Backdoor Exploit Discovered in Popular Bitcoin Mining Equipment

BitMain is one of the leading Bitcoin mining equipment manufacturers in the world. The company's AntMiner range of specialized mining hardware accounts for over 70 percent of all mining hardware, which could be at risk following the discovery of the Antbleed security flaw.

An anonymous researcher caused a storm in the mining community by spreading word on Twitter of a backdoor, Antbleed, found in equipment made by Bitmain, the world's largest supplier of cryptocurrency mining equipment.

It turned out that the backdoor appeared in the firmware code in July 2016, and that researchers tried to inform Bitmain about the issue in September 2016 through the company's GitHub repository. The report was ignored, however, until an unknown well-wisher drew public and media attention to the problem.

The official Antbleed website explains that Bitmain devices contact auth.minerlink.com once every 1-11 minutes, and that the domain is owned by Bitmain. During each check-in, the device transmits its serial number, MAC address and IP address to that host.

Bitmain can check this data against its sales lists and delivery reports, identifying a device and associating it with a particular user. In turn, the piece of code in question means that if the response to the device's request is "False", the miner will stop working and be disabled.

The anonymous researcher notes that inbound firewall rules will not protect a device, because Antbleed works over outbound connections. The backdoor has reportedly been found in S9-series devices and earlier versions of the S9. Antbleed is also likely present in the L3, T9 and R4 models, although this is only the unknown researcher's assumption.


To check whether Antbleed is active on your device, the researcher proposed modifying the /etc/hosts file by adding the line 139.59.36.141 auth.minerlink.com. This causes the device to connect to the researcher's test server, which runs this code, different from the code on Bitmain's servers. If the device is vulnerable, mining will stop in 11 minutes.

To protect against Antbleed, the researcher offers a proven and simple method: edit /etc/hosts again, redirecting auth.minerlink.com to localhost (127.0.0.1 auth.minerlink.com).
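A small audit script for the /etc/hosts check and mitigation described above, added here as an example and not taken from the researcher or from Bitmain. The function names are hypothetical, and the script assumes the resolver on the device uses the first matching hosts entry.

```shell
#!/bin/sh
# Added example: report how a hosts file maps the Antbleed check-in host.
# HOST comes from the article; the helper names below are hypothetical.
HOST="auth.minerlink.com"

# hosts_entry FILE: print the address of the first line in FILE that maps
# $HOST, or nothing if no line does. Comments and blank lines are skipped,
# names are compared case-insensitively, and aliases on a line are checked.
hosts_entry() {
    [ -r "$1" ] || return 0
    awk -v host="$HOST" '
        {
            sub(/#.*/, "")              # drop comments (whole-line or trailing)
            if (NF < 2) next            # need an address plus at least one name
            for (i = 2; i <= NF; i++)
                if (tolower($i) == host) { print $1; exit }
        }' "$1"
}

# antbleed_status FILE: classify the mapping found by hosts_entry.
#   blocked          host pinned to loopback (the mitigation in the article)
#   redirected ADDR  host pinned to another address, e.g. a test server
#   unpinned         no entry, so the name is resolved through DNS
antbleed_status() {
    addr=$(hosts_entry "$1")
    case "$addr" in
        "")         echo "unpinned" ;;
        127.*|::1)  echo "blocked" ;;
        *)          echo "redirected $addr" ;;
    esac
}

# Audit the file given as the first argument, defaulting to /etc/hosts.
antbleed_status "${1:-/etc/hosts}"
```

A "redirected" result left over after testing means the device is still checking in with a server other than Bitmain's, so the test entry should be replaced with the loopback entry.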

Needless to say, miners all over the world were indignant after this information was published. In effect, the backdoor allows Bitmain to track and disable their devices, and is analogous to a fairly strict form of DRM. Worse, any attacker who can carry out a man-in-the-middle or DNS attack can also activate the backdoor, because Antbleed provides no authentication mechanism.

As a result, Bitmain was forced to justify itself and urgently issue an official explanation. Yesterday, April 27, 2017, Bitmain representatives published a detailed blog post explaining that Antbleed is not a backdoor and that the company is not trying to control users' devices. According to the company, the feature was added to the code so that device owners themselves could control their equipment remotely and have a way to disable a miner if it is stolen or hacked. Almost all modern smartphones now have a similar function. Antbleed also makes it possible to provide more data to law enforcement agencies if that is suddenly needed.

The developers admit that Antbleed was never finished: development of the feature began with the release of the Antminer S7 and should have been completed by the release of the Antminer S9. However, due to some "technical problems," the plan was not carried out, and the test server was even shut down in December 2016. The fact that the "backdoor" is still present in device firmware is a bug and someone's oversight. The company reports that the problem affects the following models:


  • Antminer S9 
  • Antminer R4 
  • Antminer T9 
  • Antminer L3 
  • Antminer L3+

Bitmain's specialists apologized to users and published new firmware on their site for all of these devices, in which the "backdoor" no longer exists.