The IRS Wants Help Hacking Cryptocurrency Hardware Wallets (vice.com) 66
An anonymous reader quotes a report from Motherboard: The IRS is looking for help to break into cryptocurrency hardware wallets, according to a document posted on the agency website in March of this year. Many cryptocurrency investors store their cryptographic keys, which confer ownership of their funds, with the exchange they use to transact or on a personal device. Some folks, however, want a little more security and use hardware wallets -- small physical drives which store a user's keys securely, unconnected to the internet. The law enforcement arm of the tax agency, IRS Criminal Investigation, and more specifically its Digital Forensic Unit, is now asking contractors to come up with solutions to hack into cryptowallets that could be of interest in investigations, the document states.
"The decentralization and anonymity provided by cryptocurrencies has fostered an environment for the storage and exchange of something of value, outside of the traditional purview of law enforcement and regulatory organizations," the document reads. "There is a portion of this cryptographic puzzle that continues to elude organizations -- millions, perhaps even billions of dollars, exist within cryptowallets." The security of hardware wallets presents a problem for investigators. The document states that agencies may be in possession of a hardware wallet as part of a case, but may not be able to access it if the suspect does not comply. This means that authorities cannot effectively "investigate the movement of currencies" and it may "prevent the forfeiture and recovery" of the funds. "The explicit outcome of this contract is to tame the cybersecurity research into measured, repeatable, consistent digital forensics processes that can be trained and followed in a digital forensics' laboratory," the document says.
"The decentralization and anonymity provided by cryptocurrencies has fostered an environment for the storage and exchange of something of value, outside of the traditional purview of law enforcement and regulatory organizations," the document reads. "There is a portion of this cryptographic puzzle that continues to elude organizations -- millions, perhaps even billions of dollars, exist within cryptowallets." The security of hardware wallets presents a problem for investigators. The document states that agencies may be in possession of a hardware wallet as part of a case, but may not be able to access it if the suspect does not comply. This means that authorities cannot effectively "investigate the movement of currencies" and it may "prevent the forfeiture and recovery" of the funds. "The explicit outcome of this contract is to tame the cybersecurity research into measured, repeatable, consistent digital forensics processes that can be trained and followed in a digital forensics' laboratory," the document says.
What do you want to achieve? (Score:1)
Re:What do you want to achieve? (Score:5, Insightful)
Re:What do you want to achieve? (Score:5, Informative)
Yes and no. The blockchain is public. But it does not contain names and street addresses and cell phone number and whatnot. If the IRS seizes a hardware wallet and is able to "open" it, they could then associate a person's identity with certain transactions and or balances on the blockchain which could open up a whole bunch of other avenues of investigation.
People who don't want to be tracked do try to obscure the picture by making large numbers of small transactions moving money around until it finally comes to rest somewhere.
Note that in some cases a single individual might control a large number of addresses. So if a chunk of coin gets fractured up into a bunch of small sums transferred to a large number of addresses it might be hard to figure out what is going on just by looking at the blockchain. But once you break open the wallet and see that all those addresses are in fact the same person, it becomes more clear what really happened.
My intention is to ignore the policy aspect of this. I just want to point out the technical side of it.
Re: (Score:2)
Don't really need to crack the wallet for that, just need the xpub. Which is probably available unlocked on the user's PC or phone.
Re:What do you want to achieve? (Score:4, Interesting)
My understanding with at least Bitcoin is the transactions are public so the only reason I can see this being needed is they want to seize the bitcoin.
The transactions are public, but pseudonymous. If you know someone's public wallet addresses, you can see their transaction history. Finding their addresses is the hard part. You can try to track them down if you know someone they've done business with, but it's much easier to grab their wallet and get the full list.
Re: (Score:1)
Re: (Score:1)
This is the IRS.... (Score:2)
The obvious answer is YES, they want to seize the bitcoin! It's what they do.... seize monetary units.
Re: What do you want to achieve? (Score:1)
Re: (Score:1)
They wanted to break the hardware wallet which is really quite easy. Get hardware wallet, get hammer, hit wallet with hammer repeatedly and watch naughty person cry. If they complain, replace the hardware wallet with a new one and wish they a nice day. Why hack them, when you can simply destroy the proceeds of crime and replace the hardware wallet, the tears worth the price of a new wallet ;DDD.
Might Happen (Score:2)
Re: (Score:2)
If you keep it on paper, they can crack it by cracking your fingers till you give them the paper. If you keep it in one of these hardware wallets they have the alternative of cracking the hardware wallet. Neither involves cracking the encryption.
Re: (Score:3)
If the hardware wallets are implemented the way they are supposed to be implemented, then even hardware attacks cannot succeed. Even if you force the wallet to produce all the encrypted data on it, you will not be able to decrypt the data unless you possess the secret key used to initialize the wallet. The secret key is not (assuming correct implementation) stored on the wallet. Any attack would have to find and exploit weaknesses in the implementation. OR you would have to go to the makers of the wallets a
Re: (Score:2, Informative)
These things haven't been hit as hard as one might expect the security community to do. The same attacks that bring down both CPU's and other USB devices are likely to work. Black boxes are usually dangerous.
You'd be surprised.
Of course not all hardware wallets are equal.
You're completely correct about the "blackbox" types. But many run open source software, and some are even open hardware.
For those running open source, the primary attack surface is in the implementation.
Also keep in mind that public key hardware devices have existed a very long time before cryptocurrencies existed. Decades longer.
All public certificate authorities use such hardware, which has been heavily attacked by the security community.
T
Good excuse not to have it. (Score:5, Insightful)
Seems to me that if the government wants access to this, that is a good reason to do everything to prevent them from having access to this.
Re: (Score:2)
Right but if they can do it then others can also. There is no trusted gatekeeper here. Anyone who knows the secret key can open the wallet. But nobody, including the maker of the wallet, can open it without the secret key. I mean that is the ideal, anyway.
If it is possible to open the wallet without the secret key then wallets will need to be physically guarded according to the amount of bitcoin they "store." Which just about defeats the purpose of the wallet.
Re: (Score:1)
All the need to do is question the individual, is there anything of value you need to declare on the wallet, when they say no, you erase the wallet, as easy as that. You can simply destroy the money and that is that, no revenue generated because it is gone, no proceeds of crime because the proceeds are gone. There is no real point in hacking them when the contents can simply be erased and you are done and they are done and the imaginary monies are now digital vapour.
Re: (Score:2)
Re: (Score:3)
Re:Good excuse not to have it. (Score:4, Interesting)
"If the IRS/Government has legitimate reasons (suspicion of tax evasion, money laundering, sex trafficking, etc.) then I wouldn't have any problems with them requesting and acquiring access to prove their case." - Yes but that's the problem. Who decides what is "legitimate"? And how long before it becomes a political weapon used to go after your opponents? We have already seen this happen with the CIA, FBI and Justice department. The banking laws meant to go after criminals with swiss bank accounts now apply to all American citizens. If you have a foreign bank account and the balance exceeds $10,000 for even one day of the year you have to report the bank account to the IRS.
A panel of judges (Score:2)
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Just another security arms race (Score:5, Insightful)
What's to stop the makers of wallets from using a more secure algorithm, more bits, etc? They're basically asking for a way to crack any encryption, which doesn't exist. And that's a good thing, even if it is exploited by criminals. Private citizens should be able to keep secrets if they want to.
Re: (Score:2)
How filling an external disk drive of random numbers then taking a copy of it to my friend is exorbitant? Or asking him to decode by using the time-pad from index X?
Or you mean that sending that time-pad securely is exorbitant? Exorbitant like splitting it with an algorithm like Shamir Secret Sharing and giving my friend a pice when I go to his home, another piece when he come to my home, another one through USPS, some more in my last holidays photos, by pigeon carrier, or in a hidden truecrypt volume? With
Re: (Score:2)
They just want to get a key out of it, it's not protected by encryption, only by the obscurity of the hardware.
They all use common slightly hardened microcontrollers (not even the properly hardened ones with shields, always on power and auto-zeroing on tamper detection). The NSA probably already has straightforward procedures for every one of those microcontrollers, there's not that many of them.
Re: (Score:2)
Why would the maker of the hardware wallet store the secret key in plaintext? If the implementation is that bad then it should be easy to break into the wallet. But there is no reason that the implementation should be that bad.
Re: (Score:2)
Because people are lazy and don't want to enter some long password to activate it each time.
It needs to know the unencrypted private keys to function ... without a password as a relatively poor encryption key, it always knows them. How it's stored in flash then becomes irrelevant, it can be decoded with information which is in plain "text" inside the device. Whether in flash, or in prom, or in fixed hardware.
Re: (Score:1)
>They all use common slightly hardened microcontrollers
No, not all of them - there are several that use the combination of a microcontroller for UI / communication and a real secure element for securing the cryptographic keys (e.g. Ledger's Nano S uses ST31 and the Nano X uses the ST33). Also, while the NSA might have the ability to break into these, they probably aren't going to share it with the IRS or other alphabet agencies unless there's a real national security issue at stake, since extracting data
Re: (Score:2)
Usually you don't attack the crypto, you attack the device to extract the key. Usually they are poorly designed and contain numerous flaws, if the data is actually encrypted at all.
Math! (Score:3)
Whaaa! (Score:2)
This means that authorities cannot effectively "investigate the movement of currencies"
If they want to know where my funds are going, the can read my Form 1040.
and it may "prevent the forfeiture and recovery" of the funds.
Not really. Just drag someone into court and the judge says "forfeit your funds." If they refuse, hold them on a contempt of court charge. Outside of a court (due process) the government doesn't have the right to go snatching anything.
How? (Score:2)
Circumventing a digital lock is a crime, you can't do that!
Reading Between the Lines.. (Score:4, Interesting)
Let's review the unredacted version...
"The decentralization and anonymity provided by cryptocurrencies has fostered an environment for the storage and exchange of something of value that is assuredly criminal in nature, outside of the traditional purview of law enforcement and regulatory organizations, and we must access it, because terrorists ," the document reads. "There is a portion of this cryptographic puzzle that continues to elude organizations of law enforcement -- millions, perhaps even billions of dollars, exist within cryptowallets. , and we will assume you are hiding untaxed blood-mafia billions if we find so much as a Hello Kitty thumb drive on your person and you refuse to give up the password. Remain calm and cooperate, and we might not abuse a 'Freedom' law that allows us to lock a citizen up forever."
This isn't just about bitcoin wallets. Or taxes, terrorists, or cryptocurrency for that matter.
It's about Control.
And right now, is the perfect time to enact more of it.
pay up or it's an FPMIA Prison for you laundering (Score:2)
pay up or it's an FPMIA Prison for you as bit coin is seen as money laundering
Re: (Score:2)
With Biden giving the IRS a significant increase to it's operational money I'm not surprised by this.
https://www.wsj.com/articles/b [wsj.com]... [wsj.com]
First they will make the use of cryptocurrencies the a new 'crisis' that must be dealt with now, then they will work to make all alternate currencies illegal. The US government controls the dollar and they want to keep it that way.
You mean Trump, right? You mean Trump is going to collude with the Russians to reveal Hillary’s email (jokes on them, Hillary
Too bad (Score:2)
If the wallet is designed half decently, they won't be able to.
Bitcoin (and other crypto coins) are based on an elliptic curve public key system. Pisk a random very large number. That's your secret key. Multiply it by a well known point on the chosen elliptic curve. That's your public key. Since elliptic curve arithmetic doesn't offer anything faster than a brute force guess, you can't use division to derive the secret key from the public key in any practical timeframe.
A properly designed wallet derives an
Keep in mind... (Score:3)
the USA has a world wide taxation policy. Meaning that if you are a US citizen, no matter where in the world you live, you have to file a tax return with the IRS. So if you made a bunch of money on crypto and you're living in the Cayman Islands the IRS wants a piece of your profits. On the tax form it specifically asks you if you own any crypto currency. If you lie and the IRS finds out about it not only will they give you a hefty fine they will charge you with perjury and throw your ass in jail.
The IRS is probably the most aggressive tax collection agency in the world and you do not want to get on the wrong side of these people. The only way to get around it is to renounce your US citizenship and apparently that is getting more difficult and expensive than it used to be.
I suspect that the US government is going to find some way to sabotage Bitcoin. Central banks are not really in the business of inviting competition for their fiat currency. If people start fleeing to bitcoin the demand for US dollars will drop. How much I'm not sure but if enough people do it the value of the US dollar will go down and then the government starts to lose control of the economy.
In the past governments have confiscated gold and they are not beneath coercing international banks to refuse to accept it or putting in onerous reporting requirements. I hope that doesn't happen but I don't trust the pricks so nothing would surprise me. We have recently heard comments from Janet Yellen at the Treasury department and now the IRS. Something is brewing.
Re: (Score:1)
In the past governments have confiscated gold and they are not beneath coercing international banks to refuse to accept it or putting in onerous reporting requirements. I hope that doesn't happen but I don't trust the pricks so nothing would surprise me. We have recently heard comments from Janet Yellen at the Treasury department and now the IRS. Something is brewing.
Well you make good points but ... oh shit, did you see that? Some guy made a transphobic comment on Twitter! Oh shit, he said
Re: (Score:1)
policy. Meaning that if you are a US citizen, no matter where in the world you live, you have to file a tax return with the IRS
You seem smart. So imma axe you something.
The government has the constitutional authority to coin it’s own money, right?
The government does exactly this, and it buys all kinds of stuff. Federal taxes don’t “pay for stuff”, the stuff gets paid for regardless, right? I mean, they’re not like “I’ll totally pay rent for Guam, could you just gi
Re: (Score:2)
"So, with all this being the case, why do they spend so much time trying to take shit from you? I mean, we have the same dollars that they can print at will, right? So why do they need ours so badly? Why will they literally ruin your life, just to get your money, of which they have an unlimited supply?" - Great question. I wish I was smart enough to know the answer :-)
Part of it is that the government has an uncapped ability to spend money and with that an uncapped ability to collect it.
Part of it is the no
Re: (Score:2)
If pigs could fly, we'd all wear hats to avoid getting pig shit in our hair. I'd invest in hat manufacturers long before I'd invest in bitcoin.
It's not the people swapping to bit coin... It's the big corporations, the banks, the financial markets. And they aren't going to becau
Re: (Score:2)
Will somebody please do something about this extra-territorial taxation that only the freedom-loving USA does to its citizens? Oh... and Eritrea, too. Let's not forget about that other haven of freedom and democracy!
Alas, no politician has any incentive to give two shits about the 9 million US expats who are required every year to comply with the random mandates of not one but two separate tax administrations.
The Pirates Need Your Booty Plunderin’ Help (Score:2)
The decentralization and anonymity provided by cryptocurrencies has fostered an environment for the storage and exchange of something of value, outside of the traditional purview of law enforcement and regulatory organizations,"
Oh no! No! Noooo! It’s like everyone’s worst nightmare come true!
If something of value is exchanged outside the purview of (some) law enforcement, before you know it, people will want to do other stuff outside the purview of law enforcement, and, well, that just doesn
Re: (Score:2)
So, who or what do you trust more? The full faith and credit of the USA, with its Reserve Bank and backed by its military and other powers?
Or mathematics?
Re: (Score:2)
Have they tried offering video cards? (Score:2)
The IRS will get you (Score:1)
Sorry borry (Score:2)
"Plus we estimate several billion dollars we can seize! This will replenish money brorrowed in 2006 between 3:42 AM and 6:17 AM. Almos 3 hours' borrowing, that's how much it is!"
They don't need help (Score:1)