
EthClipper: A Clipboard Meddling Attack on Hardware Wallets with Address Verification Evasion (2108.14004v1)

Published 31 Aug 2021 in cs.CR

Abstract: Hardware wallets are designed to withstand malware attacks by isolating their private keys from the cyberspace, but they are vulnerable to the attacks that fake an address stored in a clipboard. To prevent such attacks, a hardware wallet asks the user to verify the recipient address shown on the wallet display. Since crypto addresses are long sequences of random symbols, their manual verification becomes a difficult task. Consequently, many users of hardware wallets elect to verify only a few symbols in the address, and this can be exploited by an attacker. In this work, we introduce EthClipper, an attack that targets owners of hardware wallets on the Ethereum platform. EthClipper malware queries a distributed database of pre-mined accounts in order to select the address with maximum visual similarity to the original one. We design and implement an EthClipper malware, which we test on Trezor, Ledger, and KeepKey wallets. To deliver computation and storage resources for the attack, we implement a distributed service, ClipperCloud, and test it on different deployment environments. Our evaluation shows that with off-the-shelf PCs and NAS storage, an attacker would be able to mine a database capable of matching 25% of the digits in an address to achieve a 50% chance of finding a fitting fake address. For responsible disclosure, we have contacted the manufacturers of the hardware wallets used in the attack evaluation, and they all confirm the danger of EthClipper.

Citations (7)

Summary

  • The paper demonstrates an attack that exploits users' incomplete verification of Ethereum addresses to redirect funds through clipboard manipulation.
  • It uses a distributed service, ClipperCloud, to pre-mine deceptive addresses that match up to 25% of a legitimate address's characters.
  • Empirical tests on Trezor, Ledger, and KeepKey reveal significant gaps in the transaction confirmation process of hardware wallets.

An Overview of EthClipper: Clipboard Meddling Attack on Hardware Wallets

The paper "EthClipper: A Clipboard Meddling Attack on Hardware Wallets with Address Verification Evasion" by Nikolay Ivanov and Qiben Yan from Michigan State University introduces a security threat to Ethereum hardware wallets that exploits weak manual address verification during transactions. The hardware wallets targeted include popular models such as Trezor, Ledger, and KeepKey. The attack, termed EthClipper, allows an adversary to divert funds by substituting the recipient address with an attacker-owned one, relying on users' tendency to shorten verification by checking only a few prefix and suffix symbols of the address.

Attack Description and Mechanism

EthClipper targets the inherent weakness of human-in-the-loop verification of cryptocurrency addresses during transactions. Ethereum addresses are long alphanumeric sequences, which makes verifying them in full by hand tedious. Many users check only the first few and last few characters when confirming a transaction's recipient address on the hardware wallet display, which leaves room for visual deception and confirmation bias.

EthClipper malware manipulates the clipboard contents on an infected system, replacing the correct Ethereum address with a similar-looking one drawn from a database maintained by a distributed system called ClipperCloud. This system pre-generates and stores large quantities of Ethereum accounts whose addresses resemble legitimate ones. The paper's experimental results show that ClipperCloud's mining capacity can produce addresses matching up to 25% of the original address's characters, which gives a 50% chance of finding a fitting fake address.
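The defence the paper's observation implies is a full, position-by-position comparison rather than a prefix/suffix glance. The following added example (not code from the paper or its authors) is a small clipboard-guard check that compares a pasted address with the address the user intended, and reports a look-alike precisely when the first and last few hex digits agree but the rest does not; the address book, the sample addresses and the four-digit prefix/suffix width are constructed assumptions.

```python
import re

HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")

def is_well_formed(addr: str) -> bool:
    """Syntactic check only: '0x' followed by exactly 40 hex digits."""
    return bool(HEX_ADDR.match(addr))

def matched_fraction(expected: str, pasted: str) -> float:
    """Fraction of the 40 hex digits that agree position by position (case-insensitive)."""
    e, p = expected[2:].lower(), pasted[2:].lower()
    return sum(x == y for x, y in zip(e, p)) / 40

def lookalike_verdict(expected: str, pasted: str, prefix_n: int = 4, suffix_n: int = 4) -> str:
    """Compare the address that came out of the clipboard with the one the user meant.
    'ok'        byte-for-byte identical: the only verdict under which a send is safe
    'lookalike' differs, yet the first prefix_n and last suffix_n digits agree,
                i.e. exactly the substitution a prefix/suffix-only glance cannot catch
    'mismatch'  differs in a way a glance would also catch
    'malformed' one of the strings is not an Ethereum address at all"""
    if not (is_well_formed(expected) and is_well_formed(pasted)):
        return "malformed"
    e, p = expected[2:].lower(), pasted[2:].lower()
    if e == p:
        return "ok"
    # slice from 40 - suffix_n so that suffix_n == 0 compares nothing, not everything
    if e[:prefix_n] == p[:prefix_n] and e[40 - suffix_n:] == p[40 - suffix_n:]:
        return "lookalike"
    return "mismatch"

def check_clipboard(address_book: dict, pasted: str, prefix_n: int = 4, suffix_n: int = 4) -> list:
    """Return [(label, verdict, matched_fraction)] for every contact the paste either
    equals ('ok') or impersonates ('lookalike'); an empty list means no relation."""
    findings = []
    for label, known in address_book.items():
        verdict = lookalike_verdict(known, pasted, prefix_n, suffix_n)
        if verdict in ("ok", "lookalike"):
            findings.append((label, verdict, matched_fraction(known, pasted)))
    return findings

# Constructed sample data (not from the paper): a deposit address and a fake that
# shares its first and last four hex digits but nothing in between.
EXPECTED = "0xab12" + "1234567890abcdef1234567890abcdef" + "cd34"
LOOKALIKE = "0xab12" + "fedcba0987654321fedcba0987654321" + "cd34"
BOOK = {"exchange-deposit": EXPECTED}

if __name__ == "__main__":
    print(check_clipboard(BOOK, EXPECTED))   # [('exchange-deposit', 'ok', 1.0)]
    print(check_clipboard(BOOK, LOOKALIKE))  # [('exchange-deposit', 'lookalike', 0.2)]
```

A wallet front end that runs this check on every paste would refuse to pre-fill a recipient field from the clipboard when the verdict is anything other than 'ok' for a known contact.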

Methodical Evaluation

The authors test their EthClipper prototype across four commonly used hardware wallet models, validating the attack's practical viability without directly defeating any of the wallets' intrinsic security features. They provide substantial empirical evidence that the attack vector is effective in realistic scenarios, given the observed user behavior and the capabilities of their ClipperCloud service.

Security Implications and Future Directions

The investigation conducted in this paper has significant implications for the security of hardware wallet transactions, which are considered safer than software alternatives because the keys are isolated from networked computers. By demonstrating a feasible attack that neither extracts nor compromises private keys, the authors argue for improved user interfaces and transaction protocols that could mitigate such clipboard-based attacks. They also stress the need for better user education on verifying cryptocurrency addresses in full.

From a broader perspective, EthClipper foregrounds the challenges that human factors pose in cybersecurity. Even the most technically sound cold storage solutions become vulnerable when a step that depends on the user, such as manual address verification, is what the attacker exploits. As the authors collaborated with hardware wallet manufacturers to discuss potential defenses, this work stands as an early warning that more robust security measures are needed.

Conclusion

As financial activities increasingly involve blockchain technologies, this work calls for scrutiny of the cognitive biases that undermine manual security measures, and urges that security norms keep evolving to address both technological advances and human vulnerabilities. The paper suggests that further fortification of wallet interfaces, such as automated alerts for clipboard actions, is an area for immediate research and development. As research and practical defenses mature, users, developers, and technology providers will all need to remain vigilant and proactively safeguard against such indirect threats.