The Antbleed Backdoor

Antbleed is a backdoor introduced by Bitmain into the firmware of their bitcoin mining hardware Antminer.

The firmware checks-in with a central service randomly every 1 to 11 minutes. Each check-in transmits the Antminer serial number, MAC address and IP address. Bitmain can use this check-in data to cross check against customer sales and delivery records making it personally identifiable. The remote service can then return "false" which will stop the miner from mining.

The patch was introduced here (pastebin) and can be seen in the source: here (github)

How bad is it?


At worst, this firmware backdoor allows Bitmain to shut off a large section of the global hashrate (estimated to be at up to 70% of all mining equipment). It can also be used to directly target specific machines or customers. Standard inbound firewall rules will not protect against this because the Antminer makes outbound connections.

Even without Bitmain being malicious, the API is unauthenticated and would allow any MITM, DNS or domain hijack to shutdown Antminers globally. Additionally the domain in question DNS is hosted by Cloudflare making it trivially subjected to government orders and state control.

Am I Vulnerable?


All recent S9 hardware is affected, except possibly very early generation S9s. Additionally, L3, T9 and R4 series hardware are likely to be affected as well. The commit date for the backdoor kill switch is July 11th, 2016, if your firmware claims to be after this date that is a good indication that your Bitmain hardware is affected.

You can check if your Antminer is vulnerable to this attack by SSHing to the Antminer, and changing the /etc/hosts file on the device to include:

139.59.36.141 auth.minerlink.com

This will cause the Antminer to connect to our test server, which is running this code, instead of the default Bitmain servers. If your miner is vulnerable it will cease mining within 11 minutes, or you can reboot your miner and the connection will be made on startup.

How Can I Protect Myself?


The easiest way to make sure your Antminer is not vulnerable to this backdoor is to add the following to your /etc/hosts on the device to

127.0.0.1 auth.minerlink.com

This will cause the Antminer to connect to your own local machine bypassing the check-in with Bitmain without interrupting normal mining behavior.

Is This Just A User Feature?


No. The domain and port are hard coded in the source files, theres no way to change them without recompling and loading new firmware. There is no way a user could make use of it in any realistic way.