IronKey USB flash drive has been cracked non-destructively, and 7,002 Bitcoins worth over $200 million may come to light again

Compiled/Squidward

Produced by Gyro Finance

On a Wednesday in late September, at 9:30 a.m., a hacker who called himself Tom Smith sent me (the original author Andy Greenberg, a senior writer at Wired magazine) a confusing text message: "query voltage recurrence".

These three words prove a remarkable feat, and probably an extremely valuable one. A few days ago, I randomly generated these three words and set them as the encrypted password for an IronKey S200 USB flash drive. I then gave the USB drive to the Seattle lab of a startup called Unciphered, where Smith works.

Unciphered Seattle Lab Staff Photo: Meron Menghistab

Smith told me it would take days to guess my password, and in fact, I didn't think they would be able to guess it at all. IronKey is designed so that as long as someone enters the wrong password 10 times, IronKey will permanently delete the contents of the USB flash drive. But the hackers at Unciphered say they have developed a secret IronKey password-cracking technique that they still refuse to fully describe to me or anyone outside their company. This technology allows them to enter the password unlimited times for cracking attempts without destroying the contents of the USB flash drive. The morning after my USB flash drive arrived at the Unciphered laboratory, I saw the password text message they cracked, which surprised me. Smith said that with the help of high-performance computers, the entire process only took 200 trillion attempts.

Smith's demonstration was not a party trick among hacker groups. He and the Unciphered team spent nearly eight months developing the technology to crack the IronKey password for a very special reason: they believed that in a Swiss bank vault 5,000 miles east of the Seattle laboratory, there is an IronKey containing the keys to 7,002 Bitcoins that can also be cracked using the technology they developed. This would be a huge fortune. At current prices, these Bitcoins are worth nearly $235 million.

For years, many at Unciphered and in the hacker and crypto community have been following Stefan Thomas, a Swiss crypto entrepreneur living in San Francisco, who holds the priceless IronKey USB drive mentioned above and has lost its unlock password. He said in an interview that he had tried the wrong password eight times, leaving him only two more chances before IronKey deletes the keys stored on it. If all ten chances run out, he will never be able to get back these Bitcoins.

Unciphered Lab screen showing microscopic image of IronKey control chip layout and CT scan image of hard drive Photo: Meron Menghistab

Now, after months of hard work, Unciphered's hackers believe they can open Thomas' locked treasure chest, and they're ready to use secret cracking techniques to do so. "We were hesitant to contact him until we had a complete, provable, reliable crack," said Smith, who asked Wired magazine not to reveal his real name because of the sensitivity of using secret hacking techniques and the huge amounts of cryptocurrency involved.

The only problem is: Thomas doesn't seem to need their help.

Earlier this month, shortly after giving me a technical demonstration of the cracking method, Unciphered contacted Thomas through a mutual friend who could vouch for the company's new IronKey unlocking technology, and offered to help. On the phone, before even discussing Unciphered's commission or fees, Thomas politely declined.

Thomas explained that he had reached a "handshake agreement" with two other cracking teams a year ago. To prevent the two teams from competing with each other, he offered both teams a portion of the proceeds if either team could unlock the USB drive. Even a year later, he remains committed to giving those teams more time to figure it out before bringing in other teams, although neither team has given any indication that it can complete the decryption that Unciphered has accomplished.

This puts Unciphered in an awkward position: It has perhaps one of the most valuable decryption tools in the cryptocurrency world, but no "lock" to open. "We cracked IronKey," said Nick Fedoroff, Unciphered's director of operations. "But now we have to convince Stefan, and that's proving to be the hardest part."

In an email to Wired, Thomas confirmed that he had rejected Unciphered's offer to unlock his crypto wealth. Thomas wrote in the email: "I am already working with another group of experts for recovery, so I am no longer free to negotiate with new people. It's possible that if the current team decides that working with Unciphered is a good option, they will decide to subcontract it out. We'll see." Thomas declined to be interviewed or make further comment.

01

A very valuable but "useless" USB flash drive

Thomas has said in past interviews that his 7,002 Bitcoins were the reward he received in early 2011 for creating a video called "What is Bitcoin?", when one Bitcoin was worth less than a dollar. Later that year, he told Wired magazine that he had accidentally deleted two backups of his wallet that held thousands of Bitcoins, and then lost the password slip for the third backup, which was stored on the IronKey. By then, the value of his lost coins was close to $140,000. Thomas said he spent a week trying to retrieve his password, which was a painful process.

In the 12 years since then, the value of the inaccessible bitcoins on Thomas' IronKey has sometimes skyrocketed to nearly $500 million, and sometimes fallen back to the still-staggering value it has today. In January 2021, as Bitcoin began to approach its price peak, Thomas described to the New York Times the distress his long-hoarded Bitcoin had caused him over the years. He said: "As soon as I lie in bed and think about it, I will go to the computer and try some new strategies, but they will not work, which will make me despair again."

Around the same time in 2021, a team of cryptographers and white hat hackers founded Unciphered with the goal of unlocking the huge amounts of frozen funds that cryptocurrency holders like Thomas had long since given up on. Cryptocurrency analysis firm Chainalysis estimated that the total value of these wallets forgotten on the blockchain was $140 billion when Unciphered officially launched. Unciphered said it has successfully helped customers open locked wallets worth millions of dollars, often through new cryptographic vulnerabilities or software flaws it discovered in their cryptocurrency wallets. However, the funds of these customers are far from the scale of Thomas' IronKey.

Deconstructed IronKey in Unciphered laser cutting tool Photo: Meron Menghistab

It wasn't until around early 2023 that Unciphered began looking at potential ways to unlock IronKey. They soon discovered some clues. The manufacturer of IronKey was sold to storage hardware company Imation in 2011, which left them with some potential opportunities. Smith said that they had already discovered some possible vulnerabilities of the USB flash drives. (Kingston Storage, which now owns IronKey, did not respond to WIRED's request for comment.)

Even the decade-old IronKey is a formidable target for hackers. The USB drive was developed in part with funding from the U.S. Department of Homeland Security and is FIPS-140-2 Level 3 certified, meaning it is tamper-resistant and its encryption is secure enough for military and intelligence agencies to use it to handle confidential information. However, the founders of Unciphered discovered some clues of security vulnerabilities, and although Thomas was not involved, they decided to take on the task of cracking it. If there was a Mount Everest in the field of cracking USB flash drives, this crack would be it. Unciphered founder Fedoroff eventually assembled a group of about 10 employees and outside consultants, several of whom had backgrounds at the NSA or other government agencies, and called the cracking plan the "Everest Project."

02

A $235 Million Treasure Hunt

Their first step was to determine, using a process of elimination based on time, the exact model of IronKey used by Thomas. They then bought up every supply of that model they could find online, eventually purchasing hundreds of identical IronKeys for their lab.

To fully reverse engineer the device, Unciphered used a CT scanner to scan an IronKey and then began an elaborate deconstruction surgery. They used precise laser cutting tools to carve out the Atmel chip that serves as the "secure enclave" of the USB flash drive, which stores the encrypted information of the USB flash drive. They "stripped" the chips by soaking them in nitric acid, removing the layer of epoxy resin designed to prevent tampering. They then began polishing the chip layer by layer with an abrasive silicon solution and a tiny rotating felt pad, removing a fraction of a micron of material from the chip's surface at a time, taking pictures of each layer with an optical microscope or scanning electron microscope, and repeating this process until they could build a complete 3D model of the processor.

Because the chip's ROM is built into its physical circuit layout, thereby increasing efficiency, Unciphered's visual model gave it a head start in deciphering much of the logic of the IronKey encryption algorithm. But the team went a step further. They installed tenth-millimeter wires at the junctions of the secure elements to "eavesdrop" on communications to and from the secure elements. They even found engineers who had worked on Atmel chips and IronKey to ask for details about the hardware. "It feels a lot like a treasure hunt," Fedoroff said. "It's like you're following a treasure map that's faded and full of coffee stains. You know there's a pot of gold at the end of the rainbow, but you don't know where the rainbow leads."

The cracking process culminated in July, when the Unciphered team gathered at an Airbnb in San Francisco. They described being gathered around a table covered with millions of dollars' worth of lab equipment as a team member read out the decrypted IronKey for the first time. "What just happened?" Fedoroff asked those present. Eric Michaud, CEO of Unciphered, said: "We just climbed Mount Everest."

Unciphered still won't reveal the full extent of its research, nor any details about the technique it ultimately discovered for cracking IronKey and defeating the "counter" that limits password guessing. The company argued that the vulnerabilities they discovered were still potentially dangerous and could not be made public because the IronKey models they cracked were too old to be patched through software updates and some may still contain secret information. If somehow leaked, the impact on national security would be much greater than cracking a cryptocurrency wallet.

The research team noted that the final method they developed did not require any of the invasive or destructive strategies they used in their initial studies. They have now unlocked over a thousand IronKeys from the 2011 version without breaking them, and they also unlocked three IronKeys in a demo for Wired magazine.

03

Mysterious contract

However, none of this convinced Stefan Thomas to let them crack his IronKey. The Unciphered hackers said they learned from the intermediary who contacted Thomas on their behalf that Thomas had been in contact with two other groups in the encryption and hardware hacking community to help him unlock the USB drive. The two teams are cybersecurity company Naxo and independent security researcher Chris Tarnovsky.

Naxo declined WIRED's request for comment. But Chris Tarnovsky, a well-known chip reverse engineer, confirmed to Wired magazine that he had a call with Thomas in May last year. Tarnovsky said that during that call, Thomas told him that if he could successfully unlock IronKey, he would "make a generous donation" but did not specify the fee or commission. Tarnovsky said that since then, he has done very little work on the project, basically waiting for Thomas to start paying him monthly fees for the preliminary research.

But Tarnovsky said he hasn't heard from Thomas since that call, and it seems like nothing happened.

Nick Fedoroff, Chief Operating Officer of Unciphered Photo: Meron Menghistab

Unciphered's team remains skeptical about Naxo's progress and whether it has gotten any further than Tarnovsky. They believe that only a handful of hardware hackers have the ability to perform the reverse engineering required to crack IronKey, and none of them appear to be working with Naxo. As for the subcontracting cooperation proposal proposed by Thomas, Fedoroff said that he would not rule out this possibility, but he believed that if Unciphered alone could crack IronKey, this approach would be meaningless. Based on what Fedoroff knows, he doesn't think it would be in anyone's interest to go down this path.

Meanwhile, Thomas seemed uncharacteristically calm about unlocking his $235 million, only vaguely hinting at why he has not revealed any progress towards this goal. He said in an interview with the Thinking Crypto podcast this summer that when you are faced with so much money, everything becomes very lengthy. You need to sign some contracts with the people you work with, and the contract details must be "flawless". If there is a problem with the contract, hundreds of millions of dollars will be involved in the division of interests.

In order to speed up the process of signing the mysterious contract, Unciphered plans to release an open letter to Thomas and a video in the next few days, aiming to persuade Thomas to cooperate with them, or to put pressure on him. But Fedoroff admitted that Thomas might not really care about the money. The New York Times wrote in a report about Thomas in 2021 that Thomas may already have more wealth than the funds in the USB flash drive, thanks to other cryptocurrency companies.

Fedoroff pointed out that it is still unclear what Thomas has in his IronKey. Perhaps the key to the 7,002 Bitcoins was stored elsewhere, or has disappeared completely.

Unciphered remains hopeful about the collaboration, he said. But the team is ready to move on if Thomas doesn't cooperate with them. After all, the company has other locked wallets that can be hacked.

As for whether and how to unlock the wealth of this special USB flash drive, it will ultimately be decided by its owner alone. "It's very frustrating, but that's always the most complicated part of dealing with people," Fedoroff said. "Code doesn't change, circuitry doesn't change unless you make it change, but people are fickle and unpredictable creatures."

Origin blog.csdn.net/tuoluocaijing/article/details/134152259