27 March 2019

The growing pains of blockchain cybersecurity

Crypto users and investors are anxious that blockchains are hackable, but despite the fears, the crypto industry marches forth with many struggles ahead.

Blockchains have come to the fore, claiming to wield airtight security and reliability for cryptocurrency users. However, the recent spate of public attacks against several different blockchains has raised the issue of cybersecurity and reminded giddy crypto pioneers that just like with the regular Internet, flawless security is impossible.

It would seem that the best users can hope for is for apparent risks to be mitigated – up to a point. That particular point, or threshold, may only be human error because despite the most ingenious security measures combined with the most efficient platform methodology – cybersecurity is only as good as the individual holding the keys.

The same could be said for offline security measures. Your residence could have the most advanced motion detectors, reinforced doors, locks and windows, not to mention a guard dog. But if the homeowner loses his keys, allows them to be copied, or a nefarious burglar steals them – heisting the family jewels becomes a case of walking in through the front door and back out again.


Racking up the evidence


Given the wide disparity of cyber-security infrastructure between consumers, vendors, business and service providers, high-profile data breaches occur with consistent regularity.

The reality is that as soon as a single weak point can be exploited (typically by ingenious hackers), the entire system becomes susceptible as a result. The other problem is that not all agents in any inter-connected system have the same level of security which effectively means hackers can arbitrage security deficiencies and infect the entire system.

The current internet infrastructure is arguably not up to the challenge of preventing sophisticated cyber-attacks. Take the examples of Equifax, WannaCry, Bitfinex and the Decentralized Autonomous Organization (DAO) – each of these attacks did not come about as a result of vulnerabilities in the architecture itself, but rather, the ways the architecture was implemented by a particular company or individual.

The good news is that it wasn’t the infrastructure itself that was the problem, but the security methodology that was being implemented. The bad news is that regardless of the cyber-security measures being implemented, there will always be an exploit lurking about for hackers to exploit.

In the case of Bitfinex in 2016, a cryptocurrency trading platform first founded by Raphael Nicolle, its hacking resulted in the theft of US$60 million worth of Bitcoin.


Attack formation


Since the birth of blockchain technology and cryptocurrencies, various methods of attack have been developed in a bid to tap the millions of dollars being exchanged between users.

Understandably, due to blockchain technology being a new phenomenon, it has various teething issues which developers seek to gradually eradicate over time (much like all other new fintech developments).

Here are just a handful of exploits that have been developed and how they operate:

Sybil Attack

The so-called Sybil attack was named in honour of the book ‘Sybil’ by Flora Schreiber which delved into the treatment of a patient with multiple personality disorder. 

In the world of cryptocurrencies, a Sybil attack involves a large number of nodes on a single network that is owned by the same party (hence the connection to the book), in an attempt to disrupt network activity. The two prime methods of disruption are by flooding the network with bad transactions or manipulating how valid transactions are relayed.

Computer science experts claim that Sybil attacks are theoretical (thus far) and may never actually materialise because one of the fundamental design concepts that underpin cryptocurrencies is integrating defence mechanisms which prevent this particular form of breach.

Bitcoin prevents Sybil attacks via what’s known as a “proof-of-work algorithm”, requiring nodes to spend resources (in the form of energy) to receive coins, thereby making owning the vast majority of nodes rather expensive. Different projects handle Sybil-resistance differently, but nearly all handle it. 

For now, Sybil attacks are merely a speck on the radar, but over time, they could hit much closer to home – especially with many crypto setups now sprawling their way to market and inducing many entrepreneurs to cut corners on security, in order to encourage greater participation in their shiny new crypto-coins.

Routing attack

Routing attacks work by intercepting internet traffic sent between autonomous systems and top-level nodes that form the architecture of the Internet. These nodes work upon a hierarchical structure which means that if hackers can infiltrate just one or two nodes at the top-end, they could proliferate a variety of mechanisms to intercept the traffic being sent to the rest of the system. The end result is a plethora of malfeasance, and yes you’ve guessed it, lots of stolen coins.

Routing attacks are seen on a regular basis throughout the Internet and are now being customised to undermine blockchains and cryptocurrency traffic in general.

According to research done by ETHZurich, 13 internet service providers (ISPs) host 30% of the Bitcoin network, while only 3 ISPs route 60% of all transaction traffic for the network. This could potentially become a major focal point for hackers if an ISP were to be compromised or corrupted.

Direct Denial of Service

A Direct Denial of Service (DDoS) attack is an attempt by nefarious users to effectively cripple servers, websites and even Bitcoin nodes, by flooding it with high volumes of requests and internet traffic.

In the case of a standard website, a DDoS attack prevents legitimate requests from receiving the resources they need. In the case of a Bitcoin node, this entails huge volumes of small or invalid transactions being sent to flood the network and prevent legitimate transactions from being processed.

DDoS attacks are extremely common on the Internet and pretty much every large company or government department has had to deal with such attacks over the past decade. Hackers seem to favour large entities when looking for exploits, presumably because of the potential for more loot (or more extensive disruption) if their exploit succeeds.

This method of attack has become so widely-used that experts say that it is now relatively easy to purchase a DDoS attack from any number of disreputable “hackers” or firms out there scuttling about to serve the highest bidder.

Bottlenecks

In June 2015, Coinwallet.eu conducted a stress test of the Bitcoin network by sending thousands of transactions throughout the network to highlight the point that block sizes should be increased. At the time, Coinwallet’s developers were adamant that spam attacks were a straightforward method of clogging up an entire network and effectively shutting down any cryptocurrency.

Around a month later, in what was dubbed a “flood attack”, 80,000 micro-transactions were simultaneously sent on the Bitcoin network to create a burdensome backlog that threatened to grind Bitcoin to a halt, and potentially, create a panic amongst its skittish users.

The Bitcoin network was effectively rescued, only after the intervention of F2Pool, one of the world’s largest mining pools at the time. The company was forced to dedicate an entire block to combining all outstanding spam transactions before finally clearing them and restoring the Bitcoin network back to working order.

51% or “majority attack”

Considering that the security of a blockchain is directly linked to the amount of computing power that creates the blockchain itself, there always exists the risk of a someone gaining control over the majority of a network’s hash power. In theory, this would allow the attacker to mine blocks faster than the rest of the network combined, and by extension, would open the door to what’s known as “double-spending”.

Double-spending is a method of defrauding a cryptocurrency that involves submitting transactions to the blockchain, receiving the product or service that was paid for, and subsequently using the majority hash power to fork the blockchain at a point prior to the transaction. In essence, double-spending erases transactions from the chain history, allowing the attacker to transact with the same coins for a second time.

In simple terms, it’s a bit like paying for multiple products with a cheque will only be cashed once. The most detrimental aspect of such an attack is less so the stability of the blockchain architecture, and more so, the impact on the broader confidence amongst other users. A bit like what a rumour of counterfeit fiat currency could do in the modern-day economy.


The real threat


Blockchain technology has arrived and it has brought cryptocurrencies with it. Crypto-led services can potentially transform how we do business while empowering the creation of a wide range of improvements to society. Blockchains aim to put the power back in the hands of end-users, not the hands of exploitable data-sharing platforms.

However, regardless of how powerful blockchains may be, they are not immune to attack. Any technology has weak points and attack vectors, and blockchains are no exception.

The unavoidable problem in cyber-security (and crypto hacking in particular) is that the security of any cryptocurrency is only as good as the person wielding the keys. Even the best protection mechanism can be rendered worthless by a non-vigilant user which possibly underscores a fundamental truth of human nature: people aren’t so great at paying attention or being vigilant, especially when they wallow in a false sense of security.

Reusing passwords, falling victim to phishing scams, careless website operators and negligent exchange employees continue to be the most dangerous points of failure when it comes to the health of the crypto economy.

The various forms of crypto hacking are being actively mitigated by a community of developers that far outnumbers the number of side-lined hackers working in the opposite direction.

With both sides of the cyber-security struggle developing bigger and better weapons, the war between developers and hackers rages on and is unlikely to present a clear winner anytime soon.


Written by George Tchetvertakov in collaboration with Dr Demetrios Zamboglou
Published by The Daily Hodl