Blockchain only as strong as its weakest link

The blockchain might be secure, but is all the software interacting with it? In many cases, no. We’ve seen in an increase in cyberattacks due to vulnerabilities in the software side of the blockchain, from wallets to smart contracts to exchanges.

lock, chain, blocks and binary code

Securing the blockchain ecosystem is the most challenging cybersecurity problem right now. The blockchain itself might be secure, but that doesn’t mean that all the pieces that intersect with it – wallets, exchanges, miners, smart contracts – are secure. And many aren’t. According to a recent study by Carbon Black, hackers have stolen $1.1 billion worth of cryptocurrency in the first half of this year. 

Although the threat is primarily restricted to the public blockchain right now, the enterprise space will be next. There’s so much money to be made targeting public blockchain that enterprise blockchain is unexplored territory for hackers right now. Weaknesses in enterprise blockchain will be found due to already successful exploits of the public blockchain.

The security learning curve

New tech means new threats and a new security learning curve. With any new technology, it takes some time for the risks to emerge and then for an understanding of how to address the risks to develop. We went through this same curve with wifi, and are still in it with IoT. We’re currently in the early learning stages when it comes to blockchain security. And we’ll need to learn fast, because it’s an attractive target. There’s a lot of money involved, and a correspondingly large amount of attacker activity emerging.

Part of the reason that it’s such an attractive target is because, in this new landscape, cyberattackers can eliminate a step to get to payday: They don’t have to worry about how to make money from the data they steal. They simply steal the (virtual) money itself.

The weakest links

Until the entire blockchain system is secure end-to-end, there will be places where attackers can get in. The components interacting with the blockchain are written in code, and most software code has bugs and vulnerabilities. We’ve scanned billions of lines of code at CA Veracode, and find significant numbers of vulnerabilities year in and year out. Our most recent data set found that 77 percent of apps had at least one vulnerability on initial scan. With stats like that, do you trust that all the software interacting with the blockchain is secure? The wallets, the smart contracts, the exchanges?

Let’s look at exchanges and smart contracts for example. Cryptocurrency exchanges are online platforms where users can exchange one cryptocurrency for another cryptocurrency (or for fiat currency). In other words, depending on the exchange, it can function similar to a stock exchange or to a currency exchange (at the airport or bank).

There have been some significant breaches of exchanges in recent years:

  • Gox lost $480 million in Bitcoin
  • In 2016, Bitfinex suffered a multi-signature wallet hack and lost $72 million
  • Nicehash lost $63 million after an attacker stole credentials through a phishing attack
  • Coincheck suffered an attack because it was storing everything in a hot wallet and using single-factor authentication. (This is like a bank storing all their money in one teller’s drawer).

Smart contracts, which digitally facilitate, verify, or enforce the negotiation or performance of a contract, aren’t immune either. We’ve also seen simple programming errors in smart contracts lead to some significant breaches:

  • DAO had a bug in its smart contract. A reentrancy bug allowed an attacker to drain $50 million worth of Ether.
  • Parity wallet access-control problems led to $30 million breach.

Ultimately, it’s naive to think that just because you’re dealing with the blockchain, your transactions are secure.

What should blockchain users do to protect themselves? Start with some basic security measures:

  • Don’t expose your private key
  • Use two-factor authentication
  • Don’t publish any email addresses or phone numbers online when using exchanges
  • Don’t brag about your crypto fortune online

Implementing security at code level

We need those creating software that interacts with the blockchain to build security into their processes. They need to consider:

  • A good software development life cycle/ecosystem - add security into the development process and vet inherited code
  • Using two-factor authentication and hardware wallets
  • Adhering to standard best practices – using SSL and certificates to ensure that parties are who they say they are

There are many useful benefits for blockchain, including better legal contracts, greater visibility in supply chains, and even less fraud in voting. But like any new technology, threat actors are probing for weaknesses that can increase skepticism and slow adoption.


Copyright © 2018 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)