Two years ago, when “Michael,” a cryptocurrency holder, contacted Joe Grand for help in recovering about $2 million worth of Bitcoin stored in encrypted format on his computer, Grand turned him down.
Michael, located in Europe, requested anonymity. He stored his cryptocurrency in a password-protected software wallet. He used the RoboForm password manager to generate the wallet password, but, worried that someone might hack into his computer and obtain it, he did not store it in the manager; instead he kept it in a file encrypted with TrueCrypt. At some point, that file became corrupted, and Michael lost access to the 20-character password protecting his 43.6 BTC (valued at $5,300 in 2013).
“At the time, I was really paranoid about my security,” he said with a laugh.
Grand, a renowned hardware hacker, had previously helped another cryptocurrency wallet holder recover access to $2 million worth of cryptocurrency that he thought was lost forever because he forgot the PIN for his Trezor wallet in 2022. Since then, dozens of people have contacted Grand, also known as the hacker alias “Kingpin,” hoping that he would help them recover their wealth. However, for various reasons, Grand turned down most requests.
Grand is an electrical engineer who has been cracking computer hardware since he was 10 years old and co-hosted the Discovery Channel’s “Prototype This” program in 2008. He now consults for companies building complex digital systems, helping them understand how hardware hackers like himself could potentially compromise their systems. In 2022, he used sophisticated hardware techniques to crack the Trezor wallet, forcing the USB-style wallet to reveal its password.
But since Michael stored his cryptocurrency in a software-based wallet, Grand’s hardware skills were of no use this time. He considered brute-forcing Michael’s password—writing a script to automatically guess hundreds of millions of possible passwords to find the correct one—but judged it impractical. He briefly wondered whether there might be a flaw in the way the RoboForm password manager generated passwords that could make the password easier to guess, but Grand was unsure whether such a vulnerability existed.
Michael contacted several experts in cryptanalysis, who all told him there was “no chance” of recovering his funds. But last June, he contacted Grand again, hoping to convince him to help, and this time, Grand agreed to try. He collaborated with his friend Bruno in Germany, who also specializes in cracking digital wallets.
Grand and Bruno spent months reverse-engineering the RoboForm program version they believed Michael used in 2013. They discovered a significant flaw in the pseudo-random number generator used to generate passwords: its output was far less random than it should have been. RoboForm foolishly tied the generated random password to the date and time on the user’s computer—it read the computer’s date and time and used them to seed the generator, so the resulting password was predictable. If you knew the date, time, and other parameters, you could recompute any password generated at a past date and time.
If Michael knew the date or approximate time range when he generated the password in 2013 and the parameters he used to generate the password (such as the number of characters in the password, including uppercase and lowercase letters, numbers, and special characters), it would narrow down the possible password guesses to a manageable number. Then they could trick RoboForm into checking the computer’s date and time to make it believe the current date was a day in 2013 when Michael generated the password. RoboForm would spit out the same password generated in those days in 2013.
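To make the flaw described above concrete, here is an added illustration that is not RoboForm’s code and not from Grand or Bruno. It uses a hypothetical generator built on Python’s `random.Random`, seeded only with a whole-second Unix timestamp, to show two things: the same clock value always reproduces the same password, and the real entropy of such a password is bounded by the number of seconds in the window when it could have been generated, not by its length or character set. The contrasting `csprng_password` function draws from the operating system’s CSPRNG via `secrets`, which is the fix a defender wants. The date window used in the entropy calculation is the March 1 to April 20, 2013 range the article mentions; the special-character set and the demo timestamp are constructed values.

```python
"""Toy demonstration: why seeding a password generator with the wall clock
collapses its entropy. This is an added, hypothetical example, NOT RoboForm's
actual algorithm; it exists to make the article's point measurable."""
import math
import random
import secrets
import string
from datetime import datetime, timezone


def charset(upper: bool = True, lower: bool = True, digits: bool = True,
            special: bool = True) -> str:
    """Build the alphabet from the same kinds of parameters the article lists."""
    chars = ""
    if upper:
        chars += string.ascii_uppercase
    if lower:
        chars += string.ascii_lowercase
    if digits:
        chars += string.digits
    if special:
        chars += "!@#$%^&*"  # constructed set of eight specials (assumption)
    return chars


def time_seeded_password(ts: int, length: int, alphabet: str) -> str:
    """WEAK: the only entropy source is a whole-second Unix timestamp.
    Anyone who knows, or can bound, the generation time can replay this call
    and obtain the identical password."""
    rng = random.Random(ts)  # Mersenne Twister seeded with the clock
    return "".join(rng.choice(alphabet) for _ in range(length))


def csprng_password(length: int, alphabet: str) -> str:
    """FIX: draw every character from the OS CSPRNG; output is independent of
    the clock and of any other value an observer could guess."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def seconds_in_window(start: datetime, end: datetime) -> int:
    """Number of distinct one-second seeds a generation window contains."""
    return int((end - start).total_seconds())


def effective_entropy_bits(start: datetime, end: datetime) -> float:
    """A time-seeded password carries at most log2(number of possible seeds)
    bits, however long the password is."""
    return math.log2(seconds_in_window(start, end))


def nominal_entropy_bits(length: int, alphabet: str) -> float:
    """What the same password appears to provide if it were truly random."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    alpha = charset(special=False)
    demo_ts = 1_000_000_000  # constructed timestamp (2001-09-09 UTC)

    first = time_seeded_password(demo_ts, 20, alpha)
    second = time_seeded_password(demo_ts, 20, alpha)
    print("time-seeded, same clock value twice:", first, second, first == second)

    print("CSPRNG password:", csprng_password(20, alpha))

    start = datetime(2013, 3, 1, tzinfo=timezone.utc)
    end = datetime(2013, 4, 20, tzinfo=timezone.utc)
    print("seeds in window:", seconds_in_window(start, end))
    print("effective entropy (bits): %.1f" % effective_entropy_bits(start, end))
    print("nominal entropy (bits): %.1f" % nominal_entropy_bits(20, alpha))
```

The numbers are the point: a 20-character mixed-case alphanumeric password looks like roughly 119 bits of entropy, but if its generator was seeded from a clock and the generation time is known to within about fifty days, only about 22 bits remain, which is why a bounded date range turns an intractable search into a manageable one. Any password manager or key-generation routine that uses time, process IDs or similar guessable values as its sole seed has the same problem, and the remedy is the same: seed from the OS CSPRNG.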
There was one problem: Michael couldn’t remember the exact time he created the password.
According to the log records of his software wallet, Michael first transferred Bitcoin into his wallet on April 14, 2013. But he didn’t remember if he generated the password on the same day or at some time before or after. Therefore, after examining the parameters for other passwords Michael generated using RoboForm, Grand and Bruno configured RoboForm to generate a 20-character password containing uppercase and lowercase letters, numbers, and eight special characters, with a time range from March 1 to April 20, 2013. But they still didn’t generate the correct password. So Grand and Bruno extended the time range to April 20 to June 1, 2013, using the same parameters. Still no success.
Michael said they kept coming back to ask if he was sure about the parameters he used. He stuck to his answer.
“They really pissed me off because who knows what I did 10 years ago,” he recalled. He found other passwords he generated with RoboForm in 2013, two of which did not use special characters, so Grand and Bruno made adjustments. In November last year, they contacted Michael and arranged a face-to-face meeting. “I thought, ‘Oh God, they’re going to ask me about setting the parameters again.'”
Instead, they told him they had finally found the correct password—without special characters. The password was generated on May 15, 2013, at 4:10:40 p.m. Greenwich Mean Time.
“In the end, we were lucky to choose the right parameters and time range. If any of them were wrong, we would have… continued to guess blindly,” Grand said in an email to WIRED. “Precomputing all possible passwords would have taken significantly longer.”
Grand and Bruno made a video explaining the technical details.
RoboForm was developed by Siber Systems in the United States and is one of the earliest password managers on the market, with over 6 million users worldwide. According to the company’s report, Siber seems to have fixed the RoboForm password manager in 2015. After a brief review, Grand and Bruno did not find evidence that the 2015 version of RoboForm used the computer’s time in the pseudo-random number generator, leading them to believe that Siber removed this feature to fix the vulnerability. However, Grand stated that a more in-depth examination is needed to confirm this.
Siber Systems confirmed to WIRED that they did indeed fix this issue in RoboForm version 7.9.14 released on June 10, 2015, but the spokesperson did not answer questions about the fix. The changelog on the company’s website only mentions that Siber programmers made changes to “increase the randomness of generated passwords” but did not specify how. Siber spokesperson Simon Davis stated, “RoboForm 7 was discontinued in 2017.”
Grand said that without knowing how Siber fixed the issue, attackers may still be able to regenerate passwords produced by versions of RoboForm released before the 2015 fix. He is also unsure whether the current version still contains this issue.
“Without knowing how they actually improved password generation in recent versions, I’m still not sure if it’s trustworthy,” he said. “I’m not sure if RoboForm knows how severe this particular vulnerability is.”
Customers may still be using passwords generated by versions from before the fix. Siber apparently did not notify customers that they should generate new passwords for important accounts or data when it released the fixed version 7.9.14 in 2015. The company did not respond to questions about this.
If Siber did not notify customers, people like Michael who generated passwords with RoboForm before 2015 and are still using those passwords could be at risk of having those passwords easily regenerated by attackers.
“We know most people won’t change passwords without being prompted,” Grand said. “I have 935 passwords in my password manager (not RoboForm), of which 220 were generated in 2015 or earlier, and most of them are for websites I still use.”
Depending on how the company fixed the issue in 2015, even newer passwords may be vulnerable.
Last November, Grand and Bruno deducted a certain percentage of Bitcoin from Michael’s account as payment for their work and then handed over the password. At that time, Bitcoin was priced at $38,000 per coin. Michael waited for the price to rise to $62,000 per coin and sold some. He now has 30 BTC, valued at $3 million, and is waiting for the price to rise to $100,000 per coin.
Michael said he was lucky to have forgotten the password years ago because otherwise, he would have sold the Bitcoin at $40,000 per coin and missed out on a greater fortune.
“Forgetting the password turned out to be a good thing economically.”