• United States



Contributing writer

5 ways to hack blockchain in the enterprise

Jul 16, 201810 mins
BlockchainData BreachSecurity

Experts warn of blockchain security risks in non-cryptocurrency use cases.

3 blockchain
Credit: Getty Images

One of the hottest topics in cybersecurity circles is the enterprise blockchain. This is the same technology that underpins cryptocurrencies like Bitcoin. Simply defined, blockchain is a list of transactions or contracts shared with peers and locked down by some clever cryptography. Beyond Bitcoin, it can ensure the integrity of supply chains, manage contracts, or even as serve as a platform for financial transactions.

Its popularity in the cryptocurrency space, use of cryptography, and distributed nature prove to supporters that the blockchain is the solution to many of our current cybersecurity problems. Akamai Technologies, for example, is currently building a blockchain-powered network for online payments. “Blockchain in and of itself is a security technology,” says Andy Champagne, VP and CTO of Akamai Labs. “It is really grounded in security principles.”

News about hacks of Bitcoin exchanges is relevant for open, public networks where anyone can set up a node, but enterprise blockchain projects are different from public networks, Champagne says. “Enterprise blockchain is usually permissioned blockchain,” he says. “There’s a set of nodes, but the nodes are private, and access to the nodes is limited through a set of security perimeters to folks who are part of the institution.”

It’s not just hype, confirmed Andrew Howard, CTO at Kudelski Security. Even if it’s not a panacea, the benefits of blockchain are real, and the technology is here to stay. “The basic concept, hypothetically, is very resistant to attacks,” he says. “In an academic point of view, blockchain makes a lot of sense. They are very difficult to attack if properly implemented.”

While blockchain might be a difficult target for hackers, it’s not invulnerable. Many security experts warn that blockchain implementations bring with them a wide range of dangers that companies need to be aware of.

Crypto crime is big business

There haven’t been any reports yet of cyberattacks against enteprise blockchain projects, but that’s mostly because the technology is still in the development or pilot stages. Attacks on public blockchain projects are common.

According to Carbon Black, hackers have stolen $1.1 billion worth of cryptocurrency in the first half of this year. “The growth of cybercrime has fueled a rise in the number of individuals who can write malicious code, and the dark web gives them the perfect marketplaces to sell them on,” says Rick McElroy, Carbon Black’s security strategist. The expertise the criminals are gaining from these attacks, and the tools that are proliferating in the underground, can be leveraged against enterprise projects.

Most of the cryptocurrency attacks aren’t aimed at the core blockchain technology, McElroy adds. Instead, the criminals go after poorly secured exchanges and individuals and businesses who aren’t adequately protecting their wallets. They also launch man-in-the-middle attacks to divert cryptocurrency transactions into their own wallets.

Many of these issues have to do with end-user security or problems with implementation, not the blockchain encryption protocols themselves, according to a recent McAfee report about blockchain security. Enterprise projects could have implementation issues as well, even if they don’t have the same breadth of publicly exposed attack surface. “For any enterprise looking to adopt blockchain, they should first weigh the benefits and cost of implementation versus the risk of new technology adoption,” says McElroy.

With that in mind, here are the 5 biggest blockchain security risks:

1. Human error when entering blockchain transactions

In some respects, an enterprise blockchain could be even more vulnerable than a public one. One of the advertised benefits of the blockchain is the resilience of a large, distributed, peer-to-peer network. If one node goes down, the system routes around it, so that there is no one point of failure. If one participant tries to sneak an illegitimate transaction onto the ledger, the other members will keep it honest. But what if someone makes an honest error?

“The advantage of being decentralized is that something can’t change without consensus,” says Chet Wisniewski, principal research scientist at Sophos Ltd. “So, when a cryptocurrency exchange makes a mistake, they can’t undo it. There’s no central authority. If you lose the password to your coin wallet, it’s gone forever. In the enterprise space, it’s rare to want things like that.”

In addition, while the blockchain encryption can prevent users from changing the historical ledger, the systems are usually set up so that participants can add new entries. With an enterprise projects, the participants are usually trusted counterparties rather than random members of the public. “But if the trusted party is compromised, then the security of the blockchain disappears,” says Ilia Kolochenko, CEO at High-Tech Bridge SA.

2. The 51 percent attack

Even worse, what happens if the majority of the network is compromised? Then the attackers can do a great deal of damage. That’s the idea behind the 51 percent attack. A malicious actor or group of actors takes over the majority of the nodes in the system and forces everyone to their will.

With Bitcoin, that can be hard to do, since there are so many participants on the network. Smaller cryptocurrencies are vulnerable, such as Bitcoin Gold. In May, attackers made off with $18 million worth of the currency with a 51 percent attack.

Enterprise blockchain projects typically have a much smaller number of participants than a public cryptocurrency platform. “The smaller the network, the fewer the number of nodes it takes to compromise it,” says Rob McNutt, VP of emerging technology at ForeScout. “If a bank is rolling out a blockchain to process transactions, the number of nodes is going to be substantially smaller than a public network, so the number of devices to compromise is much lower.”

Enterprise deployments are likely to be a lot more homogenous, so if a vulnerability is found in one node, it can be used to attack all the other nodes. “In the public domain, people download the different mining software, and the configurations are all different,” McNutt says.

3. Blockchain implementation errors

Another significant source of vulnerabilities for blockchain projects is the fact that the technology is so new and prone to implementation errors. Even the core blockchain encryption technology can be problematic. The algorithms may be mathematically sound, says Wisniewski, but your particular version of the code might not be.

“If you can’t understand the fundamental mathematics, you’ve basically downloaded a box that says ‘magic’ on the outside, and you don’t know what it’s going to do,” Wisniewski says. “We’ve seen so many times in the open-source world where people are relying on third-party libraries for these things, and someone gets into Github and switches out code and nobody notices for six months.”

Then there’s the fact that the blockchain technology is so new, Wisniewski says, “You don’t know which mistakes not to make.” You also need to properly manage all the encryption keys that come with blockchain deployments, he adds. “Most enterprises can’t even manage their website certificates correctly.”

Enterprise blockchains can also be susceptible to many of the same attack vectors as other technology projects. Take phishing and deception, for example, says Chris Wysopal, CTO and cofounder at CA Veracode. He hasn’t seen any attacks of this type against enterprise blockchains yet, he says, but that’s because there are so few in production.

These attacks are common with public projects. “We’ve seen a lot of attacks where people are pretending to be the recipients, intercepting or hacking webpages so they’re intercepting transactions,” he says. “It doesn’t have to be cryptocurrency; it can be any other kind of transaction.”

Enterprises rolling out blockchain projects need to make sure they have all the basics covered, including using the latest, most secure software development and review processes, ensuring that multifactor authentication is in place, and locking down websites to protect against web attacks. “If they’re susceptible to cross-site scripting, it doesn’t matter if you’re private or public,” says Tej Luthra, VP of engineering at Merlin International, a Virginia-based cybersecurity company. “All those attacks that have been prevalent in cybersecurity, blockchain is susceptible to all of that.”

4. Compromised smart contracts

In 2016, the Decentralized Autonomous Organization (DAO) launched a blockchain-based investment fund using the Ethereum platform, a version of blockchain that can store smart contracts and not just simple currency transactions. Hackers were able to use a smart contract to drain $150 million worth of Ether out of the system, according to Gartner.

“The DAO case has become the poster child for remembering that just because something resides on a blockchain, it doesn’t mean it’s inherently secure,” says Andrew Newman, founder and CEO at Reason Software.

These days, everyone wants to use the blockchain. “The thinking goes that by utilizing the peer-to-peer distributed ledger model, then everything else implemented on top of that will be secure as well,” he says. “Obviously, this is an erroneous assumption. Implementations can only be as secure and foolproof as they are written to be.”

Smart contracts are attractive for enterprises. They execute automatically when conditions are met and cannot be repudiated. That also means that it’s extremely difficult to undo problems, fix mistakes and reverse frauds. For example, it’s easy to accidentally write a contract so that its conditions are never fulfilled, or there’s an incorrect delivery address.

If that happens, the money winds up being locked away in the blockchain forever. Again, this is not a theoretical issue. Last fall, someone accidentally locked up multi-party Ethereum contracts, resulting in the loss of more than $300 million worth of currency.

5. Using undetected blockchain vulnerabilities

Today, public cryptocurrency exchanges are the low-hanging fruit of the blockchain ecosystem. The money is plentiful, easy to get to, and the odds of getting caught seem really low. “The criminal fraternity will go after where they have maximum return of investment,” says Raj Samani, VP and CTO at Intel Security.

That’s likely to be the case for the immediate future. “The industry is so new right now, that we don’t even have a platform for finding and reporting vulnerabilities in non-cryptocurrency-related blockchain,” says Steve Povolny, head of advanced threat research at McAfee. About 50 major companies say they are either investing in, acquiring or implementing blockchain technology, he says. “I think we’re not really going to see it hit production for a while.”

That will change as enterprise projects come online that involve either significant amounts of money, pertain to critical infrastructure or business processes, or involve politically or militarily sensitive information. “It’s going to be a huge learning curve for everyone,” says Yo Sub Kwon, founder and CEO at Hosho, a Las Vegas-based startup that specializes in auditing smart contracts. “The big companies that get into [blockchain] first will get to experience it first and learn those lessons.”

Not ready for prime time

Right now, blockchain in the business world is a solution looking for a problem, says James Lerud, head of the behavioral research team at Verodin. “The biggest risks come from the mindset that I have a problem that I want to solve with blockchain, let’s deploy something really quick,” he says. “It’s not a silver bullet.”

Blockchain architecture offers the ability to have trust through consensus without having to rely on a middleman, Lerud says. It can solve a lot of problems, but it doesn’t solve every problem. “This is where enterprises can go wrong when investigating blockchain,” he says. “People are taking it as, ‘Here’s a great solution, let’s find some problems for it.’ It’s a dangerous phase from a technology perspective.”