Author: Kim Zetter
Two years ago when “Michael”, an owner of cryptocurrency, contacted Joe Grand to help recover access to about $2 million worth of bitcoin he stored in encrypted format on his computer, Grand turned him down.
Michael, who is based in Europe and asked to remain anonymous, stored the cryptocurrency in a password-protected software wallet. He generated the password with the RoboForm password manager and kept it in a file encrypted with a tool called TrueCrypt. At some point that file became corrupted, and Michael lost access to the 20-character password securing his 43.6 BTC (worth a total of about €4,000, or $5,300, in 2013). He had deliberately not saved the password in RoboForm itself, worried that someone would hack his computer and steal it.
“At [that] time, I was really paranoid with my security,” he laughs.
Grand is a renowned hardware hacker who, in 2022, helped another cryptowallet owner recover $2 million worth of cryptocurrency after he forgot the PIN to his Trezor wallet. Grand, aka “Kingpin,” has received numerous requests for help since then and has turned most of them down.
Grand is an electrical engineer who began hacking computing hardware at age 10 and, in 2008, cohosted the Discovery Channel show Prototype This. He now consults with companies that build complex digital systems to help them understand how hardware hackers like him might subvert them. In 2022 he cracked the Trezor wallet with complex hardware techniques that forced the USB-style device to reveal its PIN.
Michael, by contrast, had stored his cryptocurrency in a software wallet, so Grand’s hardware skills were of no use. Grand considered brute-forcing the password, writing a script that would try millions of candidates until one worked, but concluded it was not feasible: a 20-character password drawn from upper- and lower-case letters and digits alone has 62^20, roughly 7 × 10^35, possible values. He briefly wondered whether RoboForm might have a flaw in how it generated passwords that would make them easier to guess, but doubted that such a flaw existed.
Michael had sought help from several cryptography specialists, all of whom told him there was “no chance” of recovering the funds. In June, he approached Grand again, hoping to persuade him to take the job, and this time Grand agreed, teaming up with a friend in Germany named Bruno who also hacks digital wallets.
Grand and Bruno spent months reverse engineering the version of RoboForm they believed Michael had used in 2013 and found a significant flaw in the pseudo-random number generator used to create passwords: the generator was seeded from the computer’s date and time, so its ostensibly random character choices were entirely determined by the clock. Anyone who knew the date and time at which a password was generated, along with the other generation parameters, could therefore recompute any password the program had produced at that moment in the past.
If Michael could recall the period in 2013 when he generated the password and the parameters he used (number of characters, and whether upper- and lower-case letters, numbers and special characters were included), the number of candidate passwords would shrink to a searchable size. Grand and Bruno could then hook the RoboForm function that reads the computer’s date and time and feed it a fake clock, so that the program believed the current date was a day in 2013 and reproduced exactly the passwords it would have generated on those dates.
They did, however, encounter an issue: Michael was unable to recall the exact period in which he created the password.
Logs from the software wallet showed that Michael first moved bitcoin into it on April 14, 2013, but he was not sure whether he had generated the password that same day or some time before or after. Using that as a guide, Grand and Bruno configured RoboForm to generate 20-character passwords made up of upper- and lower-case letters, numbers and eight special characters, for every moment between March 1 and April 20, 2013.
None of them was the right password, so Grand and Bruno extended the window from April 20 to June 1, 2013, using the same parameters. Still nothing.
Michael says they kept coming back to him, asking if he was sure about the parameters he’d used. He stuck to his first answer.
“They really annoyed me, because who knows what I did 10 years ago,” he recalls. He found other passwords he had generated with RoboForm in 2013, and two of them did not use special characters, so Grand and Bruno adjusted. Last November, they reached out to Michael to set up a meeting in person. “I thought, ‘Oh my God, they will ask me again for the settings.’”
Instead, they revealed that they had finally found the correct password—no special characters. It was generated on May 15, 2013, at 4:10:40 pm GMT.
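The search described above, reduced to a runnable model: the generator is seeded only by the wall-clock second, and the recovery replays it for every second in a date window and every parameter guess until the wallet's check accepts a candidate. This is an added illustration, not RoboForm's actual generator and not Grand and Bruno's tooling. Seeding Python's `random.Random` with the Unix timestamp is an assumption standing in for whatever RoboForm did with the clock; passing the timestamp as the seed stands in for hooking the binary's time function; a SHA-256 comparison stands in for the wallet's slow decryption check; the special-character set, the time window and the "lost" password are all constructed. The generation time used for the constructed scenario is the one reported in the article.

```python
"""Model of a clock-seeded password generator and the time-window search
used to recover a password from it. Added illustration only: this is NOT
RoboForm's code and makes assumptions about seeding that the article does
not spell out."""
import hashlib
import random
from datetime import datetime, timezone

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = UPPER.lower()
DIGITS = "0123456789"


def charset(upper=True, lower=True, digits=True, special=""):
    """Build the alphabet from the same knobs a user sets in the generator UI."""
    cs = ((UPPER if upper else "") + (LOWER if lower else "")
          + (DIGITS if digits else "") + special)
    if not cs:
        raise ValueError("empty character set")
    return cs


def generate(seed_time, length=20, **params):
    """Hypothetical generator: the ONLY entropy is the wall-clock second.
    Anyone who knows the time and the parameters gets the same output."""
    rng = random.Random(seed_time)  # assumption: seeded purely by the clock
    cs = charset(**params)
    return "".join(rng.choice(cs) for _ in range(length))


def make_verifier(password):
    """Stand-in for the wallet's 'does this password decrypt?' check.
    Here a SHA-256 comparison; a real key-derivation check is much slower."""
    digest = hashlib.sha256(password.encode()).digest()
    return lambda cand: hashlib.sha256(cand.encode()).digest() == digest


def recover(verify, start, end, length, param_sets):
    """Replay the generator for every second in [start, end) and every
    parameter guess, in the order given. Returns (password, time, attempts)."""
    t0, t1 = int(start.timestamp()), int(end.timestamp())
    attempts = 0
    for params in param_sets:
        for t in range(t0, t1):
            attempts += 1
            cand = generate(t, length, **params)
            if verify(cand):
                return cand, datetime.fromtimestamp(t, timezone.utc), attempts
    return None, None, attempts


def search_size(start, end, n_param_sets):
    """Generator replays a window costs: why the date range and the
    parameter guesses both had to be right."""
    return (int(end.timestamp()) - int(start.timestamp())) * n_param_sets


def demo():
    # Constructed scenario: password generated at the time the article reports,
    # with upper/lower/digits and no special characters.
    true_time = datetime(2013, 5, 15, 16, 10, 40, tzinfo=timezone.utc)
    lost = generate(int(true_time.timestamp()), 20, special="")
    verify = make_verifier(lost)  # only the verifier survives, not the password

    # Guesses in the order the recovery team tried them: special characters first.
    guesses = [dict(special="!@#$%^&*"), dict(special="")]
    window = (datetime(2013, 5, 15, 14, tzinfo=timezone.utc),
              datetime(2013, 5, 15, 18, tzinfo=timezone.utc))
    found, when, attempts = recover(verify, *window, 20, guesses)
    return lost, found, when, attempts


if __name__ == "__main__":
    lost, found, when, attempts = demo()
    print(f"recovered={found == lost} at {when} after {attempts} attempts")
    full = (datetime(2013, 3, 1, tzinfo=timezone.utc),
            datetime(2013, 6, 1, tzinfo=timezone.utc))
    print(f"March 1 to June 1, 4 parameter guesses: {search_size(*full, 4):,} replays")
```

The four-hour window in `demo()` is deliberately small so the script finishes in about a second; the three-month window Grand and Bruno ended up covering costs roughly eight million replays per parameter guess, and each replay against a real wallet pays the full key-derivation cost rather than one SHA-256. A wrong window or a wrong parameter set is never detected as wrong, it simply never terminates with a hit, which is what Grand means by taking shots in the dark.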
“We ultimately got lucky that our parameters and time range was right. If either of those were wrong, we would have … continued to take guesses/shots in the dark,” Grand says in an email to WIRED. “It would have taken significantly longer to precompute all the possible passwords.”
Grand and Bruno created a video to explain the technical details more thoroughly.
RoboForm, made by US-based Siber Systems, was one of the first password managers on the market and today has more than 6 million users worldwide, according to a company report. Siber appears to have fixed the generator in 2015: on a cursory look at the 2015 version, Grand and Bruno found no sign that its pseudo-random number generator used the computer’s time, which suggests the clock seed was removed, though Grand says they would need to examine it more closely to be sure.
Siber Systems confirmed to WIRED that it did fix the issue with version 7.9.14 of RoboForm, released June 10, 2015, but a spokesperson wouldn’t answer questions about how it did so. In a changelog on the company’s website, it mentions only that Siber programmers made changes to “increase randomness of generated passwords,” but it doesn’t say how they did this. Siber spokesman Simon Davis says that “RoboForm 7 was discontinued in 2017.”
Grand says that, without knowing how Siber fixed the problem, attackers may still be able to regenerate passwords created by RoboForm versions released before the 2015 fix, and that he cannot be sure the issue is absent from the latest versions.
Grand suggests, “Even with the updates, I am unsure if I would trust it without knowing how they actually reinforced the password generation in the newer versions. I am doubtful whether RoboForm comprehended the severity of this specific flaw.”
Customers may also still be using passwords the software generated before the fix. Siber does not appear to have notified customers when it released the corrected version 7.9.14 in 2015, or urged them to generate new passwords for critical accounts or data. The company did not respond to questions about this.
If Siber did not inform its customers, then any user who generated passwords with RoboForm before 2015 and still uses them may be relying on passwords an attacker can regenerate. The attacker still needs the approximate generation time and the generator settings, but searching those is a far smaller task than guessing a 20-character password outright.
“We know that most people don’t change passwords unless they’re prompted to do so,” Grand says. “Out of 935 passwords in my password manager (not RoboForm), 220 of them are from 2015 and earlier, and most of them are [for] sites I still use.”
Depending on what the company did to fix the issue in 2015, newer passwords may also be vulnerable.
Last November, Grand and Bruno took a percentage of the bitcoin as their fee, then gave Michael the password to access the rest. Bitcoin was worth $38,000 per coin at the time; Michael waited until it rose to $62,000 and sold some. He now holds 30 BTC, worth $3 million, and is waiting for the price to reach $100,000 per coin.
Michael says he was lucky that he lost the password years ago because, otherwise, he would have sold off the bitcoin when it was worth $40,000 a coin and missed out on a greater fortune.
“That I lost the password was financially a good thing.”