Why blockchain is only as secure as the software that interacts with it

Chris Wysopal is CTO at Veracode.

Securing the blockchain ecosystem is one of the most challenging cybersecurity problems right now. The blockchain itself might be secure, but that doesn’t mean all the pieces that intersect with it – including wallets, exchanges, miners, smart contracts – are secure, and many aren’t. According to a Carbon Black study, hackers stole $1.1 billion worth of cryptocurrency in the first half of this year.

Although the threat is primarily restricted to the public blockchain right now, the enterprise space will be next. Hackers are focusing their attention and effort more on public blockchain than on enterprise blockchain, largely because of the amount of money held in public blockchain. What’s more, weaknesses in enterprise blockchain will be found using the techniques that have already been exploited successfully against the public blockchain.

The security learning curve

New technologies bring new threats, and that creates a new security learning curve. With any new technology, it takes some time for the risks to emerge and then for an understanding of how to address those risks to develop. We went through this same curve with Wi-Fi, and are still in it with IoT. We’re currently in the early learning stages when it comes to blockchain security, and businesses will need to learn fast, because it’s an attractive target. There’s a lot of money involved, and a correspondingly large amount of attacker activity emerging.

Part of the reason that it’s such an attractive target is because, in this new landscape, cyberattackers can eliminate a step to get to payday: They don’t have to worry about how to make money from the data they steal, they simply steal the (virtual) money itself.

The weakest links

Until the entire blockchain system is secure end-to-end, there will be places where attackers can infiltrate. The components interacting with the blockchain are written in code, and most software code has bugs and vulnerabilities. We’ve scanned billions of lines of code at Veracode, and we find significant numbers of vulnerabilities year in and year out. In fact, our most recent data set found that 85 percent of apps had at least one vulnerability on initial scan. How can businesses trust that all the software interacting with the blockchain is secure? With flaws so common, wallets, smart contracts and exchanges could all be susceptible to hackers.

Exchanges and smart contracts, for instance, have demonstrated significant vulnerabilities recently. Cryptocurrency exchanges are online platforms where users can exchange one cryptocurrency for another cryptocurrency (or for fiat currency). In other words, depending on the exchange, it can function similarly to a stock exchange or to a currency exchange (at the airport or bank).

Historical blockchain attacks

According to Reuters, on 28 February 2018, Mt. Gox exchange filed for bankruptcy protection, claiming that it had been hacked, and that it had “lost 750,000 of its users’ bitcoins and 100,000 of its own.” At that time, one BTC was worth around $565, which means that the exchange had suffered a loss of around $480 million. Coincheck suffered an attack because it was storing everything in a hot wallet and using single-factor authentication. This can be compared to a bank storing all its money in one teller’s drawer.

Smart contracts, which digitally facilitate, verify, or enforce the negotiation or performance of a contract, aren’t immune either. We’ve also seen simple programming errors in smart contracts lead to some significant breaches, such as The DAO, whose smart contract had a re-entrancy bug that allowed an attacker to drain $50 million worth of Ether. Ultimately, it’s naive to think that just because you’re dealing with the blockchain, your transactions are secure.

Basic security measures

What should blockchain users do to protect themselves? Let’s start with some basic security measures: users should never expose their unique private key, and should enable two-factor authentication to deliver an extra layer of security.

Other common sense measures are not publishing any email addresses or phone numbers online when using exchanges, and crypto traders should also be cautioned against boasting about their cryptocurrency portfolio on the internet. Some attacks can be traced back to a bragging post made by the victim on a public message board, which attracted the attention of scammers.

Implementing security at code level

Security needs to be implemented from the code upwards, so it’s essential that those creating software that interacts with the blockchain build security into their processes. First, it’s imperative that software has a secure development lifecycle and ecosystem. This can be achieved by introducing security into the development process and vetting inherited code so that it’s watertight.

There are also industry-standard best practices – such as using SSL and certificates – that can be utilized across the board to ensure that parties are who they say they are.

There are many useful benefits of blockchain, including better legal contracts, greater visibility in supply chains, and even reduced fraud in voting. However, as with any new technology, threat actors are probing for weaknesses, and their successes can increase skepticism and slow adoption.
