Follow Slashdot stories on Twitter

 


Forgot your password?
Close
typodupeerror
×
Bitcoin Government The Almighty Buck Hardware

The IRS Wants Help Hacking Cryptocurrency Hardware Wallets (vice.com) 66

Posted by BeauHD from the give-us-the-password dept.
An anonymous reader quotes a report from Motherboard: The IRS is looking for help to break into cryptocurrency hardware wallets, according to a document posted on the agency website in March of this year. Many cryptocurrency investors store their cryptographic keys, which confer ownership of their funds, with the exchange they use to transact or on a personal device. Some folks, however, want a little more security and use hardware wallets -- small physical drives which store a user's keys securely, unconnected to the internet. The law enforcement arm of the tax agency, IRS Criminal Investigation, and more specifically its Digital Forensic Unit, is now asking contractors to come up with solutions to hack into cryptowallets that could be of interest in investigations, the document states.

"The decentralization and anonymity provided by cryptocurrencies has fostered an environment for the storage and exchange of something of value, outside of the traditional purview of law enforcement and regulatory organizations," the document reads. "There is a portion of this cryptographic puzzle that continues to elude organizations -- millions, perhaps even billions of dollars, exist within cryptowallets." The security of hardware wallets presents a problem for investigators. The document states that agencies may be in possession of a hardware wallet as part of a case, but may not be able to access it if the suspect does not comply. This means that authorities cannot effectively "investigate the movement of currencies" and it may "prevent the forfeiture and recovery" of the funds. "The explicit outcome of this contract is to tame the cybersecurity research into measured, repeatable, consistent digital forensics processes that can be trained and followed in a digital forensics' laboratory," the document says.
This discussion has been archived. No new comments can be posted.

The IRS Wants Help Hacking Cryptocurrency Hardware Wallets More

The IRS Wants Help Hacking Cryptocurrency Hardware Wallets

Comments Filter:
  • If a suspected criminal has a hardware wallet, and you can take it away and crack it, you can take their Bitcoin, sell it, and keep the money. Or you can just get evidence that there is Bitcoin, or both.

    • Re:What do you want to achieve? (Score:5, Insightful)

      by Stephenmg ( 265369 ) on Thursday April 29, 2021 @03:53PM (#61329330)
      My understanding with at least Bitcoin is the transactions are public so the only reason I can see this being needed is they want to seize the bitcoin.

      • Re:What do you want to achieve? (Score:5, Informative)

        by mamba-mamba ( 445365 ) on Thursday April 29, 2021 @04:23PM (#61329430)

        Yes and no. The blockchain is public. But it does not contain names and street addresses and cell phone number and whatnot. If the IRS seizes a hardware wallet and is able to "open" it, they could then associate a person's identity with certain transactions and or balances on the blockchain which could open up a whole bunch of other avenues of investigation.

        People who don't want to be tracked do try to obscure the picture by making large numbers of small transactions moving money around until it finally comes to rest somewhere.

        Note that in some cases a single individual might control a large number of addresses. So if a chunk of coin gets fractured up into a bunch of small sums transferred to a large number of addresses it might be hard to figure out what is going on just by looking at the blockchain. But once you break open the wallet and see that all those addresses are in fact the same person, it becomes more clear what really happened.

        My intention is to ignore the policy aspect of this. I just want to point out the technical side of it.

        • Re: (Score:2)

          by profet ( 263203 )

          Don't really need to crack the wallet for that, just need the xpub. Which is probably available unlocked on the user's PC or phone.

      • Re:What do you want to achieve? (Score:4, Interesting)

        by subreality ( 157447 ) on Thursday April 29, 2021 @04:25PM (#61329440)

        My understanding with at least Bitcoin is the transactions are public so the only reason I can see this being needed is they want to seize the bitcoin.

        The transactions are public, but pseudonymous. If you know someone's public wallet addresses, you can see their transaction history. Finding their addresses is the hard part. You can try to track them down if you know someone they've done business with, but it's much easier to grab their wallet and get the full list.

      • Re: (Score:1)

        by Anonymous Coward
        They may need to prove possession/ownership. The publicly recorded transactions are between "random" numbers, not names. To prove possession/ownership, you need to prove control over the keys. The keys are usually in encrypted wallets.
      • yea its not possible for "a bitcoin" to not exist on the blockchain of bitcoins but stored sep for later use, it would violate the fundamental laws of Satoshis metaverse. In essence, actually all wallets are open to ye olde proverbial guessing no matter how small the chance of getting it right, given enough time and iterations any wallet would open without a second layer to fall back on, chances of getting the right combo-string are pretty small though but in the urban legends people do win the national lot

      • The obvious answer is YES, they want to seize the bitcoin! It's what they do.... seize monetary units.

    • Canâ(TM)t edit when you posted to quick... if you get someoneâ(TM)s hardware wallet and canâ(TM)t crack it, you canâ(TM)t get their Bitcoin. You canâ(TM)t get evidence there was Bitcoin. But you can deny them access to their Bitcoin, or force the to use a less secure method to access their Bitcoin. If that is enough - destroying a criminals wealth instead of confiscating it, then you donâ(TM)t need to crack anything.

      • Re: (Score:1)

        by rtb61 ( 674572 )

        They wanted to break the hardware wallet which is really quite easy. Get hardware wallet, get hammer, hit wallet with hammer repeatedly and watch naughty person cry. If they complain, replace the hardware wallet with a new one and wish they a nice day. Why hack them, when you can simply destroy the proceeds of crime and replace the hardware wallet, the tears worth the price of a new wallet ;DDD.

  • These things haven't been hit as hard as one might expect the security community to do. The same attacks that bring down both CPU's and other USB devices are likely to work. Black boxes are usually dangerous.

    • If the hardware wallets are implemented the way they are supposed to be implemented, then even hardware attacks cannot succeed. Even if you force the wallet to produce all the encrypted data on it, you will not be able to decrypt the data unless you possess the secret key used to initialize the wallet. The secret key is not (assuming correct implementation) stored on the wallet. Any attack would have to find and exploit weaknesses in the implementation. OR you would have to go to the makers of the wallets a

    • Re: (Score:2, Informative)

      by Anonymous Coward

      These things haven't been hit as hard as one might expect the security community to do. The same attacks that bring down both CPU's and other USB devices are likely to work. Black boxes are usually dangerous.

      You'd be surprised.

      Of course not all hardware wallets are equal.
      You're completely correct about the "blackbox" types. But many run open source software, and some are even open hardware.
      For those running open source, the primary attack surface is in the implementation.

      Also keep in mind that public key hardware devices have existed a very long time before cryptocurrencies existed. Decades longer.
      All public certificate authorities use such hardware, which has been heavily attacked by the security community.

      T

  • Good excuse not to have it. (Score:5, Insightful)

    by jwhyche ( 6192 ) on Thursday April 29, 2021 @04:02PM (#61329374) Homepage

    Seems to me that if the government wants access to this, that is a good reason to do everything to prevent them from having access to this.

    • Comment removed based on user account deletion

      • Re: (Score:3)

        by ghoul ( 157158 )
        We really need to stop these kids who are killing terrorists, burning their bodies and snorting the ashes.
    • Agreed.

    • Re: (Score:2)

      by ghoul ( 157158 )
      Seems to me the govt already has backdoors into these wallets and the purpose of this piece of disinformation is to convince people that these are safe. Just remember the hash code if you dont want to be hacked.

  • Just another security arms race (Score:5, Insightful)

    by marcle ( 1575627 ) on Thursday April 29, 2021 @04:04PM (#61329380)

    What's to stop the makers of wallets from using a more secure algorithm, more bits, etc? They're basically asking for a way to crack any encryption, which doesn't exist. And that's a good thing, even if it is exploited by criminals. Private citizens should be able to keep secrets if they want to.

    • They just want to get a key out of it, it's not protected by encryption, only by the obscurity of the hardware.

      They all use common slightly hardened microcontrollers (not even the properly hardened ones with shields, always on power and auto-zeroing on tamper detection). The NSA probably already has straightforward procedures for every one of those microcontrollers, there's not that many of them.

      • Why would the maker of the hardware wallet store the secret key in plaintext? If the implementation is that bad then it should be easy to break into the wallet. But there is no reason that the implementation should be that bad.

        • Because people are lazy and don't want to enter some long password to activate it each time.

          It needs to know the unencrypted private keys to function ... without a password as a relatively poor encryption key, it always knows them. How it's stored in flash then becomes irrelevant, it can be decoded with information which is in plain "text" inside the device. Whether in flash, or in prom, or in fixed hardware.

      • >They all use common slightly hardened microcontrollers

        No, not all of them - there are several that use the combination of a microcontroller for UI / communication and a real secure element for securing the cryptographic keys (e.g. Ledger's Nano S uses ST31 and the Nano X uses the ST33). Also, while the NSA might have the ability to break into these, they probably aren't going to share it with the IRS or other alphabet agencies unless there's a real national security issue at stake, since extracting data

    • Re: (Score:2)

      by AmiMoJo ( 196126 )

      Usually you don't attack the crypto, you attack the device to extract the key. Usually they are poorly designed and contain numerous flaws, if the data is actually encrypted at all.

  • Math! (Score:3)

    by MarcoPon ( 689115 ) on Thursday April 29, 2021 @04:05PM (#61329384) Homepage
    That's the "portion of this cryptographic puzzle that continues to elude organizations".

  • Whaaa! (Score:2)

    by PPH ( 736903 )

    This means that authorities cannot effectively "investigate the movement of currencies"

    If they want to know where my funds are going, the can read my Form 1040.

    and it may "prevent the forfeiture and recovery" of the funds.

    Not really. Just drag someone into court and the judge says "forfeit your funds." If they refuse, hold them on a contempt of court charge. Outside of a court (due process) the government doesn't have the right to go snatching anything.

  • How? (Score:2)

    by Gabest ( 852807 )

    Circumventing a digital lock is a crime, you can't do that!

  • Reading Between the Lines.. (Score:4, Interesting)

    by geekmux ( 1040042 ) on Thursday April 29, 2021 @04:26PM (#61329444)

    Let's review the unredacted version...

    "The decentralization and anonymity provided by cryptocurrencies has fostered an environment for the storage and exchange of something of value that is assuredly criminal in nature, outside of the traditional purview of law enforcement and regulatory organizations, and we must access it, because terrorists ," the document reads. "There is a portion of this cryptographic puzzle that continues to elude organizations of law enforcement -- millions, perhaps even billions of dollars, exist within cryptowallets. , and we will assume you are hiding untaxed blood-mafia billions if we find so much as a Hello Kitty thumb drive on your person and you refuse to give up the password. Remain calm and cooperate, and we might not abuse a 'Freedom' law that allows us to lock a citizen up forever."

    This isn't just about bitcoin wallets. Or taxes, terrorists, or cryptocurrency for that matter.

    It's about Control.

    And right now, is the perfect time to enact more of it.

  • pay up or it's an FPMIA Prison for you as bit coin is seen as money laundering

  • If the wallet is designed half decently, they won't be able to.

    Bitcoin (and other crypto coins) are based on an elliptic curve public key system. Pisk a random very large number. That's your secret key. Multiply it by a well known point on the chosen elliptic curve. That's your public key. Since elliptic curve arithmetic doesn't offer anything faster than a brute force guess, you can't use division to derive the secret key from the public key in any practical timeframe.

    A properly designed wallet derives an

  • Keep in mind... (Score:3)

    by erp_consultant ( 2614861 ) on Thursday April 29, 2021 @05:42PM (#61329692)

    the USA has a world wide taxation policy. Meaning that if you are a US citizen, no matter where in the world you live, you have to file a tax return with the IRS. So if you made a bunch of money on crypto and you're living in the Cayman Islands the IRS wants a piece of your profits. On the tax form it specifically asks you if you own any crypto currency. If you lie and the IRS finds out about it not only will they give you a hefty fine they will charge you with perjury and throw your ass in jail.

    The IRS is probably the most aggressive tax collection agency in the world and you do not want to get on the wrong side of these people. The only way to get around it is to renounce your US citizenship and apparently that is getting more difficult and expensive than it used to be.

    I suspect that the US government is going to find some way to sabotage Bitcoin. Central banks are not really in the business of inviting competition for their fiat currency. If people start fleeing to bitcoin the demand for US dollars will drop. How much I'm not sure but if enough people do it the value of the US dollar will go down and then the government starts to lose control of the economy.

    In the past governments have confiscated gold and they are not beneath coercing international banks to refuse to accept it or putting in onerous reporting requirements. I hope that doesn't happen but I don't trust the pricks so nothing would surprise me. We have recently heard comments from Janet Yellen at the Treasury department and now the IRS. Something is brewing.

    • In the past governments have confiscated gold and they are not beneath coercing international banks to refuse to accept it or putting in onerous reporting requirements. I hope that doesn't happen but I don't trust the pricks so nothing would surprise me. We have recently heard comments from Janet Yellen at the Treasury department and now the IRS. Something is brewing.

      Well you make good points but ... oh shit, did you see that? Some guy made a transphobic comment on Twitter! Oh shit, he said

    • policy. Meaning that if you are a US citizen, no matter where in the world you live, you have to file a tax return with the IRS

      You seem smart. So imma axe you something.

      The government has the constitutional authority to coin it’s own money, right?

      The government does exactly this, and it buys all kinds of stuff. Federal taxes don’t “pay for stuff”, the stuff gets paid for regardless, right? I mean, they’re not like “I’ll totally pay rent for Guam, could you just gi

      • "So, with all this being the case, why do they spend so much time trying to take shit from you? I mean, we have the same dollars that they can print at will, right? So why do they need ours so badly? Why will they literally ruin your life, just to get your money, of which they have an unlimited supply?" - Great question. I wish I was smart enough to know the answer :-)

        Part of it is that the government has an uncapped ability to spend money and with that an uncapped ability to collect it.

        Part of it is the no

    • If people start fleeing to bitcoin the demand for US dollars will drop.

      If pigs could fly, we'd all wear hats to avoid getting pig shit in our hair. I'd invest in hat manufacturers long before I'd invest in bitcoin.

      How much I'm not sure but if enough people do it the value of the US dollar will go down and then the government starts to lose control of the economy.

      It's not the people swapping to bit coin... It's the big corporations, the banks, the financial markets. And they aren't going to becau

    • Re: (Score:2)

      by mad7777 ( 946676 )
      Thank you.
      Will somebody please do something about this extra-territorial taxation that only the freedom-loving USA does to its citizens? Oh... and Eritrea, too. Let's not forget about that other haven of freedom and democracy!
      Alas, no politician has any incentive to give two shits about the 9 million US expats who are required every year to comply with the random mandates of not one but two separate tax administrations.

  • The decentralization and anonymity provided by cryptocurrencies has fostered an environment for the storage and exchange of something of value, outside of the traditional purview of law enforcement and regulatory organizations,"

    Oh no! No! Noooo! It’s like everyone’s worst nightmare come true!

    If something of value is exchanged outside the purview of (some) law enforcement, before you know it, people will want to do other stuff outside the purview of law enforcement, and, well, that just doesn

    • So, who or what do you trust more? The full faith and credit of the USA, with its Reserve Bank and backed by its military and other powers?

      Or mathematics?

      • Re: (Score:2)

        by ghoul ( 157158 )
        Military power is ultimately mathematics. Wars are won by logistics and quantity has a quality of its own. I can go on with the mathematical sayings which apply to the military like it being more than the sum of its parts. Geeks have been sending off jocks to die for them since the beginning of time. The very definition of civilization is jocks dying for the benefit of geeks. Thats how we evolve for intelligence instead of strength.
  • That might be the incentive that would garner some interest. If they confiscated video cards from those who skipped on paying taxes then that could be self sustaining. P.S. I'm sort of kidding here as I'm not a fan of how government confiscates first, gets convictions later.
  • The Taxman willet you sooner later https://www.reuters.com/techno... [reuters.com]

  • "Plus we estimate several billion dollars we can seize! This will replenish money brorrowed in 2006 between 3:42 AM and 6:17 AM. Almos 3 hours' borrowing, that's how much it is!"

  • In 2015 law enforcement stole more cash and assets from unconvicted people than burglars stole for the whole year. I think they'll be fine without crypto added to the mix.

Slashdot Top Deals

"Inquiry is fatal to certainty." -- Will Durant

Close