Re: Avalon Nano 3 [unofficial thread]
Board: Hardware
Posted by jeyzeus on 09/07/2024, 16:54:07 UTC
Merits: 6 from 4 users (merited by philipma1957 (3), vapourminer (1), NotFuzzyWarm (1), hawer357 (1))
To all the people that acted like it was "just me" here's the official word from Canaan:

We sincerely thank you for your feedback regarding the relevant security issues. Your feedback will help make the Avalon Nano 3 better and better. We apologize for the problem that occurred. Upon seeing your tweet, we immediately gathered our R&D Team to analyze and evaluate the relevant issues.

1. We discovered that the Nano's web backend had an issue where the login username and password were not verified. Malicious trojans in the local network could exploit this vulnerability to submit mining pool configuration information through a POST command to http://<yourIP>/get_home.cgi without logging in, thus stealing hash power. We have started developing the necessary firmware and expect to fix this vulnerability and release the new firmware by July 19.

2. The Nano's design purpose is relatively simple. It runs on a real-time operating system (FreeRTOS), which is not a complex professional network device and is only suitable for secure home intranets. We recommend enabling the router's firewall and not mapping the Nano host to a public IP address to prevent external hackers from directly accessing the Nano. It is also necessary to regularly check for malicious programs in the home network environment. In safe network environments without trojans, such as non-hotel or library public networks, the Nano is secure.

3. In the design of Nano, we respect users' privacy and will never set any backdoor programs. Canaan's products and services are always subject to local and international regulations regarding cybersecurity and data privacy. Canaan remains transparent by disclosing our source codes and encourages industry monitoring of potential vulnerabilities. We are committed to continually improving our products and services.

4. Starting in December, we will gradually open-source the relevant programs and release open-source firmware to ensure that all programs have better security and are compilable.

5. We appreciate every customer's understanding and support. The sales of Nano 3 have far exceeded our expectations, which is due to our customers' high expectations and recognition of us. We are very sorry for the issues that have arisen. Therefore, we will launch a compensation plan together with the release of the new firmware.


tl;dr they're releasing a new firmware for this within 1-2 weeks. After December, they plan on open sourcing the relevant firmware.

There's a vulnerability in the miner that can allow a trojan to override the mining pool info without the proper credentials.
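Since the affected firmware accepts pool-configuration POSTs to /get_home.cgi without checking credentials (point 1 of Canaan's statement), a LAN operator can at least spot such requests from a mirror-port or router capture until the fixed firmware ships. The script below is an added example, not code from the post or from Canaan: the admin-workstation address, the form field names and the captured requests are all constructed assumptions, and the only page-derived value is the endpoint path.

```python
# Added example (not Canaan's code): flag POSTs to the Nano's /get_home.cgi
# from any LAN host other than the operator's own workstation. On the affected
# firmware a cookie or Authorization header proves nothing, so source host is
# the only meaningful signal. Field names and addresses below are assumed.
from typing import Dict, List, Tuple

POOL_ENDPOINT = "/get_home.cgi"          # endpoint named in Canaan's statement
ADMIN_HOSTS = {"192.168.1.10"}           # assumption: operator's workstation

def parse_http_request(raw: bytes) -> Dict[str, object]:
    """Parse one raw HTTP/1.x request captured off the LAN into a small dict."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": target.split("?", 1)[0],
            "headers": headers, "body": body.decode("latin-1")}

def pool_config_alerts(captured: List[Tuple[str, bytes]]) -> List[Dict[str, str]]:
    """Return one alert per POST to the pool-config endpoint from a non-admin host."""
    alerts = []
    for src_ip, raw in captured:
        req = parse_http_request(raw)
        if req["method"] != "POST" or req["path"] != POOL_ENDPOINT:
            continue                      # status-page GETs are normal traffic
        if src_ip in ADMIN_HOSTS:
            continue                      # operator changing their own pool
        alerts.append({"src": src_ip, "body": req["body"],
                       "reason": "pool config POST from non-admin host (no auth on affected firmware)"})
    return alerts

# Constructed sample traffic: a benign status fetch, a pool change from an
# unknown host, and the operator's own pool change (assumed field names).
SAMPLE_CAPTURE = [
    ("192.168.1.23", b"GET /get_home.cgi HTTP/1.1\r\nHost: 192.168.1.50\r\n\r\n"),
    ("192.168.1.77", b"POST /get_home.cgi HTTP/1.1\r\nHost: 192.168.1.50\r\n"
                     b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                     b"pool1=stratum%2Btcp%3A%2F%2Fexample.invalid%3A3333&worker1=rogue"),
    ("192.168.1.10", b"POST /get_home.cgi HTTP/1.1\r\nHost: 192.168.1.50\r\n"
                     b"Cookie: session=abc\r\n\r\n"
                     b"pool1=stratum%2Btcp%3A%2F%2Fexample.invalid%3A3333&worker1=owner"),
]

if __name__ == "__main__":
    for alert in pool_config_alerts(SAMPLE_CAPTURE):
        print(alert)
```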