Bitmain Can Remotely Shut Down Your Antminer (and Everyone Else’s)

Major Bitcoin mining hardware producer Bitmain can remotely shut down almost all active Antminer machines. Dubbed the “Antbleed” backdoor, abuse of the
Major Bitcoin mining hardware producer Bitmain can remotely shut down almost all active Antminer machines. Dubbed the “Antbleed” backdoor, abuse of the
Privacy & security - Bitmain Can Remotely Shut Down Your Antminer (and Everyone Else’s)

Major Bitcoin mining hardware producer Bitmain can remotely shut down almost all active Antminer machines. Dubbed the “Antbleed” backdoor, abuse of the vulnerability could probably knock half of all hash power on the Bitcoin network offline.

“Even if Bitmain had no bad intent, this is a gaping security hole,” said our source, who discovered the backdoor but asked to remain anonymous.

The backdoor code can be seen on Pastebin and on GitHub, and today a website has been put up for Antbleed as well.

How It Works

The Antbleed backdoor is “stupid simple,” as our source described it.

Whenever an Antminer appears online, and once every one to eleven minutes, it contacts a “port 7000 service” on the domain auth.minerlink.com, which is owned by Bitmain. The domain currently does not connect to any IP-address, and therefore does nothing.

However, the domain could in the (near) future start connecting to a corresponding IP-address. If that happens, it will report the Antminer’s serial number as well as the MAC address and the IP-address to Bitmain. 

This could be enough for the company to link the machine to a specific user.

“Bitmain can use this data to cross check against customer sales and delivery records making it personally identifiable,” our source explained. “And Bitcoin mining is a small industry, so it shouldn’t even be hard to connect the machines to specific pools, or blocks.”

Once connected, the server the Antminer connects to — Bitmain’s server — sends a message back. If that message is “true”, the machine will continue mining. But if that message is “false”, the code produces a piece of text that reads: “Stop mining!!!”

It seems obvious that this piece of text would make the machine stop mining, which is indeed confirmed by our source, who tested it on an Antminer machine. Additionally, it can be checked by anyone with an affected miner; antbleed.com explains how.

The backdoor can be verified, since it is embedded in open source code. In fact, it seems rather strange Bitmain would include such a backdoor “out in the open”, for anyone to see.

Speaking to Bitcoin Magazine, Bitcoin Core developer Peter Todd, who was quick to comment to the issue on Twitter and Reddit, suggested:

“Bitmain probably underestimated how much source code actually does get audited — it's a common myth that code never gets read. Also, if you're going to add a backdoor, you do want plausible deniability in case it does get found. Hiding in plain sight, amongst thousands of lines of undocumented code, helps. Perhaps Bitmain will claim this is actually a feature.”

What It Affects

The backdoor probably affects most Antminers in use today: the S9, the T9 the R4, as well as Litecoin’s L3.

The commit date indicates the backdoor was introduced in July 2016. This is one month after the first S9 machines were shipped. All machines that shipped since July 2016 should have the backdoor on board, which means they can be shut down by Bitmain. Machines that were shipped before July 2016, but have been updated since, should be vulnerable, too.

“It’s difficult to say with certainty how much hash power on the Bitcoin network is subject to the vulnerability,” our source said. “But since Bitmain is by far the market leader for hardware machines, it’s not a stretch to attribute at least half of all hash power to the vulnerable machines. As such, Bitmain could potentially shut down an enormous share of Bitcoin’s hash power with the push of a button. In addition to that, the company can target specific machines or customers.”

And it’s not just Bitmain who could shut down the machines. Because the connection is unauthenticated, the code will connect to anything that appears like "auth.minerlink.com", which can be spoofed by certain third parties. Apart from Bitmain, it could, for example, be an internet service provider, anti-DoS service CloudFlare (used by Bitmain), or anyone who can hijack DNS records: rogue ICANN employees, hackers, the U.S. government, and more.

“The nicest possible explanation is that Bitmain is incompetent at security, putting the whole Bitcoin network at risk,” Todd concluded. “But given the history we have of miners threatening with attacks, it wouldn't surprise me if this was added as a last resort option for shutting down competitors if they needed to push something through with hashing power.”

Update 

A representative for Bitmain commented on the issue:

"The code running on the machines is open source, everyone can review it so no secret features exist in it. The code that was pointed out is a feature to allow owners of the Antminers to be able to remotely control their miners. It is not a secret and it does not provide any kind of remote control to Bitmain for the Antminers it does not own or operate in its own mining farms."

(Note: The representative provided this comment a bit before publication of the article, but due to a miscommunication this update was added only briefly after publication.)

Update 

It should be noted that if you own an affected machine, a fix is available on antbleed.com as well.

Update

Bitmain has issued an official press release commenting on the issue. In it, the company acknowledges the existence of the feature, stating:

"This feature was intended to allow the owners of Antminer to remotely shut down their miners that may have been stolen or hijacked by their hosting service provider, and to also provide law enforcement agencies with more tracking information in such cases. We never intended to use this feature on any Antminer without authorization from its owner."

This story will be updated as more news becomes available.

The identity of our source is known to us and considered to be reliable.