Ten minutes. That’s how much time it took for the Defcon researchers Stits and Datagram to break the system of a Casascius Bitcoin for the first time. However, at the conference, the experts said that with a little practice they could recover the private key of a Casascius unit in just one or two minutes.
For the people that still don’t know what the Casascius are, these physical Bitcoins have a little card embedded inside, which contains a digital currency wallet linked to an account with the same value as the one engraved in the coin. The devices are protected by a layer of holograms and an 8-digit code and it was supposed to be very difficult to tamper with one of these, but this year’s Defcon conference showed the contrary.
Want to know how Stits and Datagram did it? Take a look.
First, they used a hypodermic needle to inject tiny amounts of a “non-polar solvent” (the name the researchers gave to the substance used without disclosing its real name) between the holographic security sticker and the coin itself.
After the solvent almost dissolved the adhesive, they peeled back the holographic foil and gained easy access to the private key beneath it.
Then, they quickly replaced the sticker and a new adhesive was placed. In the end, the “new” coin only had an almost invisible mark where the needle was initially inserted.
After the demonstration, the researchers suggested some safety improvements that could benefit the Casascius coins: multiple layers of holo foil, scored stickers or even melting the edges of the plastic and brass together were some of the advices Stits and Datagram gave to the Casascius’ team.
Next challenge for the researchers? Try the same in the more expensive coins.