Could a hacker replace Bitcoin QT in some Linux repository and steal Bitcoins?

3

Bitcoin QT, being a Linux application, is updated regularly when the application in the repository is being updated (for example, apt-get upgrade on Debian).

Theoretically, if a hacker could get into some Linux repository, he could replace the application with a malicious one that steals both the private key and the wallet file and sends them to a remote server (effectively stealing all the Bitcoins from most of the users). If possible, even through social engineering, the incentive for such a hack is enormous.

How likely/unlikely is that to happen?

Elad

Posted 2013-12-01T09:56:46.293

Reputation: 133

Answers

2

Software distributors typically have authentication mechanisms to prevent an attacker from inserting malicious versions of their software.

In the case of Debian and its derivatives, there are two steps.

  • The binaries and data for bitcoin-qt are distributed as a .deb file. A cryptographic hash (currently md5, sha1 and sha256) of this file is contained in the Packages list that apt-get uses to determine which packages are available. If an attacker modifies the .deb file, say by breaking into one of the Debian mirror servers, the hash will not match and apt-get will refuse to install the package.

  • The Packages file is also distributed by the same servers, so an attacker could modify it so that the hash listed there matches the malicious .deb. However, the Packages file is accompanied by a signature produced with Debian's master private key, so this signature would not match and apt-get would refuse to proceed.

Thus in order to pull this off, the attacker would not only have to get access to a Debian mirror server, but also to the Debian master signing key, which should be well protected.

Nate Eldredge

Posted 2013-12-01T09:56:46.293

Reputation: 21 420

What if the bitcoin-qt package manager is the attacker? - unor 2013-12-04T17:52:52.087

@unor: Then you're in trouble. Part of using a distribution is trusting the people who distribute it. - Nate Eldredge 2013-12-04T18:15:17.723
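The two checks described in Nate Eldredge's answer, as an added example that is not part of the original answer and is not apt's code: a client accepts a package only if the Packages index carries a valid signature and the .deb matches the hash listed in it. Toy textbook RSA stands in for Debian's OpenPGP signature so the example runs on the standard library alone; the helper names and the package contents are constructed for illustration.

```python
import hashlib

# Toy textbook RSA (two Mersenne primes, no padding) stands in for the archive's
# OpenPGP key so this runs on the standard library alone. Not secure.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q                                  # public: shipped to every client
D = pow(E, -1, (P - 1) * (Q - 1))          # private: held only by the archive

def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data: bytes) -> int:              # archive side, needs D
    return pow(digest_int(data), D, N)

def signature_ok(data: bytes, sig: int) -> bool:   # client side, public key only
    return pow(sig, E, N) == digest_int(data)

def listed_sha256(packages: bytes, name: str):
    """Return the SHA256 field of the stanza for `name` in a Packages index."""
    for stanza in packages.decode().strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines()
                      if ": " in l and not l.startswith(" "))
        if fields.get("Package") == name:
            return fields.get("SHA256")
    return None

def check_install(deb: bytes, packages: bytes, sig: int, name: str) -> str:
    """Trust the index only if its signature verifies, then trust the .deb
    only if it matches the hash the index lists."""
    if not signature_ok(packages, sig):
        return "reject: Packages signature invalid"
    if listed_sha256(packages, name) != hashlib.sha256(deb).hexdigest():
        return "reject: .deb hash mismatch"
    return "install"

def make_index(deb: bytes, name: str) -> bytes:
    return (f"Package: {name}\nVersion: 0.0-constructed\n"
            f"SHA256: {hashlib.sha256(deb).hexdigest()}\n").encode()

# Constructed sample data: byte strings standing in for real .deb files.
GOOD_DEB = b"constructed bitcoin-qt package contents"
EVIL_DEB = b"constructed tampered package contents"
PACKAGES = make_index(GOOD_DEB, "bitcoin-qt")
SIG = sign(PACKAGES)                       # made once, by the key holder

if __name__ == "__main__":
    print(check_install(GOOD_DEB, PACKAGES, SIG, "bitcoin-qt"))  # untouched mirror
    print(check_install(EVIL_DEB, PACKAGES, SIG, "bitcoin-qt"))  # .deb replaced
    forged = make_index(EVIL_DEB, "bitcoin-qt")                  # index rewritten too
    print(check_install(EVIL_DEB, forged, SIG, "bitcoin-qt"))
```

The third case is the one the answer turns on: rewriting the index makes the hash check pass, but the existing signature no longer covers the new index and a fresh one cannot be produced without the private key.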

3

You know you don't have to trust the repo. The developers of Bitcoin-QT actually recommend using their binaries rather than the distro's. So you can just keep up to date with those. Official binaries are signed with a Bitcoin-QT developer's PGP keys.

Abdussamad

Posted 2013-12-01T09:56:46.293

Reputation: 1 850

0

You need ONLY the private key to steal the money - you don't need the wallet.dat file.

Yes, it's possible to do, BUT it's easier and most profitable to break into any exchange or pool site and steal a lot more in one go.

user9148

Posted 2013-12-01T09:56:46.293

Reputation: 29

When Bitcoins are in an exchange people usually understand that there is a certain risk. However, I believe that most people assume that their Bitcoins are safe when stored on their local machine. - Elad 2013-12-01T12:02:00.040