As if Bitmain’s year hasn’t been rough enough, having posted big losses and laying off entire departments, its flagship product now has a firmware vulnerability.
A few weeks ago, Bitcoin Core contributor James Hilliard discovered an exploit in Bitmain’s S15 firmware. The pseudonymous Twitter user 00whiterabbit, also known simply as “john,” subsequently wrote exploit code based on Hilliard’s findings. A video proving that the exploit code worked was shared on Hilliard’s Twitter account last week.
Hilliard is offering to disclose the vulnerability to Bitmain but under one condition: Bitmain would have to comply to the GNU General Public License (GNU GPL), the popular open source license that the Chinese mining giant is currently breaching, and open source its firmware.
“Bitmain firmware is very buggy in general,” Hilliard told Bitcoin Magazine, “and it's important for the health of the Bitcoin network that users be able to fix the bugs Bitmain introduces.”
Hilliard, who is perhaps best known for proposing BIP91, discovered the vulnerability several weeks ago by auditing a firmware update file on Bitmain’s support site. While details have not yet been disclosed, the exploit was found in firmware of the S15, the company’s most powerful SHA256 miner in store. Hilliard thinks the same vulnerability almost certainly exists in all of Bitmain’s mining firmware.
“I’m also quite sure there are many other vulnerabilities in the firmware,” he added. “It is very poorly designed when it comes to security.”
When exploited, the vulnerability gives users root access to the machine — which is supposed to be impossible. In theory, this can be done remotely using just the IP address of the miner, and means the machine can be reprogrammed to do just about anything. This includes mining to a different Bitcoin address or having it stop mining entirely. The firmware could also be replaced by different firmware altogether (such as Braiins OS or Dragonmint firmware).
In practice, however, it’s unlikely the machines can be remotely exploited at all. For one, as long as the miner is properly firewalled and/or protected with a strong username and password, it cannot be broken into. And second, without access to the firmware’s source code, it's difficult to make compatible custom firmware. As such, this specific vulnerability is perhaps not the main issue. “The bigger problem is that Bitmain firmware is generally quite buggy,” said Hilliard.
Indeed, this is not the first time a vulnerability has been found in Bitmain’s firmware. In early 2017, an anonymous security engineer found that almost all Antminer machines could be shut down remotely. Dubbed “Antbleed,” this previous vulnerability could have probably knocked about half of all hash power on the Bitcoin network offline. It was arguably not just a problem for Antminer owners, but a security risk for the entire Bitcoin network.
Hilliard and 00whiterabbit have not released the exploit code — but they are developing a version of it to be released eventually. The two are also willing to disclose the vulnerability to Bitmain, allowing the hardware producer to patch their firmware and fix the vulnerability. But only if Bitmain stops breaching the GNU GPL.
Bitmain’s firmware is built on the Linux operating system as well as cgminer: open source mining software developed by Hilliard and others. Both Linux and cgminer are licensed under the GNU GPL. This widely used open source license allows anyone the freedom to run, study, share and modify the software — under the condition that the resulting software is free, too.
“Legally, therefore, Bitmain’s firmware should be open source as well,” Hilliard explained. “But Bitmain doesn’t seem to care about following copyright law. Unfortunately, closed source firmware is not a good thing to have on the Bitcoin network, as stuff like Antbleed can be hidden in it. It's a centralization risk.”
It is not very clear why the mining giant is breaching the GNU GPL. Hilliard suspects it is “probably to prevent users from overclocking their machines and support costs associated with that.” Others have suggested Bitmain may prefer to keep its firmware closed source because this makes it harder for attackers to find vulnerabilities.
So far, Bitmain has not commented on the exploit at all, and its firmware is still closed source. As such, there is little reason to believe the company will change its ways now — though Hilliard remains hopeful Bitmain will comply with the GPU GPL and encourages users to file a request to have the code open sourced.
“In the past they have released what appeared to be the real source, presumably because there was public pressure to do so,” Hilliard said. “So, maybe?”
Bitcoin Magazine reached out to Bitmain to ask what the company knew of the vulnerability that Hilliard found and if it had plans to fix it. We also asked if they had any intention of complying with the GNU GPL. In response, a Bitmain spokesperson issued the following statement:
"We are truly grateful to the open-source community in identifying potential vulnerabilities and we are actively investigating the matter. We will continue to do what is necessary to ensure the best and safest possible mining experience for Antminer customers."
Update (February 28, 2019):
From what I can tell @BITMAINtech/@Antminer_main has still failed to fix the vulnerability I found even with this update. https://t.co/ERGeEaiI3C
— James Hilliard (@james_hilliard) February 28, 2019