Blockchain technology has significantly changed the way in which traditional networks operate. It is based on the concepts of cryptography, decentralisation and consensus, which have revolutionised record-keeping. Aside from improving the speed and efficiency of transactions, it provides many security benefits through cryptographic validation and improving the transparency of records. The misconception, however, is that it is fully secure by default.
Is it possible to hack the blockchain?
Judging from historical successful cyber attacks on existing blockchains, the answer is yes. This begs the question: given the inherent security principles in the design and operation of the blockchain, what vulnerabilities could exist and how have they been exploited?
Blockchains are classified into various types, distinguished by whether they are open to anyone or restricted to known participants, and whether they are permissioned or not. Permissioned and restricted – or ‘closed blockchains’ – are believed to offer higher levels of security. They provide greater control over who can participate and what activities they can perform. The decision on the type of blockchain to implement is usually a question of the relative importance of security compared with performance of the blockchain.
However, there are some weaknesses that resonate across blockchains. Some relate to the technologies used to implement blockchain, while others are specific to the way in which blockchains operate. The human participants in a blockchain provide an opportunity for spoofing, phishing and other social-engineering tactics widely used by cyber criminals in other areas.
Attackers can send phishing emails or pose as wallet providers to obtain participants’ private encryption keys, allowing criminals to perform illegitimate transactions on the blockchain. Other generic methods of attack involve taking advantage of weak endpoint security to access data stored on participants’ devices (including private keys) and exploiting weak network security to intercept confidential data.
These methods were used by attackers to hack into an employee’s computer at South Korea-based cryptocurrency exchange Bithumb. More than 30,000 customer details were compromised and later used to scam them into providing authentication details to steal cryptocurrency.
Open blockchains offer greater anonymity. Participants are identified by a public address, often consisting of a string of letters and numbers, not easily linked to an identifiable person. This anonymity makes it attractive for cyber criminals, who often request payment in cryptocurrency underpinned by blockchain technology. While blockchain analysis software can help trace wallets and transactions using IP addresses, for example, techniques such as mixing and tumbling can be used to hide the true origin of cryptocurrency, making it much harder to trace ownership.
Smart contracts automatically execute transactions in line with certain conditions but can be exploited to anonymously move funds out of the blockchain. This was the case with the breach of the Decentralised Autonomous Organisation (DAO) in 2016 where more than $60m was stolen.
Another attack that takes advantage of how blockchain networks operate is a 51% attack, where the perpetrator’s aim is to get control of more than half the blockchain network’s mining power, thereby allowing them to control and manipulate the ledger of transactions. This type of attack typically affects blockchains that use the proof-of-work consensus mechanism.
Ongoing security efforts
It is important to remember that security is an ongoing effort, and no technology can ever be fully secure at all times, particularly with the interconnection of various technology components and constant technological advancements.
Blockchain networks can be much more secure than traditional networks and can provide several security benefits. As with any technology, due diligence and care should be taken when developing, managing or participating in a blockchain. Consider secure communication, code security, key management, identity and access management, and consensus management.
As security standards are developed and accepted, they should be implemented to better leverage the security opportunities of blockchain technology.
If you would like an overview of the foundational elements of blockchain technology, take a look at the ICAEW blockchain page at Blockchain and cryptoassets | ICAEW.
Cybercrime Awareness Month 2022
ICAEW marks the global Cyber Security Awareness month with a series of webinars, videos, podcast, a panel discussion and other resources addressing cybercrime and how to protect your business. We will focus on the latest trend as well as supply chain risks and concerns.