The Roboform random password generator has been hacked to recover bitcoins worth over $3 million. The bitcoin had been inaccessible for 11 years after the password was lost.

While the story is interesting because of the value of the bitcoins, what's equally interesting is the tools and techniques used, which are described in a video by the team who carried out the research.

Also of interest is the fact that the weakness in the random password generator that enabled them to break the password comes down to relying on a random generator that used a seed that's replicable - just like we've all been told never to do. In fairness, the creators of the random password generator realized their mistake a long time ago and put it right in later versions.

The Roboform password generator and manager was used by the anonymous owner of the bitcoin wallet to create a password made up of a random mixture of 20 upper and lower case characters and digits.

The owner of the bitcoin wallet generated the password using Roboform and put it in the passphrase container of their Roboform wallet along with copying it to a text file that they then encrypted. The tool used to encrypt the file was TrueCrypt. Unfortunately, the hard disk of the computer became corrupted, and the wallet was then inaccessible. Over time, the value of the bitcoin increased to be worth over $3 million. The owner then contacted offspec.io, a team specializing in password recovery from hardware and software wallets.

While the problem sounded insurmountable at first, the team noticed that after the password was created in 2013, a later update to Roboform was described as increasing the randomness of passwords. They reasoned that this meant there might be a weakness in the original method of generating the passwords, so reducing the complexity.

They ran the old version of Roboform while running a tool called Cheat Engine, which is a memory scanner/debugger usually used for scanning for variables used within a game that allows you to change them. The team used Cheat Engine to look for a password being created to narrow down which bit of Roboform was doing the creation. Having narrowed down the search, they then used the reverse engineering tool Ghidra. This was created by the US National Security Agency, and is now open source. It can be used to reverse engineer and disassemble code.

Having narrowed down which bit of code was being used, the offspec team found a reference to the system time and date, which they hypothesized might mean that Roboform used to use the local system time and date as part of the input to the random password generator. This would mean that the password would have a non-random seed so could be regenerated. Having narrowed down the date when the original password was generated, the researchers ran Roboform multiple times with all the potential passwords based on setting the time and date incrementally throughout the original time period when the password was created. After some fine tuning (the original owner recollected he used upper and lower case alphabetic characters, numeric digits and special characters, but it turned out he didn't include special characters), the process worked and the team got the password.

Later versions of Roboform don't include this weakness.

More Information

Offspec.io Website

Ghidra Website

Cheat Engine Website

 Roboform Website

Related Articles

Inside Random Numbers

W3C Declares WebAuthn Official

GitHub Announces Passkey Authentication Beta

The Ultimate Guide to Password Safety

Password Cracking RAR Archives With Perl

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Comments

Make a Comment or View Existing Comments Using Disqus

or email your comment to: comments@i-programmer.info