{"id":20513,"date":"2019-02-20T20:44:04","date_gmt":"2019-02-20T20:44:04","guid":{"rendered":"http:\/\/ci027cfe80c00126c3"},"modified":"2025-01-28T16:02:07","modified_gmt":"2025-01-28T16:02:07","slug":"will-vulnerability-finally-compel-bitmain-open-source-its-firmware","status":"publish","type":"post","link":"https:\/\/bitcoinmagazine.com\/business\/will-vulnerability-finally-compel-bitmain-open-source-its-firmware","title":{"rendered":"Will This Vulnerability Finally Compel Bitmain to Open Source Its Firmware?"},"content":{"rendered":"<div id=\"bsf_rt_marker\"><\/div><figure><img decoding=\"async\" src=\"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2025\/01\/will-this-vulnerability-finally-compel-bitmain-to-open-source-its-firmware.jpg\" title=\"\"><\/figure>\n<p>As if Bitmain\u2019s year hasn\u2019t been rough enough, having posted big losses and laying off entire departments, its flagship product now has a firmware vulnerability.<\/p>\n<p>A few weeks ago, Bitcoin Core contributor James Hilliard discovered an exploit in Bitmain\u2019s S15 firmware. The pseudonymous Twitter user <a href=\"https:\/\/twitter.com\/00whiterabbit\" target=\"_blank\" rel=\"noopener\">00whiterabbit<\/a>, also known simply as \u201cjohn,\u201d subsequently wrote exploit code based on Hilliard\u2019s findings. 
A <a href=\"https:\/\/twitter.com\/james_hilliard\/status\/1095225270011781120\" target=\"_blank\" rel=\"noopener\">video<\/a> proving that the exploit code worked was shared on Hilliard\u2019s Twitter account last week.<\/p>\n<p>Hilliard is offering to disclose the vulnerability to Bitmain but under one condition: Bitmain would have to comply with the <a href=\"https:\/\/www.gnu.org\/licenses\/gpl-faq.en.html\" target=\"_blank\" rel=\"noopener\">GNU General Public License<\/a> (GNU GPL), the popular open source license that the Chinese mining giant is currently breaching, and open source its firmware.<\/p>\n<p>\u201cBitmain firmware is very buggy in general,\u201d Hilliard told <em>Bitcoin Magazine<\/em>, \u201cand it&#8217;s important for the health of the Bitcoin network that users be able to fix the bugs Bitmain introduces.\u201d<\/p>\n<h2><strong>The Exploit<\/strong><\/h2>\n<p>Hilliard, who is perhaps best known for proposing <a href=\"https:\/\/bitcoinmagazine.com\/articles\/bip91-segwit-activation-kludge-should-keep-bitcoin-whole\">BIP91<\/a>, discovered the vulnerability several weeks ago by auditing a firmware update file on Bitmain\u2019s support site. While details have not yet been disclosed, the exploit was found in firmware of the S15, the company\u2019s most powerful SHA256 miner in store. Hilliard thinks the same vulnerability almost certainly exists in all of Bitmain\u2019s mining firmware.<\/p>\n<p>\u201cI\u2019m also quite sure there are many other vulnerabilities in the firmware,\u201d he added. \u201cIt is very poorly designed when it comes to security.\u201d<\/p>\n<p>When exploited, the vulnerability gives users root access to the machine \u2014 which is supposed to be impossible. In theory, this can be done remotely using just the IP address of the miner, and means the machine can be reprogrammed to do just about anything. This includes mining to a different Bitcoin address or having it stop mining entirely. 
The firmware could also be replaced by different firmware altogether (such as <a href=\"https:\/\/bitcoinmagazine.com\/articles\/braiins-os-open-source-alternative-bitcoin-mining-firmware\">Braiins OS<\/a> or <a href=\"https:\/\/bitcoinmagazine.com\/articles\/bitcoin-developer-about-take-mining-hardware-industry\">Dragonmint<\/a> firmware).<\/p>\n<p>In practice, however, it\u2019s unlikely the machines can be remotely exploited at all. For one, as long as the miner is properly firewalled and\/or protected with a strong username and password, it cannot be broken into. And second, without access to the firmware\u2019s source code, it&#8217;s difficult to make compatible custom firmware. As such, this specific vulnerability is perhaps not the main issue. \u201cThe bigger problem is that Bitmain firmware is generally quite buggy,\u201d said Hilliard.<\/p>\n<p>Indeed, this is not the first time a vulnerability has been found in Bitmain\u2019s firmware. In early 2017, an anonymous security engineer <a href=\"https:\/\/bitcoinmagazine.com\/articles\/bitmain-can-remotely-shut-down-your-antminer-and-everyone-elses\">found<\/a> that almost all Antminer machines could be shut down remotely. Dubbed \u201cAntbleed,\u201d this previous vulnerability could have probably knocked about half of all hash power on the Bitcoin network offline. It was arguably not just a problem for Antminer owners, but a security risk for the entire Bitcoin network.<\/p>\n<h3><strong>The License<\/strong><\/h3>\n<p>Hilliard and 00whiterabbit have not released the exploit code \u2014 but they are developing a version of it to be released eventually. The two are also willing to disclose the vulnerability to Bitmain, allowing the hardware producer to patch their firmware and fix the vulnerability. 
But only if Bitmain stops breaching the GNU GPL.<\/p>\n<p>Bitmain\u2019s firmware is built on the Linux operating system as well as <a href=\"https:\/\/github.com\/ckolivas\/cgminer\" target=\"_blank\" rel=\"noopener\">cgminer<\/a>: open source mining software developed by Hilliard and others. Both Linux and cgminer are licensed under the GNU GPL. This widely used open source license allows anyone the freedom to run, study, share and modify the software \u2014 under the condition that the resulting software is free, too.<\/p>\n<p>\u201cLegally, therefore, Bitmain\u2019s firmware should be open source as well,\u201d Hilliard explained. \u201cBut Bitmain doesn\u2019t seem to care about following copyright law. Unfortunately, closed source firmware is not a good thing to have on the Bitcoin network, as stuff like Antbleed can be hidden in it. It&#8217;s a centralization risk.\u201d<\/p>\n<p>It is not very clear <em>why<\/em> the mining giant is breaching the GNU GPL. Hilliard suspects it is \u201cprobably to prevent users from overclocking their machines and support costs associated with that.\u201d Others have suggested Bitmain may prefer to keep its firmware closed source because this makes it harder for attackers to find vulnerabilities.<\/p>\n<p>So far, Bitmain has not commented on the exploit at all, and its firmware is still closed source. As such, there is little reason to believe the company will change its ways now \u2014 though Hilliard remains hopeful Bitmain will comply with the GNU GPL and <a href=\"https:\/\/twitter.com\/james_hilliard\/status\/1095434024032464896\" target=\"_blank\" rel=\"noopener\">encourages<\/a> users to file a request to have the code open sourced.<\/p>\n<p>\u201cIn the past they have released what appeared to be the real source, presumably because there was public pressure to do so,\u201d Hilliard said. 
\u201cSo, maybe?\u201d<\/p>\n<p><em>Bitcoin Magazine reached out to Bitmain to ask what the company knew of the vulnerability that Hilliard found and if it had plans to fix it. We also asked if they had any intention of complying with the GNU GPL. In response, a Bitmain spokesperson issued the following statement:<\/em><\/p>\n<blockquote>\n<p><em>&#8220;We are truly grateful to the open-source community in identifying potential vulnerabilities and we are actively investigating the matter. We will continue to do what is necessary to ensure the best and safest possible mining experience for Antminer customers.&#8221;<\/em><\/p>\n<\/blockquote>\n<p><em>Update (February 28, 2019):<\/em><\/p>\n<blockquote>\n<p>From what I can tell @BITMAINtech\/@Antminer_main has still failed to fix the vulnerability I found even with this update. <a href=\"https:\/\/t.co\/ERGeEaiI3C\">https:\/\/t.co\/ERGeEaiI3C<\/a><\/p>\n<p>\u2014 James Hilliard (@james_hilliard) February 28, 2019<\/p>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>Bitcoin Core contributor James Hilliard appears to have discovered an exploit in Bitmain\u2019s S15 firmware.<\/p>\n","protected":false},"author":2509,"featured_media":7570,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[197,403],"class_list":{"0":"post-20513","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"tag-bitmain","9":"tag-open-source"},"author_data":{"id":2509,"name":"Aaron van 
Wirdum","nicename":"aaron-van-wirdum","avatar_url":"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/12\/aaron-van-wirdum-96x96.jpg"},"featured_image_url":"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/11\/will-this-vulnerability-finally-compel-bitmain-to-open-source-its-firmware.jpg","_links":{"self":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts\/20513","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/users\/2509"}],"replies":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/comments?post=20513"}],"version-history":[{"count":0,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts\/20513\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/media\/7570"}],"wp:attachment":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/media?parent=20513"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/categories?post=20513"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/tags?post=20513"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}