Talk of blockchain technology often comes with a promise of better data management and security. History has shown, however, that foolproof cybersecurity is elusive, and every new technology brings new security needs into focus. In this regard, blockchain technology is no different.
What is blockchain?
Before going any further, let’s briefly review what a blockchain is. A blockchain is a distributed ledger secured by cryptography. Each block contains a cryptographic hash of the previous block, a timestamp, and transaction data. The blockchain is usually managed by a peer-to-peer network whose nodes use a common protocol to communicate with each other and to validate new blocks.
Because each block commits to the hash of the block before it, modifying an existing block changes its hash and breaks the link from every block that follows. An attacker would have to rewrite all of those later blocks as well, and then get a majority of the network to accept the rewritten history. This makes the blockchain tamper-evident and resistant to fraud, and an effective means of storing data whose integrity matters.
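The following Python model, added here as an illustration and not code from the original article, shows the hash linkage described above. It builds a small chain, tampers with one block, and shows that the tampering is detected unless the attacker also recomputes every later block. Block fields, timestamps and the transaction strings are constructed sample data; real chains add proof-of-work or consensus signatures on top of this structure, which the model omits.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

GENESIS_PREV = "0" * 64


@dataclass
class Block:
    index: int
    timestamp: float
    transactions: list
    previous_hash: str
    hash: str = ""


def compute_hash(block: Block) -> str:
    """SHA-256 over a canonical encoding of every field except the stored hash."""
    header = {
        "index": block.index,
        "timestamp": block.timestamp,
        "transactions": block.transactions,
        "previous_hash": block.previous_hash,
    }
    encoded = json.dumps(header, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def build_chain(batches):
    """Create one block per batch of transactions, each linked to the previous hash."""
    chain = []
    prev = GENESIS_PREV
    for i, txs in enumerate(batches):
        # Fixed timestamps keep the example deterministic.
        block = Block(index=i, timestamp=1540000000.0 + i, transactions=list(txs), previous_hash=prev)
        block.hash = compute_hash(block)
        chain.append(block)
        prev = block.hash
    return chain


def verify_chain(chain):
    """Return the index of the first block that fails validation, or None if intact."""
    expected_prev = GENESIS_PREV
    for block in chain:
        if block.previous_hash != expected_prev or compute_hash(block) != block.hash:
            return block.index
        expected_prev = block.hash
    return None


def tamper(chain, index, new_transactions, recompute_through=None):
    """Return a copy of the chain with block `index` altered.

    If recompute_through is given, the attacker also re-hashes blocks
    index..recompute_through, re-linking each to its rewritten predecessor.
    """
    forged = [Block(**asdict(b)) for b in chain]
    forged[index].transactions = list(new_transactions)
    if recompute_through is not None:
        for i in range(index, recompute_through + 1):
            if i > 0:
                forged[i].previous_hash = forged[i - 1].hash
            forged[i].hash = compute_hash(forged[i])
    return forged


if __name__ == "__main__":
    # Constructed sample ledger: four blocks of one transfer each.
    chain = build_chain([["alice->bob:5"], ["bob->carol:2"], ["carol->dave:1"], ["dave->alice:4"]])
    print("intact chain:", verify_chain(chain))                                   # None
    forged = tamper(chain, 1, ["bob->mallory:200"])
    print("edit block 1 only:", verify_chain(forged))                             # 1
    forged = tamper(chain, 1, ["bob->mallory:200"], recompute_through=1)
    print("edit block 1 and re-hash it:", verify_chain(forged))                   # 2
    forged = tamper(chain, 1, ["bob->mallory:200"], recompute_through=len(chain) - 1)
    print("rewrite every later block:", verify_chain(forged))                     # None
```

The last case is the only one that passes local verification, which is why the attacker's real obstacle is not the hashing but convincing the rest of the network to adopt a rewritten history longer than the one honest nodes keep extending.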
The most famous uses of blockchain technology are tied to cryptocurrencies like Bitcoin. In the decade since Bitcoin first appeared, several other use cases for blockchain technology have emerged. Unsurprisingly, this has been accompanied by increased attention from attackers on everything from cryptojacking to attacks against currency exchanges and smart contracts.
Recent blockchain attacks
In September, an attacker exploited a smart contract run on the EOS blockchain by the betting company DEOSGames. EOS is a cryptocurrency created by Block.one. The attacker in this case stole more than $24,000. A far larger example is the infamous attack on The DAO, a decentralized autonomous organization launched in 2016 as a venture capital fund for the crypto industry. The DAO existed essentially as a smart contract on the Ethereum blockchain. Shortly after it launched, an attacker exploited a reentrancy flaw in The DAO’s code (the contract sent funds to the caller before updating the caller’s recorded balance, so the caller could withdraw again and again) and siphoned off Ether worth roughly $50 million at the time. The attack led the Ethereum community to controversially hard-fork the Ethereum blockchain so that the stolen funds could be returned to their original owners.
Bitcoin’s inflation bug recently caused some fallout as well. Although the issue was patched in Bitcoin Core, another cryptocurrency called Pigeoncoin, which reused some of Bitcoin’s public code, remained vulnerable. Attackers exploited the issue to print 235 million Pigeoncoins valued at approximately $15,000. Projects that fork an existing code base inherit its patch obligations along with its code. As adoption of blockchain technology continues, it is imperative that companies keep security as part of the conversation – not just in terms of the security that blockchain solutions can provide, but also in terms of how to make sure the technology is implemented and used securely.
Security issues with blockchain
While blockchain technology can bolster data integrity, attackers have several ways to compromise blockchain solutions, starting with the individual nodes of the blockchain. Nodes are the systems that make up the distributed network supporting the blockchain, and like any other server they can be misconfigured. In May, threat intelligence firm GreyNoise warned anyone running an EOS node that an IP address had been spotted “sweeping the Internet for unauthenticated EOS RPC daemons on TCP/8888, specifically the /v1/wallet/list_keys endpoint.” Wallet and other administrative RPC interfaces should be bound to localhost or a trusted management network and never exposed to the Internet.
For enterprises considering private blockchain solutions — blockchains where access to the network is controlled and permission is needed to join — protecting private access keys is another aspect of security that cannot be ignored. With the keys an attacker could access the blockchain and potentially take unauthorized actions.
In other cases, social engineering is the culprit. According to the EY Research report on initial coin offerings (ICOs), phishing is the most common form of funds theft during ICOs, with scammers either requesting a transfer of funds to their own wallet or stealing the private keys to investors’ wallets.
As many of the successful attacks that have been perpetrated show, while the concept of a blockchain offers some inherent security through increased data integrity, other security holes can be opened by coding mistakes, configuration issues, or failure to protect sensitive key material. Companies should also remember that conventional controls such as user monitoring, patch management, and key management are still needed to protect the individual nodes from security threats. Following secure coding practices, in particular updating a contract’s state before making any external call, reduces the likelihood of vulnerabilities in smart contracts that can endanger blockchain projects.
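To make the smart-contract coding point concrete, here is an added Python model (not code from the article, and not Solidity) of the withdrawal bug class behind The DAO incident described above, beside the corrected version. A contract that pays the caller before zeroing the caller’s balance can be re-entered by a malicious recipient whose receive hook calls withdraw again; ordering the state update before the external call (the checks-effects-interactions pattern) closes the hole. The bank and account classes, names and deposit amounts are constructed for the example.

```python
class Account:
    """An externally owned account: receiving funds runs no code."""

    def __init__(self, name):
        self.name = name
        self.received = 0

    def receive(self, bank, amount):
        self.received += amount


class Attacker(Account):
    """A contract-controlled account whose receive hook re-enters withdraw()."""

    def receive(self, bank, amount):
        self.received += amount
        # Keep re-entering while the bank still holds enough to pay us again.
        if bank.vault >= amount:
            bank.withdraw(self)


class VulnerableBank:
    """Sends funds to the caller BEFORE updating the caller's balance."""

    def __init__(self):
        self.balances = {}
        self.vault = 0  # total funds held by the contract

    def deposit(self, who, amount):
        self.balances[who.name] = self.balances.get(who.name, 0) + amount
        self.vault += amount

    def withdraw(self, caller):
        amount = self.balances.get(caller.name, 0)
        if amount == 0:
            return
        if self.vault < amount:
            raise RuntimeError("transfer failed: insufficient funds in contract")
        self.vault -= amount
        caller.receive(self, amount)        # interaction first: caller's code runs here
        self.balances[caller.name] = 0      # effect last: too late, we were re-entered


class HardenedBank(VulnerableBank):
    """Checks-effects-interactions: update state, then make the external call."""

    def withdraw(self, caller):
        amount = self.balances.get(caller.name, 0)
        if amount == 0:
            return
        if self.vault < amount:
            raise RuntimeError("transfer failed: insufficient funds in contract")
        self.balances[caller.name] = 0      # effect before interaction
        self.vault -= amount
        caller.receive(self, amount)        # a re-entrant call now sees a zero balance


def run_attack(bank_cls):
    """Deposit 10 from an honest user and 1 from the attacker, then let the attacker withdraw.

    Returns (funds left in the contract, funds the attacker ended up with).
    """
    bank = bank_cls()
    alice, mallory = Account("alice"), Attacker("mallory")
    bank.deposit(alice, 10)
    bank.deposit(mallory, 1)
    bank.withdraw(mallory)
    return bank.vault, mallory.received


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableBank))   # (0, 11): the whole vault is drained
    print("hardened:  ", run_attack(HardenedBank))     # (10, 1): attacker gets only its deposit
```

In the vulnerable variant each re-entrant call reads the attacker’s still-credited balance, so a single deposit of 1 drains all 11 units; in the hardened variant the second call finds a zero balance and returns. A reentrancy guard (a mutex flag set for the duration of withdraw) is a complementary defence, but it does not replace getting the order of state updates right.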
When weighing the adoption of blockchain solutions, organizations should ask themselves:
- What problem are we trying to solve with a blockchain solution?
- Are we creating our own solution or leveraging an existing product/technology already built?
- What information will be stored on the blockchain? Is it sensitive? If so, does the chosen solution encrypt it before it is written? Data on a shared ledger is replicated to every node and cannot be removed later, so anything written in the clear stays visible to all participants.
- Who needs access to this data? What access control mechanisms are in place?
Before adopting blockchain solutions, enterprises need to examine their own readiness level. As history has shown, where legitimate developers go, cybercriminals will follow.