Author | KIM ZETTER
Compilation | Wu Talks Blockchain
Two years ago, when “Michael,” a cryptocurrency holder, contacted Joe Grand for help recovering about $2 million in Bitcoin he had stored in an encrypted format on his computer, Grand turned him down.
Michael is located in Europe and requested to remain anonymous. He stored his cryptocurrency in a password-protected digital wallet. He used RoboForm Password Manager to generate a password and stored that password in a file encrypted with TrueCrypt. At some point, the file became corrupted and Michael lost access to the 20-digit password he had generated to protect 43.6 BTC (worth $5,300 in 2013). Michael generated the password using RoboForm Password Manager but did not store it in the manager. He was worried that someone could hack into his computer and gain access to the password.
“At the time, I was really paranoid about my safety,” he said with a laugh.
Grand is a well-known hardware hacker who in 2022 helped another crypto wallet holder recover access to $2 million in cryptocurrency that he thought was lost forever after forgetting the PIN to his Trezor wallet. Since then, dozens of people have contacted Grand, hoping he can help them recover their wealth. But Grand, also known as the hacker "Kingpin," has rejected most requests for various reasons.
Grand, an electrical engineer who has been hacking computer hardware since age 10, co-hosted the Discovery Channel's Prototype This in 2008. He now consults with companies that build complex digital systems, helping them understand how hardware hackers like him could potentially compromise their systems. He used sophisticated hardware techniques to hack a Trezor wallet in 2022, forcing the USB-based wallet to reveal its password.
But Michael stores his cryptocurrencies in a software-based wallet, which means Grand's hardware skills are useless this time. He considered brute-forcing Michael's passwords—writing a script to automatically guess millions of possible passwords to find the right one—but decided that was not feasible. He briefly considered that the RoboForm password manager Michael used to generate passwords might have a vulnerability in the way it generated passwords, making it easier for him to guess them. However, Grand wasn't sure such a vulnerability existed.
Michael contacted several people who specialized in cryptography, and they all told him there was “no chance” of getting his funds back. But last June, he contacted Grand again, hoping to convince him to help, and this time Grand agreed to try, teaming up with his friend Bruno, who was also working on digital wallet cracking in Germany.
Grand and Bruno spent months reverse engineering the version of RoboForm they believed Michael was using in 2013 and discovered that the pseudo-random number generator used to generate passwords did have a major vulnerability that made the random numbers not so random. The RoboForm program unwisely tied the random passwords it generated to the date and time on the user's computer - it determined the date and time of the computer and then generated predictable passwords. If you know the date, time and other parameters, you can calculate any password generated at a certain date and time in the past.
If Michael knows the date or approximate time range when he generated his password in 2013, as well as the parameters he used to generate it (such as the number of characters in the password, including uppercase and lowercase letters, numbers, and special characters), this will narrow the possible password guesses to a manageable number. They can then hijack RoboForm's function of checking the computer's date and time to make it believe that the current date is the day in 2013 when Michael generated his password. RoboForm will spit out the same password that was generated on that day in 2013.
There was one problem: Michael couldn't remember exactly when he created his password.
According to the logs from his software wallet, Michael first transferred Bitcoin to his wallet on April 14, 2013. But he could not remember if he generated a password on the same day, or sometime before or after. So, after looking at the parameters of other passwords he had generated using RoboForm, Grand and Bruno configured RoboForm to generate a 20-digit password containing uppercase and lowercase letters, numbers, and eight special characters for the time period from March 1 to April 20, 2013. But it still did not generate a correct password. So Grand and Bruno extended the time period to April 20 to June 1, 2013, using the same parameters. Still no success.
Michael said they kept coming back to him asking if he was sure about the parameters he was using. He stood by his answer.
“They were really annoying me, because who knows what I did 10 years ago,” he recalls. He found other passwords he’d generated with RoboForm in 2013, two of which didn’t use special characters, so Grand and Bruno adjusted them. Last November, they reached out to Michael to schedule a face-to-face meeting. “I thought, ‘Oh my God, they’re asking me to set up my parameters again.’ ”
Instead, they told him they had finally found the correct password - with no special characters. The password was generated on May 15, 2013, at 4:10:40 pm GMT.
"Ultimately, we were lucky to pick the right parameters and time frame. If any of them were wrong, we would...continue to blindly speculate," Grand said in an email to WIRED. "Precomputing all possible passwords would take significantly longer."
Grand and Bruno made a video explaining the technical details in more detail.
RoboForm, developed by US-based Siber Systems, is one of the earliest password managers on the market and currently has more than 6 million users worldwide. According to company reports, Siber appears to have fixed the RoboForm password manager in 2015. Grand and Bruno briefly checked and did not find that the pseudo-random number generator in the 2015 version used the computer time, which led them to believe that Siber removed this feature to fix the vulnerability, but Grand said that a deeper inspection was needed to be sure.
Siber Systems confirmed to WIRED that they did fix the issue in RoboForm version 7.9.14, released on June 10, 2015, but a spokesperson did not respond to questions about how the fix was implemented. In the change log on the company's website, it is mentioned only that Siber programmers made changes to "increase the randomness of generated passwords," but it does not specify how. Siber spokesperson Simon Davis said, "RoboForm 7 was discontinued in 2017."
Grand said that without knowing how Siber fixed the issue, attackers may still be able to regenerate passwords generated by RoboForm versions before the 2015 fix. He also said he was unsure whether the current version contained the issue.
“Until it’s clear how they’ve actually improved password generation in recent versions, I’m still not sure it can be trusted,” he said. “I’m not sure RoboForm knows how serious this particular weakness is.”
Customers may still be using passwords generated before the fix. Siber appears to have never informed customers that they should generate new passwords for important accounts or data when it released fix version 7.9.14 in 2015. The company did not respond to questions about the issue.
If Siber hadn't notified its customers, this would mean that people like Michael who used RoboForm to generate passwords before 2015 and were still using them could have passwords that were easily regenerated by hackers.
“We know that most people don’t change their passwords without being prompted,” Grand said. “I have 935 passwords in my non-RoboForm password manager, 220 of which were generated in 2015 or earlier, and most of them are for sites I still use.”
Depending on how the company fixed the problem in 2015, newer passwords may also be vulnerable.
Last November, Grand and Bruno deducted a percentage of Bitcoin from Michael's account as payment for their work and then gave him the password. At that time, the price of Bitcoin was $38,000 per coin. Michael waited for the price to rise to $62,000 per coin and sold some of it. He now has 30 BTC, worth $3 million, and is waiting for the price to rise to $100,000 per coin.
Michael said he was lucky to have lost his password years ago because otherwise he would have sold his Bitcoin at $40,000 a piece and missed out on a much bigger fortune.
“Forgetting your password is a good thing financially.”
