Ethereum wallet getting hacked

Incident


Summary

The hack that occurred on 12/05/2016 to steal 7,218 ethers from Patrick only affects miners where:

  • Incoming RPC connections from the Internet on TCP port 8545 are forwarded to the machine running the Ethereum node software geth;
  • geth is running with the parameters --rpc enabled; and
  • The Ethereum Wallet (Mist) is used on the same machine as geth to send a transaction, which requires the geth account to be unlocked for a 2 second period.

The hacker sent a continuous stream (every 2 seconds) of sendTransaction(...) requests to Patrick's IP address on port 8545, and these requests were forwarded to the geth instance. When Patrick used the Ethereum Wallet to send a transaction, the Ethereum Wallet unlocked Patrick's account for 2 seconds and the hacker's transaction succeeded in moving Patrick's ethers to the hacker's account.
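As an added example (not part of the original post or of any of the node projects named here), the following Python detection logic runs over a constructed sample of JSON-RPC request records, as a reverse proxy or capture in front of port 8545 might log them, and flags the pattern described above: spending calls arriving from a non-loopback address, retried every few seconds. The method names are the standard Ethereum JSON-RPC ones; the sample records, addresses and thresholds are assumptions.

```python
import json
import ipaddress
from collections import defaultdict

# Constructed sample of logged JSON-RPC requests: (unix timestamp, source IP, body).
# The addresses, hashes and values are made up for illustration.
SAMPLE_REQUESTS = [
    (1462000000.0, "127.0.0.1",   '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'),
    (1462000000.5, "203.0.113.7", '{"jsonrpc":"2.0","method":"eth_sendTransaction","params":[{"from":"0xaaaa","to":"0xbbbb","value":"0x1"}],"id":2}'),
    (1462000002.5, "203.0.113.7", '{"jsonrpc":"2.0","method":"eth_sendTransaction","params":[{"from":"0xaaaa","to":"0xbbbb","value":"0x1"}],"id":3}'),
    (1462000004.5, "203.0.113.7", '{"jsonrpc":"2.0","method":"eth_sendTransaction","params":[{"from":"0xaaaa","to":"0xbbbb","value":"0x1"}],"id":4}'),
    (1462000005.0, "127.0.0.1",   '{"jsonrpc":"2.0","method":"eth_sendTransaction","params":[{"from":"0xaaaa","to":"0xcccc","value":"0x1"}],"id":5}'),
    (1462000006.0, "203.0.113.7", 'not json at all'),
]

# Methods that spend funds or unlock an account; any call from outside the host is a red flag.
SENSITIVE_METHODS = {"eth_sendTransaction", "personal_unlockAccount", "personal_sendTransaction"}

def is_remote(ip):
    """True unless the source address is a loopback address."""
    return not ipaddress.ip_address(ip).is_loopback

def find_remote_sensitive_calls(requests):
    """Return (ts, ip, method) for every sensitive call from a non-loopback source.
    Malformed bodies are skipped rather than crashing the scan."""
    hits = []
    for ts, ip, body in requests:
        try:
            msg = json.loads(body)
        except ValueError:
            continue
        method = msg.get("method") if isinstance(msg, dict) else None
        if method in SENSITIVE_METHODS and is_remote(ip):
            hits.append((ts, ip, method))
    return hits

def hammering_sources(hits, max_interval=3.0, min_count=3):
    """Map source IP -> longest run of sensitive calls spaced at most max_interval
    seconds apart, for sources whose run reaches min_count (the 'every 2 seconds' pattern)."""
    by_ip = defaultdict(list)
    for ts, ip, _ in hits:
        by_ip[ip].append(ts)
    result = {}
    for ip, stamps in sorted(by_ip.items()):
        stamps.sort()
        run = longest = 1
        for earlier, later in zip(stamps, stamps[1:]):
            run = run + 1 if later - earlier <= max_interval else 1
            longest = max(longest, run)
        if longest >= min_count:
            result[ip] = longest
    return result

if __name__ == "__main__":
    hits = find_remote_sensitive_calls(SAMPLE_REQUESTS)
    print("remote sensitive calls:", hits)
    print("hammering sources:", hammering_sources(hits))
```

Even a single remote hit is worth an alert; the run counter only distinguishes a one-off probe from the persistent retry loop that eventually catches the unlock window.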

For more details, see the original Stackexchange post.

Advice

This advice covers only a subset of possible attack vectors. For more, see the original Stackexchange post.

1. Never turn on RPC on hot wallets. Even with IP and CORS limited to localhost. Just don't.

geth # rpc is disabled by default
eth # rpc is disabled by default
parity # rpc is disabled by default

2. Never turn on IPC on a machine whose security you do not fully control. Or use parity.

geth --ipcdisable # ipc is enabled by default, turn it off
eth --no-ipc # ipc is enabled by default, turn it off
parity # parity has no ipc (yet)

3. Don't use accounts to store huge amounts of ether. Use multisignature contracts.
4. Don't use online computers to store huge amounts of ether. Use air-gapped machines or paper wallets.