Blockchain’s short history has already proven that assumptions about its infallible security, based on the collective computing power of the masses, are misguided. The collapse of Mt. Gox, a Japanese cryptocurrency exchange that lost $450 million worth of bitcoin in thefts between 2011 and 2014, is just one of several examples that add up to an estimated $3.55 billion lost in blockchain security incidents between 2011 and 2018.
However, many of these more costly security breaches occurred not because of blockchain technology’s failings, but because of keys or passwords or other sensitive information exposed through the sloppy security practices of people developing and using blockchain applications. In short: weak secondary systems and human error, not the underlying tech, are often the problem.
“The platforms we use to interact with blockchains, the platforms on which we keep the keys to high value crypto-assets, are nowhere near secure enough,” says Emin Gün Sirer, an associate professor in computer science at Cornell University with expertise in developing cryptocurrency protocols and investigating blockchain security flaws. “As a consequence, the greatest security threat involves targeted attacks on clients, as well as shared platforms such as exchanges.”
Many hackers and scammers have found easy marks among blockchain users because of the “start-up mentality in which security often takes a backseat to growth,” according to McAfee, the U.S.-based global security company.
The Weakest Link in Blockchain
Most attackers find it easiest to exploit the operational security failings of humans and organizations rather than directly attack blockchain technology. Dutch and Singaporean researchers found that such “opsec” incidents represent two thirds of publicly disclosed security breaches in their survey of blockchain security incidents.
Many of these cases sound like familiar versions of traditional computer security breaches. In one case, a hacker gained access to an employee’s computer and used malware to steal private keys from digital wallets. That allowed the hackers to make off with more than $500 million in NEM coins from the Tokyo-based cryptocurrency exchange Coincheck during an incident disclosed in January 2018.
In another case from 2017, a scammer set up a cryptocurrency wallet service for unwitting customers and waited patiently for people to sign up over several months before finally making off with $4 million from customers’ wallets.
“Consider the growth in miner malware, or malicious software that targets cryptocurrency wallets,” says Raj Samani, chief scientist at McAfee. “In part, the growth of marketplaces providing such products has meant that anybody can now target cryptocurrencies.”
Criminals have also cashed in on blockchain technology in other ways. For example, “cryptojacking” schemes involve hackers using traditional malware techniques to hijack victims’ computers for the purpose of mining cryptocurrencies. And it’s become common for criminals to demand ransomware payments in the form of cryptocurrencies in an attempt to further hide their identities.
The 51% Attack: A Primer
This isn’t to say that blockchains themselves have no security vulnerabilities.
“Blockchains are certainly an overhyped area, with narratives far ahead of the actual technology,” says Sirer, who notes that much of his research has gone into calling out “myths that are pervasively perpetrated by the crypto community.”
Blockchain security rests upon several key assumptions. One is that many individuals and groups are collectively using their computing power to process the growing blockchain digital ledger that contains each and every record (or “block”) of past transactions. For popular blockchains such as bitcoin, the presence of so many contributors—known as miners—supposedly enhances security by ensuring that no one entity controls the majority of the computer power being used to process each transaction.
But if a single entity or several groups acting together controlled more than 50 percent of the blockchain network processing, they could hijack the main blockchain for their own nefarious purposes by processing blocks faster than anyone else, according to the McAfee Blockchain Threat report. Such a “majority attack,” also known as a “51 percent attack,” would effectively allow the group controlling the majority of the network’s computing power to create a manipulated version of the blockchain ledger that is accepted as the valid ledger of all past transactions.
The computing power necessary to pull off a majority attack is usually considered impractical for a network with a large number of miners like bitcoin. But smaller cryptocurrencies such as Krypton and Shift have fallen prey to majority attacks carried out by an anonymous group known as 51 Crew, which demanded ransom payments based on their threat of hijacking the blockchain platforms. Organizations that want to use blockchain internally to manage their inventory or data could also be vulnerable to such majority attacks, McAfee researchers warned.
The reality is that even popular blockchain platforms may lack the necessary amount of decentralization to be truly secured, Sirer says. He and his colleagues have pointed out that “just a handful of mining consortia account for over 50 percent of the blocks in bitcoin and Ethereum.” “None of the existing coins offer any meaningful amount of decentralization,” he says.
Attackers may not even need majority control of a blockchain platform’s network to compromise the technology. Sirer coauthored a 2013 paper that detailed the much-theorized possibility of a “selfish mining” attack that could compromise a blockchain network with control of just 33 percent of the network’s total computing power.
For ordinary folks just wanting to open a wallet or buy some cryptocurrency, McAfee’s Samani recommends following a straightforward security guide provided by Jennifer Leigh, a former poker player turned cryptocurrency trader.
Blockchain platforms will also need baked-in methods for dealing with the theft of customer keys. Sirer’s Cornell group has developed vaults—which are already being adopted by second-generation blockchain platforms—that enable key thefts to be rolled back without affecting the finality of actual payments.
On the server and exchange side, Sirer expects that in the next few years, truly decentralized cryptocurrency exchanges with tighter security protocols will emerge to “address the ongoing dumpster fire of exchange failures.”
Whether they want to or not, Sirer says, many more individuals and businesses will need to learn about blockchain’s security advantages and risks sooner rather than later. “Every technological company will have to use blockchains within 10 years,” he says. “It will be an extinction-level event for many businesses.”