Flaws Could Have Exposed Cryptocurrency Exchanges to Hackers

Most people use either an app, an online platform, or a small hardware device as a wallet to store their cryptocurrency safely. The exchanges through which cryptocurrency changes hands, though, and other high stakes operations need something more like a massive digital bank vault. At the Black Hat security conference on Thursday, researchers detailed potential weaknesses in these specially secured wallet schemes, including some that affected real exchanges that have now been fixed.

The attacks aren't the digital equivalent of jackhammering a weak point on a safe or blowing up a lock. They're more like opening an old-timey bank vault with six keys that all have to turn at the same time. Breaking cryptocurrency private keys into smaller chunks similarly means an attacker has to cobble them together first to steal funds. But unlike distributing physical keys, the cryptographic mechanisms that underly multiparty key management are complex and difficult to implement correctly. Mistakes could be costly.

"These organizations are managing a lot of money, so they have quite high privacy and security requirements," says Jean-Philippe Aumasson, cofounder of the cryptocurrency exchange technology firm Taurus Group and vice president at Kudelski Security. "They need a way to split the cryptocurrency private keys into different components, different shares, so no party ever knows the full key and there isn't a single point of failure. But we found some flaws in how these schemes are set up that are not just theoretical. They could really have been carried out by a malicious party."