hackerone | ftramer | H1:713321
Oct 13, 2019 - 9:29 p.m.

Monero: Exploiting Network and Timing Side-Channels to Break Monero Receiver Anonymity

2019-10-13 21:29:56
ftramer
hackerone.com

Summary:

We present various examples of side-channel leakage in the communication between a Monero wallet and P2P node. Communication patterns and timing leak whether the wallet is the payee of a transaction that is sent into the transaction pool or mined in a block—thereby breaking transaction privacy, as well as enabling linking of stealth addresses.
If a user connects their Monero wallet to a remote node, the required leakage in communication patterns and timing is observable by a malicious (yet passive) remote node provider, or by a passive network adversary that monitors the encrypted traffic between a wallet and a trusted node. Even if the wallet and node are both hosted locally and trusted, side-channel leakage can be observed by an active remote attacker with a P2P connection to the node.

Releases Affected:

  • Current release (v0.14.1.0) and previous ones of the main Monero node and wallet implementations

Steps To Reproduce:

The attached report (which we also sent to [email protected] and [email protected] via PGP) explains the different vulnerabilities and how they can be exploited.

Supporting Material/References:

[list any additional material (e.g. screenshots, logs, etc.)]

  • Vulnerability disclose report

Housekeeping

  1. Be sure to read our policy before submitting
  2. Provide an XMR address within the report if you wish to receive bounty (assuming that the report is valid)
    • PoC within a report will most likely result in more bounty than not

XMR address: 45jPGGu9QPYSoNgZPuVpbaMcvrKEJ8TGMd4bPc9VVFKWKqmmfUuzEHDi6sremu2H2idVgySvCmam48RvhKCPRDtBTPj2be3

Impact

A remote attacker (either in control of a public node, or a network adversary monitoring communication to a remote node, or even a remote P2P participant connected to a wallet’s local node) can infer when the wallet is the payee of a transaction added to the mempool or mined in a block.