One of the biggest selling points of the blockchain is “security.”
One small problem: blockchain security is only as good as every single device, app, wallet, mining operation, exchange, smart contract, and user connected to it.
As more and more organizations explore ways to use the blockchain, understanding it and the ways in which it's vulnerable is critical.
“The reason the blockchain is being adopted so quickly is this belief that it’s so secure, but the blockchain is as vulnerable as the vulnerabilities that people, programs, vendors, supply chain, partners, etc. bring to it,” says cybersecurity expert and Sensato CEO John Gomez. “Cyber attackers use a lot of the same traditional methods to bypass blockchain security.”
Let’s count a few of the ways attackers can—and have already—found the weak links in the blockchain:
The 51% attack:This one is an actual blockchain attack. While blockchain proponents are fond of saying that such an attack would be too difficult to coordinate, it’s actually already happened. In 2016, attackers used DDoS nodes to enhance network power and gain control of 51% of Ethereum-based cryptocurrencies Krypton and Shift. They used their access to roll back transactions and double-spend the crypto coins.
Vulnerable websites:In 2017, attackers simply found a way into the CoinDash website. They changed the address for interested investors, routing investments to the attacker’s account and netting about $7.4 million in Ethereum tokens. In 2016, the Steemit website was similarly compromised, resulting in losses of about $85,000 in Steem Dollars and the Steem cryptocurrency.
Devices:Transactions on the blockchain require public and private crypto keys. The keys themselves are nearly impossible to crack, but if an attacker can get ahold of them, it’s game over. One of the best ways to get ahold of someone’s blockchain keys? Via whatever digital device they use to transact business on the blockchain. In early 2018, Japan’s Coincheck exchange lost $532 million in NEM coins when an attacker gained access to an employee’s computer, installed malware to steal private keys, and drained accounts.
Humans, of course:Just as they’ve done with other types of digital targets, attackers focus a lot of effort on the human element. In one phishing attack, the attackers created a fake wallet offering on the blockchain. After a period of allowing users to complete successful wallet transactions, the attackers drained all the wallets.
Third-party tools:A lot of new companies have sprouted up to create blockchain offerings. Some are not as secure as you’d hope. One of those was NiceHash, which lost $64 million in Bitcoin during an attack in 2017.
Smart contracts:“The blockchain is no more secure than the humans designing the code,” says Gomez. And humans write the smart contract code. In 2016, attackers exploited a smart contract to steal around $80 million worth of ether from the Decentralized Autonomous Organization (DAO). One study of 19,366 Ethereum smart contracts found that 8,833 were vulnerable to bugs.
In some ways, the blockchain is as secure as its proponents say – the cryptographic keys and the decentralized ledger alone are strong security features – but nothing is 100% secure. Organizations considering a move to the blockchain should first make sure they have a strong cybersecurity program in place and learn about the potential weak links in the blockchain so they can prepare for all eventualities.
Originally developed as the accounting method for the cryptocurrency Bitcoin, the blockchainis a decentralized, digital public ledger of all cryptocurrency (Bitcoin, Ethereum tokens, etc.) transactions.
Cryptocurrency transactions are managed on the blockchain by a global network of individual computers (nodes) rather than a central banking authority. The digital ledger is composed of blocks, recording every transaction on the system through a system of nodes that transmit transaction information. The nodes act as a collaborative verification system – they must agree that the initiating user does have the cryptocurrency before a transaction can be recorded.
Anyone with internet access can buy or sell public blockchain cryptocurrencies.