There have been recent allegations that Bitmain can shut down all of its Antminer mining hardware remotely. This supposed “backdoor” vulnerability has been dubbed “Antbleed,” and can be viewed via lines of code on Github and Pastebin. The website antbleed.com was created apparently to explain the vulnerability to the public.
According to the website, the process of shutting down the mining hardware is accomplished when Antminer firmware connects with the centralized service every 1 to 11 minutes. The Antbleed website clarified what happens when the miner connects with the central server,
“Each check-in transmits the Antminer serial number, MAC address and IP address. Bitmain can use this check-in data to cross check against customer sales and delivery records making it personally identifiable. The remote service can then return “false” which will stop the miner from mining.”
The Antbleed website authors claimed the vulnerability could allow for the mass shutdown of miners worldwide, contributing to a loss of about 70% of the hashing power. They mentioned this vulnerability could allow Bitmain or government officials to disrupt or target specific miners.
They also suggested that even if Bitmain is not being malicious, the API is non-authenticated and could cause disastrous problems in the event of a hijack or hack. This would likewise shutdown Antminers on a global scale.
However, the Bitcoin developer Sergio Demian Lerner did not see the problem as that significant or devastating. He tweeted that it’s not necessarily exploitable anyway, depending on the code. According to his tweet, the way the code is set up does not allow for easy hacking or backdoor usage.
unexploitable out-of-buffer read access in if(strstr(rec,"false")) as rec may not be zero-ended if 1024 bytes are received.
— Sergio Demian Lerner (@SDLerner) April 26, 2017
Bitmain’s Blog Response to Accusations
In a news post, Bitmain also rejected claims that their “Antbleed” code is malicious. They called it open source and available for all to see. It was not intended to be nefarious. It was only supposed to be a feature. Bitmain said they meant for this feature to allow customers to have access to shutting off their miners in case they were stolen or put into use by others. They even cited some statistics about when miners were withheld or stolen by others:
“In 2014, around 1,000 Antminers were withheld from the owner by a hosting service provider in Shenyang, China. In 2015, around 2,000 units of Antminers were withheld from the owner by a hosting service provider in Georgia. In 2017, Bitmain’s own miners were withheld and sold without its consent in Canada.”
They went on to state that the feature was implemented to provide law enforcement with more tracking information if miners were indeed stolen. Their post said they never planned on arbitrarily shutting off anyone’s mining equipment without proper consent or authorization. The company compared their feature to Smartphone auto erase or remote shutdown functionality.
Bitmain also admits they never completed the auto shutdown feature on their blog post. They said it was started when they began development on Antminer S7, and wanted to finish it on the S9. The project came to a halt due to technical difficulties. They claimed the leftover code is merely a bug—and combined with the scaling debate in the bitcoin community—it has caused mass misunderstanding based on old grudges.
Bitmain Offers Solution to Vulnerability
Nonetheless, Bitmain quickly offered a solution to the “bug.” They said, “we have released the new updated source-code on GitHub and new firmware on our website which removes this bug.” Bitmain suggested that all Antiminer owners upgrade their software to an updated list provided in their blog article. They also advised no one to download any “firmware” from third-party contributors, because it could lead to problems with hardware functioning and be susceptible to attacks from hackers.
Do you think “Antbleed” is a purposeful vulnerability or an accidental bug? Let us know in the comments below.
Images via Shutterstock and Bitmain.com