In 2013, he bought bitcoins for 4,800 €, today they are worth almost 3 million euros – He has long forgotten the password, and then an unusual idea came to him

Necessity is the mother of invention: How a seemingly lost Bitcoin account became a fortune is worthy of a movie.

What idea did he come up with? The protagonist of this drama surrounding a crypto wallet, referred to only as “Michael” by the original source Wired, faced a problem: In 2013, he had purchased and stored Bitcoin worth approximately 4,800 euros. Now, the Bitcoins are worth nearly 3 million euros – but he could no longer access them.

To protect his investment, he secured access using the program RoboForm. It generated a 20-character password for him back then. However, this was lost for unknown reasons. What to do? He decided to have his own account hacked and reached out to an expert in the field.

An almost uncrackable program

Whom did he contact? Michael contacted Joe Grand, also known as Kingpin. The electrical engineer is a well-known expert in hardware hacking in America, and he is also skilled at delicate work on software security problems. He gained fame through appearances on American television.

One of his specialties is reverse engineering: the in-depth analysis of a device or program to understand how it works. In the case of security systems, this can reveal, for example, how passwords are generated. After initial hesitation, Grand took on the task with a German colleague.

What exactly was the challenge? Ultimately, Michael only knew a few details; he knew:

  • The password has 20 characters.
  • It must have been generated sometime in 2013 – when exactly is unclear.
  • It contained no special characters, consisting only of numbers and letters.
  • The program used was called RoboForm, and the version used was released in 2013.

Did they manage to guess the password? Guessing, no; but ultimately Michael accessed the Bitcoins worth about 3 million euros, though the path there was rocky. They quickly ruled out the classic approach of guessing the password through countless attempts – it would simply be too time-consuming.

How did they succeed? After months of research and work, they managed to exploit a tiny vulnerability in the version of RoboForm that was current at that time: The date and time of the password creation formed the basis for the key generation – and this process was not as random as one might think. So, if someone knew the exact time of creation, the password could be recreated.

Ultimately, using recorded activity of the Bitcoin wallet from spring 2013 and much trial and error, they were able to regenerate the correct password, which had been created on May 15, 2013, at 4:10 PM GMT.
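The weakness described above, as an added example that is not code from the article or from RoboForm: a toy generator seeds Python's `random` with the creation second, so a known time window reproduces the password, while a generator built on `secrets` does not. All function names and the seconds value of the sample timestamp are assumptions made for this illustration.

```python
import random
import secrets
import string
from datetime import datetime, timedelta, timezone

# 20 characters, letters and digits only, as described in the article.
ALPHABET = string.ascii_letters + string.digits
LENGTH = 20
# Constructed sample: the article gives 4:10 PM GMT; the seconds value is made up.
DEMO_CREATED = datetime(2013, 5, 15, 16, 10, 40, tzinfo=timezone.utc)
DEMO_WINDOW_START = datetime(2013, 5, 15, 16, 0, 0, tzinfo=timezone.utc)


def weak_password(created):
    """Toy stand-in (not RoboForm's algorithm): PRNG seeded with the clock."""
    rng = random.Random(int(created.timestamp()))
    return "".join(rng.choice(ALPHABET) for _ in range(LENGTH))


def strong_password():
    """Hardened form: each character is drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))


def find_creation_time(password, start, seconds):
    """Return the second in [start, start + seconds) that reproduces password."""
    for offset in range(seconds):
        moment = start + timedelta(seconds=offset)
        if weak_password(moment) == password:
            return moment
    return None  # not reproducible from any clock value in the window


def keyspace_comparison():
    """(clock seeds in all of 2013, 20-character alphanumeric strings)."""
    year = datetime(2014, 1, 1, tzinfo=timezone.utc) - datetime(2013, 1, 1, tzinfo=timezone.utc)
    return int(year.total_seconds()), len(ALPHABET) ** LENGTH


if __name__ == "__main__":
    pw = weak_password(DEMO_CREATED)
    print("clock-seeded password:", pw)
    print("recovered creation time:", find_creation_time(pw, DEMO_WINDOW_START, 3600))
    print("seeds in 2013 vs. random keyspace:", keyspace_comparison())
    print("CSPRNG password in same window:", find_creation_time(strong_password(), DEMO_WINDOW_START, 3600))
```

The comparison is the point for anyone reviewing a generator: a clock seed with one-second resolution leaves about 31.5 million possible passwords for the whole year, against 62^20 for a truly random 20-character alphanumeric string.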

What can the average user of security software learn from this? Keep your software, especially antivirus programs, password managers, and the like, up to date. The flaw that made the passwords traceable rather than random was fixed by the developer of RoboForm in 2015.

In stark contrast to the hacker at the center of this article, there are also people in the vastness of the internet who are far less helpful. A US security company narrowly averted a catastrophe within its own ranks: "The new colleague is a cybercriminal from North Korea: US computer security company escapes attack"

Source(s): xataka
This is an AI-powered translation. Some inaccuracies might exist.