Defcon hackers crack physical bitcoin Casascius coins

The Casascius coin was shown to be vulnerable to physical attack at this year's Defcon conference.

Aug 13, 2013 at 10:53 a.m. UTC
Updated Sep 9, 2021 at 1:25 p.m. UTC

The Casascius coin was shown to be vulnerable to physical attack at this year's Defcon conference, one of the world's largest hacker conventions. Casascius coins are one form of physical bitcoin, supplied in denominations of 0.5, 1 and 25 BTC. The coins each have a private key printed on them, concealed by a holographic sticker. The Defcon hackers were able to reveal the key and replace the sticker with virtually no sign of tampering.

The private key on each Casascius coin relates to the bitcoin address that holds the value of the coin. The implication of having access to this key is that the balance of the coin's address could be altered. This could be done either to increase the value so as to smuggle money or, more likely, to remove the BTC value from the coin before passing it along to anyone who accepts it as currency.

According to the Coding in my Sleep blog, the "physical attack" was performed by using a hypodermic needle to inject what was described as a "non-polar solvent" between the coin's holographic sticker and brass surface. The solvent had the effect of neutralising the adhesive, thus allowing the sticker to be non-destructively removed.

The private key could then be easily read, and the sticker replaced with new adhesive. The only sign of tampering was a small deformation where the needle had stretched the sticker during insertion, a mark which could be mistaken for normal wear.

Information security expert Vladimir Marchenko told us: "From the very beginning, when Casascius coins were announced I was rather skeptical about this project due to information security concerns. It was clear that if one hides a private key in a physical object there might be a cost-effective non-destructive method to discover the key or otherwise 'counterfeit' the coin.

"Moreover, there is no secret service to go after 'attackers' unlike a case with floating rate notes. With only purely technical measures there will always be a shield-and-sword kind of antagonism, but in this case even temporary advantage of attackers is unacceptable. Today it is chemicals, tomorrow it might be some kind of X-ray analysis detecting traces of metals in the ink used etc. There will inevitably be more and more successful attacks on physical representations of bitcoin that hide the private key inside some physical medium."

Marchenko went on to outline general concerns with physical representations of digital currencies: "What is even more worrying with such types of 'physical bitcoins' is the unknown 'chain of custody' of a private key before it gets embedded in the coin. We might as well all assume that the manufacturer of the coin is an upstanding gentleman with no intent to keep a database of private keys, but there are no guarantees. The first rule of information security is to not take unknown risks. These coins definitely have lots of novelty value and might be an interesting artefact and have some numismatic value. However, I would strongly advise against using such physical coins as a long term storage medium of any non-trivial amount of bitcoins."

Marchenko made the case to us that bitcoin should not be made into physical representations as doing so removes many of the benefits of a digital currency. "Bitcoin is designed as an electronic currency and the safest way to use it is to use it electronically and keep bitcoin transactions on the block chain. Private keys are meant to remain private and never be revealed to any third parties. The moment one starts trading private keys, one is voluntarily forfeiting most of the benefits modern cryptography like bitcoin provides. Those Defcon hackers have clearly demonstrated this concept by picking easy targets, like removing a sticker from a piece of plastic. I would be much more impressed if they had successfully attacked SHA256, RIPEMD or ECDSA."

Image credit: Coding In My Sleep
