AntBleed: How BitMain Could Have Shut Down More Than Half of Bitcoin

May 26, 2017

When members of the Bitcoin community found out last month about the anonymous release of AntBleed, an exploit in BitMain miner firmware that allowed for remote unit shutdown, many had the same reaction: they can shut down more than half of the Bitcoin network?!

BitMain responded by assuring the community at large that they had never intended AntBleed for malicious use, but here’s what you should know.

Why was AntBleed created?

In their address to the public, BitMain explained that AntBleed was designed to be a user-friendly hardware recovery aid in the event of theft. The feature was never finished; the unfinished code nonetheless made it into production machines. AntBleed was patched out of miner firmware within a few short hours, and thankfully it does not appear to have been used maliciously.

Which machines are vulnerable?

AntMiner S9, L3, T9, and R4 units with BitMain firmware committed on or after July 11, 2016 and before April 27, 2017 are likely to be vulnerable to this exploit. Other mining equipment is not directly vulnerable, but AntBleed can be used to shut down affected units individually.

This capability provided the means to mount a 51% attack and drive the network forward against the miners’ will.

How did AntBleed kill mining equipment?

AntBleed was the result of an unfinished firmware patch being rolled out to miners. It forced the miners to communicate with the BitMain server at random intervals of between 1 and 11 minutes. During each of these check-ins, affected AntMiner hardware sent its MAC address, IP address, and serial number to the server.

If the miner’s check-in failed to authenticate against BitMain’s records, the machine was sent a stop-mining order. This recovery method is troublesome for a few reasons:

• According to the AntBleed website, the BitMain authentication server was hosted on Cloudflare, which gave state entities the ability to control the network, even if they never used it.
• Verifying miners in this way leaves the door open to man-in-the-middle attacks that would allow malicious actors to selectively terminate bitcoin mining hardware.
• Allowing anyone to hold this type of control over the Bitcoin network strikes deep at the trust users have established in Bitcoin over the years.
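Because each affected unit has to resolve and contact the check-in host every 1 to 11 minutes, an operator can find units still running vulnerable firmware by looking for those queries in resolver logs. The script below is an added example, not part of the original post and not BitMain tooling; the log layout (timestamp, client IP, queried name) is a constructed sample and an assumption, so adjust the awk field numbers to match your own resolver’s log format.

```shell
# Added example: list devices that are still phoning home to the AntBleed
# check-in host, using a DNS query log. Log format is an ASSUMPTION:
#   <timestamp> <client-ip> <queried-name>
# Constructed sample: three miners, one of which never queries the host
# (already patched or sinkholed) and only talks to its pool.
SAMPLE_LOG='2017-04-27T10:00:12 192.168.10.21 auth.minerlink.com
2017-04-27T10:00:40 192.168.10.22 pool.example.net
2017-04-27T10:03:55 192.168.10.21 auth.minerlink.com
2017-04-27T10:05:02 192.168.10.23 auth.minerlink.com
2017-04-27T10:09:17 192.168.10.22 pool.example.net
2017-04-27T10:11:30 192.168.10.21 auth.minerlink.com'

CHECKIN_HOST="auth.minerlink.com"

# Read a query log on stdin and print, one per line, every client that
# looked up the check-in host together with how many times it did so:
#   <client-ip> <query-count>
# Output is sorted so it is stable enough to diff between runs.
find_beaconing_units() {
    awk -v h="$CHECKIN_HOST" '$3 == h { n[$2]++ }
         END { for (ip in n) print ip, n[ip] }' | sort
}

# Convenience wrapper that runs the detection over the constructed sample.
beaconing_from_sample() {
    printf '%s\n' "$SAMPLE_LOG" | find_beaconing_units
}

# Stand-alone run: on the sample this reports 192.168.10.21 (3 queries)
# and 192.168.10.23 (1 query); 192.168.10.22 never contacts the host.
beaconing_from_sample
```

Feed a real log with `find_beaconing_units < /var/log/named/queries.log` (path is an example); any client that appears in the output is a unit to patch or sinkhole, and a client that shows up repeatedly over a long window is behaving exactly as the 1–11 minute check-in describes.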

How can miners protect themselves?

The best way for miners to protect themselves from AntBleed is to update to the latest firmware. Miners who elect to remain on the older firmware can instead point the minerlink target at 127.0.0.1, their own machine. To make this change, connect to the miner in question, open /etc/hosts and add the line 127.0.0.1 auth.minerlink.com.

Minerlink is the part of the firmware that told miners where to send their information and what to do with the response they received, whether that was to continue mining normally or to stop mining altogether.
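The /etc/hosts change above is easy to get wrong by hand (a typo, a duplicate line, or an entry placed after a conflicting one), so here is an added example that applies it idempotently and then verifies that the check-in host really resolves to loopback. It is not BitMain’s code and not from the original post; the HOSTS_FILE variable is an assumption that lets you dry-run against a copy of the file before touching the miner’s real /etc/hosts as root.

```shell
# Added example: sinkhole the AntBleed check-in host on a miner that stays on
# old firmware, and verify the change. HOSTS_FILE is an assumption for
# dry-running; on the miner itself leave it at the default and run as root.
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"
MINERLINK_HOST="auth.minerlink.com"
SINKHOLE_IP="127.0.0.1"

# Append "127.0.0.1 auth.minerlink.com" unless an identical mapping is
# already present, so re-running the script never duplicates the line.
add_minerlink_sinkhole() {
    if grep -Eq "^[[:space:]]*$SINKHOLE_IP[[:space:]]+$MINERLINK_HOST([[:space:]]|$)" "$HOSTS_FILE"; then
        return 0
    fi
    printf '%s %s\n' "$SINKHOLE_IP" "$MINERLINK_HOST" >> "$HOSTS_FILE"
}

# Return 0 if the hosts file maps the check-in host to loopback, 1 otherwise.
# Comment lines are skipped and only the first matching entry counts, since
# that is the one the resolver will use.
minerlink_is_sinkholed() {
    ip="$(awk -v h="$MINERLINK_HOST" \
        '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }' \
        "$HOSTS_FILE")"
    [ "$ip" = "$SINKHOLE_IP" ]
}

# Usage on the miner (as root):
#   add_minerlink_sinkhole && minerlink_is_sinkholed && echo "minerlink sinkholed"
```

The verification step matters because a hosts entry only helps if it is the entry the resolver picks; if minerlink_is_sinkholed fails after the add, look for an earlier line in the file that already maps auth.minerlink.com to something else.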

How could AntBleed have impacted Bitcoin?

The Bitcoin network has long championed the decentralization of power, but AntBleed introduced two centralizing aspects that seriously threatened the foundation of bitcoin.

First, AntBleed gave anyone with access to the minerlink server the ability to remotely shut down mining on BitMain equipment, and BitMain is a producer that accounts for an estimated 70% of hardware in use on the Bitcoin network, according to BraveNewCoin.

Second, BitMain placed the remote shutdown server on a hosted service, which could have allowed a government or malicious actor to remotely shut down over half of the entire network, destroying trust in the strength of bitcoin and potentially leading to the loss of billions of dollars in stored value.

How is bitcoin secured?

Bitcoin is secured by two central facets: the sheer volume of users and miners operating on the network, and the value of bitcoins, which ensures users act in the best interest of the community. Users who act selfishly in ways that could harm the network risk devaluing their own holdings.

What makes the Bitcoin network so imposing to attack is not only the potential for currency devaluation, but also the sheer cost of performing an attack that would enable double spending or other directly profitable actions.

Normal users could have seen their bitcoin holdings drop in value, or even seen the chain they were on become obsolete along with their currency, had AntBleed been used maliciously during an attempted hard fork or network split.

Thankfully AntBleed was remedied quickly; had such an exploit been used, the implications would have been enormous and the ramifications felt for years to come. The damage to the value of bitcoin and to the trust the network is built on would not have stopped at bitcoin, but would have spread to other cryptocurrencies and blockchain networks by association.