Gemini CSO Cem Paya recently highlighted certain vulnerabilities in SafeNet’s Hardware Security Modules (HSMs) that can put users’ Bitcoin private keys at risk.
The revelation comes at a time when Bitcoin security has become one of the top concerns of leading digital currency companies. According to the available information, a large number of these Bitcoin companies use HSM-based models, manufactured by SafeNet, to create and destroy private keys without actually revealing them to the attached trusted clients. This means that, on paper, a private key inside an HSM can never be extracted. Mr. Paya, however, doesn’t agree.
In a company blog post published last week, the Gemini CSO speaks of a design flaw in SafeNet’s software that can disclose both public and private keys. He particularly addresses Bitcoin users who are using SafeNet’s three HSMs, saying that their funds would always be at risk because their keys would be vulnerable to this software bug.
“Bitcoin is the one payment technology where possession of money can be boiled down to pure cryptographic capability: generating a signature with an ECDSA private key is money,” Paya added. “If you lose control of that private key, you lose the ability to spend your funds, plain and simple.”
Although SafeNet released a fix for the bug last week, it did not shy away from calling the vulnerability ‘high’. In a conversation with CoinDesk, a representative of the company called it a rare vulnerability that could still have been taken care of with the company’s several “usage and control policies.”
Paya, meanwhile, has announced a follow-up post in which he will discuss all the technical details.