Lumi Wallet: Insecure or Scam?

Another cryptocurrency wallet boasting next-generation security has been released. The proprietary Lumi Wallet has been identified as either a scam or simply an insecure application. In a blog post, wallet developer Daniel Staudigel examined the security flaws of Lumi Wallet. According to Staudigel:

I know something is off — “truly private” and “web wallet” and “extremely secure” are impossible to have for the same product. If something is a web wallet, it’s definitely not extremely secure (see recent DNS attacks for MyEtherWallet), and it’s highly unlikely to be “truly private” due to technical limitations of the web.

Upon closer examination, we find that Lumi Wallet lets users generate and recover accounts with a twelve-word mnemonic phrase, and that the phrase itself appears in the data the page sends alongside the user's email address. That is not good. There is no assurance that Lumi Wallet secures the phrase in any way; in fact, we have strong reason to believe the phrase is neither encrypted nor hashed. When Staudigel made a dummy account, he was able to inspect the input and output of the page, which took the form of a JSON object (the following has been loosely copied from the image below):

email: foo2u@...
mnemonic: melody theory book...


If we consider the unlikely scenario that the mnemonic is actually hashed before being stored, then anyone who obtains Lumi Wallet's database already has a pool of hashes to attack by brute force. Brute-force attacks on a single hash are, in many cases, not fruitful. But a brute-force attack against a group of targets dramatically increases the probability that any given guess reproduces one of the stored hashes. Consider the following forward-computed mnemonic attack:

If we have one user and the seed is in English, using Electrum's 2048-word list, a twelve-word phrase is an ordered sequence in which words may repeat, so the number of possible phrases we would have to produce is:

$$S = 2048^{12} = 2^{132}$$

(the checksum or version bits that a real seed scheme enforces shave a few bits off this figure, but not enough to matter for the argument). Here the set of all possible phrases plays the role of the sample space, and the number of victims, each holding one phrase, is the number of favourable outcomes. The following is a step by step example of why this occurs, with an explanation:

• With one victim there is exactly one target phrase in the sample space, so the number of favourable outcomes is $$C = 1$$.

• The total of all possible phrases is our sample space (all possible passwords) $${\color{Orange} S }$$ , so $${\color{Orange} S } = 2048^{12}$$.

• The probability that a single guess hits is the number of targets divided by $$S$$, so with one victim it is $$1 / S$$.

The event $$E$$ denotes a guess reproducing a valid phrase during the attack. The probability is given by:

\begin{align*} P(E) &= \frac {C} {S} \\ &= \frac {1} {2048^{12}} = \frac {1} {2^{132}} \end{align*}

If there is more than one victim, the equation changes.

• In the case of, say, 1000 victims holding distinct phrases, the probability that one guess hits some victim becomes:

$$P(E) = \frac {1000} {2048^{12}} = \frac {1000} {2^{132}}$$

which is 1000 times higher than for one victim, so the expected number of guesses before the first hit drops accordingly. The cost of each guess, one hash computed and looked up against the whole pool of stolen hashes, does not change.

This is why attackers profit so enormously from gaining access to databases of hashed or encrypted credentials. Running guesses against a group of victims yields far more hits per unit of work than attacking a single victim, and when the hashes are unsalted a single guess can be checked against every victim at once.
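As an added example (not code from the page, from Lumi Wallet, or from Staudigel), the following Python simulation shows the pooled-attack effect directly. It assumes a toy 16-word list, 3-word phrases and unsalted SHA-256 as the server's hash, all chosen here so that the full sample space of 4096 phrases can be enumerated in milliseconds; the real 2048-word list and 12-word phrases only change S, not the k/S relationship the text derives.

```python
import hashlib
import random
from itertools import product

# Constructed toy parameters (not Lumi's, not Electrum's): a 16-word list and 3-word
# phrases give 16**3 = 4096 possible phrases, so exhaustive search runs in milliseconds.
# The real list has 2048 words and phrases have 12 words (2048**12 possibilities); only
# the per-guess probability matters for the argument, not the absolute size.
WORDS = ["abandon", "ability", "able", "about", "above", "absent", "absorb", "abstract",
         "absurd", "abuse", "access", "accident", "account", "accuse", "achieve", "acid"]
PHRASE_LEN = 3

# Every possible phrase: ordered, words may repeat, so len(WORDS) ** PHRASE_LEN entries.
ALL_PHRASES = [" ".join(p) for p in product(WORDS, repeat=PHRASE_LEN)]


def sample_space():
    """S in the text: the number of possible phrases."""
    return len(WORDS) ** PHRASE_LEN


def per_guess_probability(n_targets):
    """P(E) = k / S for k distinct target phrases: the chance one guess hits any victim."""
    return n_targets / sample_space()


def store_hash(mnemonic):
    """The text's 'unlikely scenario': the server hashes the phrase instead of storing it
    in the clear. Unsalted SHA-256 is an assumption made here; an unsalted hash is exactly
    what lets one guess be checked against every victim at once."""
    return hashlib.sha256(mnemonic.encode("utf-8")).hexdigest()


def build_victim_db(n_victims, seed):
    """Simulate a leaked database: n_victims random phrases, stored hashed.
    Returned as a set, so victims who picked the same phrase collapse into one hash."""
    rng = random.Random(seed)
    return {store_hash(" ".join(rng.choice(WORDS) for _ in range(PHRASE_LEN)))
            for _ in range(n_victims)}


def guesses_until_first_hit(victim_db, seed):
    """Enumerate the whole sample space in a random order and count how many guesses
    (hash computations) it takes before some victim's hash is reproduced."""
    rng = random.Random(seed)
    order = ALL_PHRASES[:]
    rng.shuffle(order)
    for n_guesses, candidate in enumerate(order, start=1):
        if store_hash(candidate) in victim_db:   # one hash, compared against the whole pool
            return n_guesses
    return None  # unreachable: every victim phrase is in ALL_PHRASES


def average_guesses(n_victims, trials):
    """Mean number of guesses to the first hit over `trials` independent leaked databases.
    For k distinct targets in a random enumeration of S phrases this is about (S + 1) / (k + 1)."""
    total = 0
    for t in range(trials):
        db = build_victim_db(n_victims, seed=1000 + t)
        total += guesses_until_first_hit(db, seed=2000 + t)
    return total / trials


if __name__ == "__main__":
    S = sample_space()
    for k in (1, 10, 100):
        print(f"victims={k:4d}  P(hit per guess)={per_guess_probability(k):.5f}  "
              f"avg guesses to first hit={average_guesses(k, trials=50):8.1f}  "
              f"(S/(k+1) = {S / (k + 1):.1f})")
```

Running it prints one line per pool size; the average number of hashes computed before the first victim falls drops from roughly half the sample space with one victim to a few dozen with a hundred, while the work per guess stays one hash. A per-user salt would break the `in victim_db` shortcut and force one hash computation per victim per guess, which is the practical reason unsalted hashes are treated as nearly as bad as plaintext.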

We hope this explanation makes a strong enough case to always use services and applications that are open source and that send the least amount of data to third parties.