{"id":23953,"date":"2017-04-26T22:39:41","date_gmt":"2017-04-26T22:39:41","guid":{"rendered":"http:\/\/ci027cfe6e700f2697"},"modified":"2017-04-26T22:39:41","modified_gmt":"2017-04-26T22:39:41","slug":"bitmain-can-remotely-shut-down-your-antminer-and-everyone-elses","status":"publish","type":"post","link":"https:\/\/bitcoinmagazine.com\/culture\/bitmain-can-remotely-shut-down-your-antminer-and-everyone-elses","title":{"rendered":"Bitmain Can Remotely Shut Down Your Antminer (and Everyone Else\u2019s)"},"content":{"rendered":"<div id=\"bsf_rt_marker\"><\/div><figure><img decoding=\"async\" src=\"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/11\/bitmain-can-remotely-shut-down-your-antminer-and-everyone-elses.jpg\" title=\"\"><\/figure>\n<p>Major <a href=\"https:\/\/bitcoinmagazine.com\/bitcoin-mining\/bitcoin-mining-hardware\">Bitcoin mining hardware<\/a> producer <a href=\"https:\/\/www.bitmain.com\/\" target=\"_blank\" rel=\"noopener\">Bitmain<\/a> can remotely shut down almost all active Antminer machines. 
Dubbed \u201cAntbleed\u201d, the backdoor could, if abused, knock roughly half of all hash power on the Bitcoin network offline.<\/p>\n<p>\u201cEven if Bitmain had no bad intent, this is a gaping security hole,\u201d said our source, who discovered the backdoor but asked to remain anonymous.<\/p>\n<p>The backdoor code can be seen on <a href=\"https:\/\/pastebin.com\/jREuwQ8b\" target=\"_blank\" rel=\"noopener\">Pastebin<\/a> and on GitHub, and today a <a href=\"http:\/\/www.antbleed.com\" target=\"_blank\" rel=\"noopener\">website<\/a> has been put up for Antbleed as well.<\/p>\n<p><strong>How It Works<\/strong><\/p>\n<p>The Antbleed backdoor is \u201cstupid simple,\u201d as our source described it.<\/p>\n<p>Whenever an Antminer comes online, and then once every one to eleven minutes, it opens a connection to a \u201cport 7000 service\u201d at the domain <a href=\"http:\/\/auth.minerlink.com\/\" target=\"_blank\" rel=\"noopener\">auth.minerlink.com<\/a>, which is <a href=\"https:\/\/lookup.icann.org?name=minerlink.com\" target=\"_blank\" rel=\"noopener\">owned by Bitmain<\/a>. The domain currently does not resolve to any IP address, so the connection fails and the check-in has no effect.<\/p>\n<p>However, the domain could in the (near) future start resolving to an IP address. If that happens, the machine will report its serial number, its <a href=\"https:\/\/en.wikipedia.org\/wiki\/MAC_address\" target=\"_blank\" rel=\"noopener\">MAC address<\/a> and its IP address to Bitmain.<\/p>\n<p>This could be enough for the company to link the machine to a specific user.<\/p>\n<p>\u201cBitmain can use this data to cross-check against customer sales and delivery records, making it personally identifiable,\u201d our source explained. 
\u201cAnd Bitcoin mining is a small industry, so it shouldn\u2019t even be hard to connect the machines to specific pools, or blocks.\u201d<\/p>\n<p>Once the connection is established, the server at the other end, which would be Bitmain\u2019s, sends a message back. If that message is \u201ctrue\u201d, the machine continues mining. If it is \u201cfalse\u201d, the code emits the message \u201cStop mining!!!\u201d<\/p>\n<p>That message is not merely cosmetic: our source tested it on an Antminer and confirmed that the machine does stop mining. Anyone with an affected miner can check this for themselves; <a href=\"http:\/\/www.antbleed.com\" target=\"_blank\" rel=\"noopener\">antbleed.com<\/a> explains how.<\/p>\n<p>The backdoor can be verified by anyone, since it is embedded in the open source firmware code. In fact, it seems rather strange that Bitmain would include such a backdoor \u201cout in the open\u201d, for anyone to see.<\/p>\n<p>Speaking to <em>Bitcoin Magazine<\/em>, <a href=\"https:\/\/bitcoincore.org\/\" target=\"_blank\" rel=\"noopener\">Bitcoin Core<\/a> developer Peter Todd, who was quick to comment on the issue on <a href=\"https:\/\/twitter.com\/peterktodd\/status\/857337673358479360\" target=\"_blank\" rel=\"noopener\">Twitter<\/a> and <a href=\"https:\/\/www.reddit.com\/r\/Bitcoin\/comments\/67qwqv\/antbleed_exposing_the_malicious_backdoor_on\/\" target=\"_blank\" rel=\"noopener\">Reddit<\/a>, suggested:<\/p>\n<p>\u201cBitmain probably underestimated how much source code actually does get audited \u2014 it&#8217;s a common myth that code never gets read. Also, if you&#8217;re going to add a backdoor, you do want plausible deniability in case it does get found. Hiding in plain sight, amongst thousands of lines of undocumented code, helps. 
Perhaps Bitmain will claim this is actually a feature.\u201d<\/p>\n<p><strong>What It Affects<\/strong><\/p>\n<p>The backdoor probably affects most Antminers in use today: the <a href=\"https:\/\/shop.bitmain.com\/product\/detail?pid=000201704120303282920qp75Rg10655\" target=\"_blank\" rel=\"noopener\">S9<\/a>, the <a href=\"https:\/\/shop.bitmain.com\/product\/detail?pid=00020170425095123561SXkfKSo506B3\" target=\"_blank\" rel=\"noopener\">T9<\/a>, the <a href=\"https:\/\/shop.bitmain.com\/product\/detail?pid=00020170113035124055C7pSkE6a066C\" target=\"_blank\" rel=\"noopener\">R4<\/a>, as well as Litecoin\u2019s <a href=\"https:\/\/shop.bitmain.com\/product\/detail?pid=00020161229040715306ygMSJQLh06C0\" target=\"_blank\" rel=\"noopener\">L3<\/a>.<\/p>\n<p>The commit date indicates that the backdoor was introduced in July 2016, one month after the first S9 machines were shipped. All machines that shipped since July 2016 should carry the backdoor, which means Bitmain can shut them down. Machines that shipped before July 2016 but have had their firmware updated since should be vulnerable, too.<\/p>\n<p>\u201cIt\u2019s difficult to say with certainty how much hash power on the Bitcoin network is subject to the vulnerability,\u201d our source said. \u201cBut since Bitmain is by far the market leader for hardware machines, it\u2019s not a stretch to attribute at least half of all hash power to the vulnerable machines. As such, Bitmain could potentially shut down an enormous share of Bitcoin\u2019s hash power with the push of a button. In addition to that, the company can target specific machines or customers.\u201d<\/p>\n<p>And it\u2019s not just Bitmain who could shut down the machines. Because the connection is unauthenticated, the miner talks to whatever host the name \u201c<a href=\"http:\/\/auth.minerlink.com\/\" target=\"_blank\" rel=\"noopener\">auth.minerlink.com<\/a>\u201d resolves to and obeys its answer, so any third party able to redirect that name can impersonate Bitmain\u2019s server and issue the stop command. 
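<\/p>\n<p>The exchange just described, reduced to a runnable model. This is an added example, not Bitmain\u2019s firmware code: a miner-side client reports its serial number, MAC address and IP address to whatever address the service name resolved to and obeys a bare true or false answer, so any host that has taken over that name can make it print \u201cStop mining!!!\u201d and stop. Beside it sits an authenticated version of the same exchange, which is an illustration added here of what the missing authentication would look like and not the fix published on antbleed.com: the miner sends a fresh nonce with each check-in and acts on a stop order only if it carries a valid tag over that nonce. The port, the message layout, the identifiers and the key are assumptions made for illustration; the listeners run on localhost so the example needs no network.<\/p>\n
```python
import hashlib
import hmac
import os
import socket
import threading

# Added example, not Bitmain's firmware: a model of the check-in described
# in the article. Port, message layout, identifiers and key are assumptions.

def serve_once(reply_fn):
    '''Stand-in for the host the name resolved to (auth.minerlink.com:7000).
    Accept one connection on a localhost port, read the report to EOF,
    answer with reply_fn(report) and close. Returns the port to dial.'''
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(('127.0.0.1', 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            report = b''
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                report += chunk
            conn.sendall(reply_fn(report))
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port

def _exchange(resolved_addr, report):
    '''One round trip: send the report, half-close, read the reply to EOF.'''
    with socket.create_connection(resolved_addr, timeout=5) as s:
        s.sendall(report)
        s.shutdown(socket.SHUT_WR)
        reply = b''
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply

def miner_checkin(resolved_addr, serial, mac, ip):
    '''Unauthenticated client as described: whoever answers at resolved_addr
    decides whether this miner keeps running. Returns (keep_mining, log).'''
    report = ('serial=%s,mac=%s,ip=%s' % (serial, mac, ip)).encode()
    if _exchange(resolved_addr, report).strip() == b'false':
        return False, 'Stop mining!!!'
    return True, 'continue'

def _tag(key, nonce, verdict):
    '''HMAC-SHA256 binding a verdict to the nonce of one specific check-in.'''
    return hmac.new(key, (nonce + '|' + verdict).encode(), hashlib.sha256).hexdigest()

def vendor_reply(key, verdict):
    '''Responder holding the key: answers verdict|tag for the miner's nonce.'''
    def reply(report):
        fields = dict(f.split('=', 1) for f in report.decode().split(','))
        return (verdict + '|' + _tag(key, fields['nonce'], verdict)).encode()
    return reply

def miner_checkin_authenticated(resolved_addr, key, serial, mac, ip):
    '''Hardened client: fresh nonce per check-in; a stop order counts only if
    its tag verifies, so a spoofed host or a replayed answer is ignored.'''
    nonce = os.urandom(16).hex()
    report = ('serial=%s,mac=%s,ip=%s,nonce=%s' % (serial, mac, ip, nonce)).encode()
    reply = _exchange(resolved_addr, report).decode(errors='replace')
    verdict, sep, tag = reply.partition('|')
    if not sep or not hmac.compare_digest(tag.encode(), _tag(key, nonce, verdict).encode()):
        return True, 'unauthenticated reply ignored'
    if verdict == 'false':
        return False, 'Stop mining!!!'
    return True, 'continue'

def demo():
    '''The four cases against localhost listeners, with constructed identifiers.'''
    ident = ('SN-EXAMPLE-0001', 'aa:bb:cc:dd:ee:ff', '192.0.2.10')
    key = b'example-verification-key'   # assumption; see the note in the text
    # 1. The name resolves to the vendor, which answers true: keep mining.
    honest = miner_checkin(('127.0.0.1', serve_once(lambda r: b'true')), *ident)
    # 2. The name now resolves to a spoofed host answering false: miner stops.
    spoofed = miner_checkin(('127.0.0.1', serve_once(lambda r: b'false')), *ident)
    # 3. The same spoofed false against the hardened client: no tag, ignored.
    spoof_auth = miner_checkin_authenticated(
        ('127.0.0.1', serve_once(lambda r: b'false')), key, *ident)
    # 4. A false answer from the key holder still stops the hardened client.
    vendor_auth = miner_checkin_authenticated(
        ('127.0.0.1', serve_once(vendor_reply(key, 'false'))), key, *ident)
    return honest, spoofed, spoof_auth, vendor_auth

if __name__ == '__main__':
    print(demo())
```
\n<p>Running it prints the four cases in order: the vendor answering true, a spoofed host answering false (the miner stops), the same spoofed answer against the hardened client (ignored), and a tagged answer from the key holder (still obeyed). Two caveats. The tag uses a shared HMAC key only to keep the example within the standard library; a key baked into open source firmware could be read out of any miner, so a real deployment would carry a public key and verify a signature instead. And authenticating the reply removes only the third-party spoofing; it does nothing about the vendor-operated kill switch itself, which is the concern the rest of this article is about.<\/p>\n<p>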
Apart from Bitmain, that party could, for example, be an internet service provider, the anti-DoS service CloudFlare (which Bitmain uses), or anyone who can hijack the DNS records: rogue ICANN employees, hackers, the U.S. government, and more.<\/p>\n<p>\u201cThe nicest possible explanation is that Bitmain is incompetent at security, putting the whole Bitcoin network at risk,\u201d Todd concluded. \u201cBut given the history we have of miners threatening with attacks, it wouldn&#8217;t surprise me if this was added as a last resort option for shutting down competitors if they needed to push something through with hashing power.\u201d<\/p>\n<p><strong>Update<\/strong><\/p>\n<p>A representative for Bitmain commented on the issue:<\/p>\n<p>&#8220;The code running on the machines is open source, everyone can review it so no secret features exist in it. The code that was pointed out is a feature to allow owners of the Antminers to be able to remotely control their miners. It is not a secret and it does not provide any kind of remote control to Bitmain for the Antminers it does not own or operate in its own mining farms.&#8221;<\/p>\n<p><em>(Note: The representative provided this comment shortly before publication of the article, but due to a miscommunication this update was added only shortly after publication.)<\/em><\/p>\n<p><strong>Update<\/strong><\/p>\n<p>It should be noted that if you own an affected machine, a fix is available on <a href=\"http:\/\/www.antbleed.com\" target=\"_blank\" rel=\"noopener\">antbleed.com<\/a> as well.<\/p>\n<p><strong>Update<\/strong><\/p>\n<p>Bitmain has issued an official <a href=\"https:\/\/blog.bitmain.com\/en\/antminer-firmware-update-april-2017\/\" target=\"_blank\" rel=\"noopener\">press release<\/a> commenting on the issue. 
In it, the company acknowledges the existence of the feature, stating:<\/p>\n<p>&#8220;This feature was intended to allow the owners of Antminer to remotely shut down their miners that may have been stolen or hijacked by their hosting service provider, and to also provide law enforcement agencies with more tracking information in such cases. We never intended to use this feature on any Antminer without authorization from its owner.&#8221;<\/p>\n<p><em>This story will be updated as more news becomes available.<\/em><\/p>\n<p><em>The identity of our source is known to us and considered to be reliable.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Major Bitcoin mining hardware producer Bitmain can remotely shut down almost all active Antminer machines. Dubbed the \u201cAntbleed\u201d backdoor, abuse of the vulnerability could probably knock half of all hash power on the Bitcoin network offline. \u201cEven if Bitmain had no bad intent, this is a gaping security hole,\u201d said our source, who discovered the [&hellip;]<\/p>\n","protected":false},"author":2509,"featured_media":23954,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[464,197,556,97,330],"class_list":{"0":"post-23953","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-culture","8":"tag-asics","9":"tag-bitmain","10":"tag-blockchain","11":"tag-mining","12":"tag-security"},"author_data":{"id":2509,"name":"Aaron van 
Wirdum","nicename":"aaron-van-wirdum","avatar_url":"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/12\/aaron-van-wirdum-96x96.jpg"},"featured_image_url":"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/11\/bitmain-can-remotely-shut-down-your-antminer-and-everyone-elses.jpg","_links":{"self":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts\/23953","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/users\/2509"}],"replies":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/comments?post=23953"}],"version-history":[{"count":0,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts\/23953\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/media\/23954"}],"wp:attachment":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/media?parent=23953"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/categories?post=23953"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/tags?post=23953"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}