There has been a flood of blockchain news in recent months, and there is no shortage of hype. The price of bitcoin has caused a stir in traditional media, but there has also been an increase in the compensation for blockchain-based smart contracts. It’s an exciting time for the blockchain, with the rise of Bitcoin, Ethereum and other blockchain technologies such as Ethereum Classic and Bitcoin Cash. Interest in blockchain technology has also increased in other areas, such as the use of travel compensation and the development of smart contracts based on blockchain.
If a central bank is involved, it makes sense that other banks show a high level of interest. Research by the Cambridge Centre for Alternative Finance shows that 67% of central banks currently use the blockchain, but this is not typical for this period.
Now that technology is mature, the financial services industry seems to be thinking more holistically about how to secure the blockchain’s distributed ledger design. To keep this article brief (and perhaps a little more readable), we will look at the principles of security in blockchain as technology, especially in the business context, but not delve too deeply.
One challenge we have seen is that a number of voices have argued that the blockchain does not need much security, because it is designed to provide security. These voices indicate that this is an approved distributed ledger, that access is limited, and that the consensual nature of the distributed ledger provides immunity from corruption by individual nodes. Moreover, the whole idea of a distributed register is to ensure that if one copy of the register fails or is damaged, other registers offer a way to restore the truth.
In this environment, security is seen as a cost that blockchain eliminates, and the decentralised hack suggests that even implementations based on blockchain concepts such as Ethereum are potentially less error-prone than IT in the past. Looking at the problems that Parity had in 2014, when $280 million was potentially destroyed and then $30 million stolen in June, it becomes clear that the level of security in blockchains and cryptocurrencies is enormously important.
I would suggest that the design of the most famous implementation, Bitcoin, protects the reputation of the blockchain, although so far only comparatively limited value has been stored on it outside of Bitcoin. Of course this tends to make value, and the added security of a blockchain even more important than the value of any other technology.
With the development of blockchain implementation and the rapid increase in the value of implementation, as is happening now it is becoming more aggressively targeted at vulnerabilities. This does not mean that security is superfluous, but it is real, and as a result blockchain implementations will be more aggressive in targeting vulnerabilities and rapidly increase the value of those implementations – which is happening now.
The problem has two elements, and both have their roots in the development of blockchain as a technology and its use in a number of applications.
First, hackers are ingenious and creative people, and they like challenges, so in today’s world we have many opportunities to steal data and money. Secondly, what is safe today may not be so safe tomorrow, but just because we cannot imagine the threat today does not mean that smart teenagers and organised crime gangs do not see the possibilities of attack.
Blockchain is one of the best ways to manage a ledger where participants cannot fully trust each other, but the irreversibility of a blockchain is a major obstacle to its use in many applications, such as financial transactions. Since data is transmitted and distributed via the blockchain, this provides a very effective way to demonstrate the truth. We have a decentralised register, which is another good way for us to make our registry system more resilient. What do you think we should be thinking about when securing blockchains?
The great thing about blockchains is that they are irrevocable, but the challenge is what happens when bad data is shared. Where data first enters the blockchain tends to be less focused, and challenges focus more on what happened when it was shared than on the actual data itself.
If it is possible to decrypt the blockchain, its immutable and irrevocable character will be called into question and its integrity will be called into question. Decrypting corrupted or compromised data from a blockchain system is not a trivial task.
It is very difficult to change a distributed register after the data has been distributed, but that does not mean that there is no reason to believe that similar principles could not be used to target endpoints in the implementation of blockchain technology or a company. We have already seen this kind of attack on mobile bitcoin wallets, so physical devices can be a simple point of attack, and I suggest that securing the endpoint from which data enters the blockchain is crucial. If the hackers “only intention is to steal the value of the register, it is possible, if the endpoint could theoretically be controlled long enough, to seriously damage any blockchain implementation that depends on it. At this point, the immutability of the blockchain can act as the rightful owner and alter its value.
The motives of the hackers are manifold, and the direct motives are not only one-sided, but also beyond.
Theoretically, distributed ledger technology provides protection against ransomware, and that can be very powerful. If a register is encrypted or otherwise removed from the network, it would not be necessary to create a new register on a shared list with other users on the network. In practice, this seems to be a very difficult task in a business environment, not to mention the legal and regulatory issues that would have to be resolved before a redesigned register goes into production, presumably also to investigate and remedy how the original register was compromised.
Although the hackers’ motives are varied, and disruption and destruction may have been their goal more than theft, many believe they were trying to steal the registry.
Yet prevention is a better cure – anything and everything to secure the register, and a distributed register increases resilience. Looking at current cyber threats, one of the most common threats to blockchain technology, which relies on distributed ledger technologies, is network disruption. The way a blockchain works is that you add and distribute transactions. As more blocks are built on top of it, transactions become harder to rewrite and cause network disruption.
While DDoS is not one of the most sophisticated cyber threats, it is a distributed network, and that is probably its greatest threat. A hacker who cannot penetrate transaction cryptography and access the register could have a huge impact on a blockchain-based system. It is vital to protect the network from interference and ensure that all nodes have access to it.
Identity authentication is a big issue, and a recent example is the DAO hack, which focused on a time of high demand for ticket sales. With a lottery that could take place in the coming weeks, the impact on the blockchain settlement network could be significant. As with the DAO hacks, it can be quite dangerous to attack the soft areas of blockchain implementation, such as the actual blockchain itself.
The $500,000 attack on Enigma was carried out by an attack on the company’s website and Slack channel. There was a fake message posted by the attacker, a modified company website and a fake email pointing to his own crypto wallet. This could have been prevented by protecting endpoints, but it still feels like a major blow to blockchain security and its use in the real world.
We have looked at some of the above areas, but there are many more that can be explored, and I am sure there will be more in the near future.
In short, distributed ledgers and blockchain projects need a different attitude to risk, and good design is crucial. So be aware that you may not be able to prevent old forms of attack against new systems from being effective, but you can at least limit them.