Could attackers make your web browser mine for bitcoins? How about your TV? Security flaws in some systems might make it possible, say experts.
German researchers have discovered a flaw in Hybrid Broadcast Broadband TV (HbbTV) television sets that could allow an attacker to run malicious code, including bitcoin miners, says one report.
These devices are among a growing number of Smart TVs, which stay connected to the Internet and access online services alongside digital broadcast TV to improve the viewing experience. The research was carried out by Marco Ghiglieri, Florian Oswald and Erik Tews of the Technical University of Darmstadt. Martin Herfurt of the German consultancy Nruns also examined the Samsung HbbTV sets in question, and found flaws that would allow attackers to inject their own content.
This has happened before with other Samsung TVs. Some believe that it is possible to run bitcoin miners on hacked devices such as these.
“It is completely possible, and some Smart TVs have been hacked remotely,” said cryptography and security expert Sergio Lerner, CEO of Argentinian company Certimix, who is involved in testing security flaws in the Bitcoin protocol.
SC Magazine’s report argues that a browser-based JavaScript miner, such as Bitcoin Plus, could be used to turn smart TV browsers into miners. The miner is loaded by a small snippet of embed code that references a remote JavaScript file and can be pasted into any web page (there’s also a WordPress plugin). Browsers that visit a page carrying the snippet start mining for as long as the page stays open, with the proceeds credited to the page owner’s address.
We have seen others using the idea of embedded JavaScript to ‘steal’ CPU power from visiting computers. One savvy team of programmers has created Smidge, a technology that divides problems between lots of computers visiting a single web site. They’re using it to solve chess problems now, but a web-based distributed bitcoin miner surely can’t be far away, says one.
Using lots of computers to do your bidding without consent is known as botherding, and a network of these zombie machines is called a botnet. Perhaps we should call the same technique for mining bitcoins bitherding. And such a network would be a bitnet.
“I assume you can use pretty much any system and any hardware to mine bitcoins, it’s just a matter of efficiency,” says Claudio Guarnieri, a researcher at security firm Rapid7, who has explored bitnets such as Skynet in the past. Those generally rely on malware installed on the victim’s machine, whereas the ‘attacks’ discussed here use JavaScript not to install anything, but simply to have the victim’s browser perform some free computation.
The problem with bitherding using CPU power is that you just need so much of it, points out Guarnieri, disagreeing with Nadolny. “Both the cases that you specified are interesting hacks, but they will never be a profitable way to mine Bitcoins: using JavaScript would just be too slow.”
Skynet had between 150,000 and 200,000 hosts, and that was relatively successful, he said. Lerner agrees. “A Smart TV would be a very slow Bitcoin miner and you will need thousands of TVs to earn something meaningful. Not a good source of income,” he asserts.
It would be very slow. An Intel Core 2 Duo delivers around 2.5 megahashes per second of SHA-256, so roughly 240 such visitors would have to be on your site at once to match the hash rate of a single AMD Radeon HD 7970 graphics card, at around 600 megahashes per second.
That said, it isn’t outside the realm of possibility to drive a GPU from a web page, which would raise the available computing power. WebGL, the browser API for hardware-accelerated graphics, has already been used to build hardware-accelerated examples.
You might have more of a chance making this work with a Scrypt-based currency. Scrypt is friendlier to CPUs and GPUs than SHA-256, and many Scrypt coins have a much lower network hash rate to compete against: Feathercoin’s current network hash rate is around 660 megahashes per second, making those 240 CPUs far more tractable.
That assumes that these unwitting visitors are not doing anything else with their computer, and stay on your web site. But then, how do you get people to stay on the page? You’d need sustained, constant hit rates, with people keeping the page open, to make the mining work. That’s fine if you’re enlisting a bunch of volunteers (in which case, it isn’t a bitnet, it’s a community). Less so if you’re trying to deceive people into browser-based mining.
You’d need to embed this on a very popular site, and if you’re the type of person to bitherd anyway, you’d probably just infect visitors’ computers with a drive-by download, so that you could have them mine unwittingly even when they’re off the site.
The most appropriate way to mount a bitherding attack would be to compromise a machine directly and have it use its GPU, agrees Guarnieri. “There are tons of botnets dropping bitcoin miners, in most cases they actually just embed a legitimate mining client like the Ufasoft one,” he says.
Alternatively, you’d target gaming-optimised systems, which are more likely to have the kind of graphics hardware known for high hash rates. This is exactly what the E-Sports Entertainment Association (ESEA) did when it embedded bitcoin mining software inside its client, allegedly as an April Fool’s prank, and irritated its users. The client was designed to stop other players cheating while you were playing online games, but the firm included the bitcoin mining code as a covert extra, before pulling the patch some weeks later in response to user complaints.
In short, then, hacking TVs to mine bitcoins, or tricking computers into mining them simply by visiting a web site, is a specious proposition. There are far easier ways to covertly strongarm people into mining your coins for you. But if you wanted to marshal a team of non-technical volunteers into knowingly mining Scrypt-based currencies for a good cause, that idea may just have legs.