers in the world, with an estimated 70% share of the market for the application-specific integrated circuits (ASIC) chips that secure the Bitcoin network. In response to an inquiry from Rikitrader, Bitmain CEO Jihan Wu confirmed that “it’s true” that the Antbleed vulnerability could allow his company to shut down 70% of Bitcoin’s hash rate.
Bitcoin Markets Shake It Off
The news of a backdoor residing in Bitmain’s hardware was alarming news to many in the Bitcoin community. In recent months, miners have been torn over the implementation of technical changes to Bitcoin’s protocol. Accusations of censorship and malfeasance swirled around on Twitter as Bitcoin’s warring factions processed the Antbleed revelation.
However, the news has seemingly had little effect on the USD price of Bitcoin.
News of Antbleed broke in the afternoon of April 26, which corresponds to a sharp, but short, price decline across the various exchanges measured by Coindesk’s Bitcoin Price Index. However, Bitcoin traders shook off the news. One algorithmic Bitcoin trader we spoke with said the Antbleed revelation had “no effect on price,” and it is also unlikely to affect the market in the long run.
Anatomy Of Antbleed
The Antbleed “backdoor” is simple. Mining computers produced by Bitmain call back to a central service, transmitting several pieces of identifying technical data (like serial numbers, the device’s MAC address, and its IP address) every one to eleven minutes. According to the Antbleed website, “Bitmain can use this check-in data to cross check against customer sales and delivery records making it personally identifiable.”
Presumably, Bitmain keeps sales records that include the serial numbers of devices it has sold to customers. If the serial numbers and other factors reported by the mining computer during its regular check-in don’t match up with what Bitmain has on record, the device could be flagged as stolen or fraudulent. In response to a faulty check-in request, the Antbleed documentation tells us “the remote service can then return “false” which will stop the miner from mining.”
That central service, Minerlink, is owned by Bitmain. And although the service never launched in full, parts of it were implemented.
Still, by most accounts, the parts of the service that were implemented would have allowed Bitmain or an outside attacker to identify and target specific devices for shutdown. The backdoor poses a serious threat to miners’ bottom lines and the consensus-driven nature of Bitcoin itself. Changes to the Bitcoin protocol are voted on by Bitcoin miners. If an attacker had access to a “kill switch,” like the Antbleed website suggests, that attacker could manipulate vote counts by shutting off specific mining computers that signal support for a proposal the attacker disagrees with.
Several models of Antminers built by Bitmain still phone home to that central server. Patching the vulnerability is as simple as updating the host list of affected Antminer hardware to point at the device’s local address: 127.0.0.1.
For its part, Bitmain contends that the security vulnerability was not placed maliciously. Fazio Bai, who works at Bitmain, commented on Github:
First of all, I apologize for this. I uploaded some uncompleted feature’s code and caused considerable misunderstandings.
This uncompleted feature was intended to allow the owners of Antminer to remotely shut down their miners that may have been stolen or hijacked by their hosting service provider. We never intended to use this feature on any Antminer without authorization from its owner. This is similar to the remote erase or shutdown feature provided by most famous smartphone manufacturers.
However, this feature was never completed. But I made a mistake to upload the test code to github without checking carefully, I’m (sic) really apologize for this.
Today, Bitmain responded to the controversy by officially announcing updates to the open-source firmware for the various models of affected Antminers.
Bitcoin Community’s Split Presents A Bigger Challenge
Antbleed might just be the latest scandal facing the Bitcoin ecosystem, but it’s certainly not the last. The Bitcoin ecosystem is still experiencing some growing pains, which might sound surprising for a digital currency with a market capitalization of over $20 billion.
Battles over technical issues like the size of Bitcoin blocks, the files that carry transaction information, and the implementation of Segregated Witness, a software change that would basically create a whole new version of Bitcoin, have caused real splits in the Bitcoin ecosystem.
Some of those fissures are beginning to show up in investment patterns. As venture investors shift their interest to other blockchain ecosystems like Ethereum, the amount of funding going to Bitcoin-specific companies has declined over time.
Based on analysis of nearly 400 venture investment deals struck with Bitcoin around the world since 2013, it’s easy to see that interest from investors has declined from its height in 2015. How 2017 will turn out for the space remains to be seen.
However, one takeaway is clear: so long as major technical debates continue and high-profile security issues like Antbleed emerge, the broader adoption of Bitcoin is likely to be held back. As competing blockchains gain traction among developers and industry alike, the Bitcoin community may lose the campaign to gain wide acceptance of the cryptocurrency if it can’t get better about picking its battles.