Blockchain vulnerabilities

Can Blockchain be Hacked?

Last updated on June 22, 2021

Blockchain May Not be as Secure as Once Thought

As a security researcher who has been in the technology industry for over a decade and has uncovered billions of exposed records online, I often get asked how safe blockchain is and whether it can be hacked. The answer may not be so simple. As the popularity and use of blockchain technology grows, so does the number of potential vulnerabilities and of cyber criminals who are looking for ways to scam blockchain users. Blockchains were once believed to be unhackable, but they are not immune to being hacked or to suffering other critical exploits. In 2019, the value of both cryptocurrency theft and blockchain fraud was an astounding $4.5 billion according to Gadget.co.za. This has led many investors, companies, organizations, and members of the security community to take a hard look at how safe blockchain is and what the real risks are.

I have spent years finding vulnerabilities in databases, system networks, and data breaches from human errors. It was not that long ago that security experts were telling us how secure cloud storage was. We learned rather quickly that for all of the benefits of using the cloud there were also serious security risks and an ever-evolving threat landscape. It feels like a game of cat and mouse when it comes to data protection and technology, but the question everyone is asking right now is whether blockchain is really safe and secure, or whether it can be hacked.

These days you can’t turn on your TV or radio, or read the news, without hearing about cryptocurrencies and non-fungible tokens (NFTs). The headlines show how much interest there is in the value of cryptocurrencies and the unique ability to own a one-of-a-kind NFT. The purpose of this article is to focus on security, threats, and vulnerabilities, and to discuss whether blockchain can be hacked, so I will not dive too deep into what blockchain is or how it works.

Here are the basics: the blockchain technology concept was created in 1991 by two researchers who wanted to create a process where document timestamps could be unique and could not be changed or manipulated. Blockchain can best be described as a type of database that stores data in blocks that are chained together and connected in chronological order. At the present time there are four types of blockchain networks: public, private, consortium, and hybrid blockchains. The transaction records are decentralized with no single authority, are designed to ensure security and transparency, and are stored in a way that the data cannot be changed or altered.

Is Blockchain Safe?

Blockchain does have real risks and is not immune to hacking. There are also ways to obtain information and data that do not require hacking the blockchain. Some threats require a high level of technical skill and a little luck, while other risks are low-tech and can be carried out by common cyber criminals or other malicious actors. What makes blockchain unique is that once a transaction is completed it cannot be undone or changed. Unlike a bank transfer that can sometimes be reversed, once a cryptocurrency is stolen it is usually gone forever. Blocks cannot be changed or edited, so developers would literally have to rewrite history and then create a fork to a new chain of blocks.

Here are a few ways that blockchain vulnerabilities and human error can pose a serious threat.

Outside Vendors and Third Party Applications are a Security Risk

Third-party vendor risks are a common problem, and not just in the blockchain sphere. In cloud storage environments I often see vulnerable middleware that serves as “software glue”, acting as a bridge between applications that may not be fully compatible. This middleware can sometimes create a backdoor into the network or leak data. Similarly, a third-party application for blockchain-based platforms and apps, such as payment platforms or wallets, could create the same type of security risk. Vendor-related blockchain applications or platforms add another layer of potential security and privacy risks where data could be intercepted or exposed during the transfer of information. When it comes to third-party applications, the fewer points of contact between how data is collected and processed the better. I would advise anyone who uses a third-party vendor for their blockchain-based platforms and applications to understand the risks and ensure they are taking proper security precautions.

Endpoints Create a Security Risk

Blockchain is the most secure solution for data management, but it is not immune to cyberattacks or hacking. The concept of a decentralized ledger where the data is spread across many locations makes this information highly secure because it would be nearly impossible to attack all of the locations at once. As with most security threats, once humans are involved there is a much higher risk of errors. The most vulnerable part of the blockchain structure is the endpoint where humans can interact with and access data.

With a decentralized ledger and no central authority, users must be able to access the blockchain from anywhere. This creates an endpoint where a user, company, or organization accesses the data contained in the blockchain of their network. The real threat is outside of the blockchain, where hackers can try to obtain administrative credentials or security keys. Once they have this information they do not need to hack the blockchain; they can simply access the data with full administrative permissions. It is important to have an endpoint security solution on each and every device that has access to the blockchain. This may require using a third-party vendor and doing the necessary homework to find the right cybersecurity solution for you.

Public and Private Encryption Keys

Endpoint security is a major risk in the blockchain and public or private keys can help ensure the data remains secure. Exposing these keys or making them weak and easy to guess defeats the purpose of enhanced security measures. Users must have the correct keys to access the blockchain associated with those specific machines or data. If hackers or cybercriminals obtain the keys of the blockchain system they can access, edit, or even delete the sensitive data that is collected or stored in the blocks.

Cryptocurrency Theft

One of the main targets for hackers and cyber criminals has been the cryptocurrency exchanges that trade and hold cryptocurrencies. Back in Feb 2019 the cryptocurrency exchange platform Coinbase experienced an attack that shocked the crypto world and exposed a massive vulnerability that allowed hackers to steal just over $1 million. Cyber criminals were able to gain control of a portion of Coinbase’s network and rewrite the transaction history. One source claimed that the hacker called the domain registry, pretended to be the owner of the site, and then redirected the domain to another server controlled by the hacker. The site had a keylogging script that captured the private keys users typed into the site, allowing funds to be taken from the victims’ accounts.

Once they altered the history of the transactions, they were able to spend the same cryptocurrency multiple times. This method is called “Double Spending”. According to Wikipedia: “Double-spending is a potential flaw in a digital cash scheme in which the same single digital token can be spent more than once. Unlike physical cash, a digital token consists of a digital file that can be duplicated or falsified.”

Another infamous case is the Decentralized Autonomous Organization (DAO), created in 2016 using the blockchain system called Ethereum. Hackers quickly discovered an exploit that allowed them to keep requesting funds multiple times from the same accounts. There was a logging error that did not tell the system that the money had already been taken. In total the hackers stole an estimated $60 million in cryptocurrency.
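The following added example is not code from the original article or from the DAO; it is a small Python simulation with hypothetical names and constructed balances. It models the behaviour described above, where the record that money had been taken was written only after the payout, next to a version that writes the record before paying out.

```python
# Added illustration: a toy in-memory vault, not Ethereum or DAO code.
# All class, function and account names here are hypothetical.

class LateRecordVault:
    """Pays out first and records the withdrawal afterwards."""

    def __init__(self):
        self.balances = {}   # what the records say each account may take
        self.pool = 0        # funds the vault actually holds

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def withdraw(self, who, on_receive):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.pool < amount:
            return
        self.pool -= amount      # funds leave the vault
        on_receive(amount)       # recipient-controlled code runs here
        self.balances[who] = 0   # record updated too late


class RecordFirstVault(LateRecordVault):
    """Records the withdrawal before handing control to the recipient."""

    def withdraw(self, who, on_receive):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.pool < amount:
            return
        self.balances[who] = 0   # record first
        self.pool -= amount
        on_receive(amount)       # external call last


def simulate(vault_cls):
    """Return (total paid to the re-requesting account, funds left)."""
    vault = vault_cls()
    vault.deposit("depositor_a", 90)   # constructed sample balances
    vault.deposit("depositor_b", 10)
    paid = []

    def request_again(amount):
        paid.append(amount)
        vault.withdraw("depositor_b", request_again)

    vault.withdraw("depositor_b", request_again)
    return sum(paid), vault.pool
```

With the late record, the account that deposited 10 is paid the whole pool of 100; with the record written first, the second request finds a zero balance and the other depositor's 90 stays in the vault.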

Trading cryptocurrency usually requires running a software client, which could also have vulnerabilities. There have been multiple instances of client software having critical bugs that were fixed in secret before they could be exploited. One vulnerability was a bug in the Bitcoin Core software that could have allowed a hacker to mint more bitcoins than the system should allow.

Social Engineering and Crypto Theft

Social engineering is one of the biggest cybersecurity threats we face today and there is no sign things will get better in the near future because it involves humans tricking humans. Theft of cryptocurrency does not always happen because some genius figured out a way to hack into the blockchain and transfer all of the coins to another wallet. It usually happens via social engineering and these criminals make a living at trying to trick people into providing personal information, cryptocurrency keys, or other credentials. Cyber criminals play the long game and try to build trust with their victims.

Many new investors see the rise in Bitcoin or other cryptocurrencies and want to get in on the action. There is a sense of urgency as the prices rise and fall and this creates a perfect opportunity to prey on the emotions of a potential victim. They may not understand the technical aspects of how blockchain works and foolishly believe that simply owning cryptocurrency is 100% secure and they have nothing to worry about. The complex and advanced technology can be a gift and a curse to both novice and experienced investors who could be tricked into providing wallet access to a cyber criminal. The encrypted transactions are secure and use the distributed ledger technology. The danger is adding in the human element and using social engineering to gain the trust of the victim to provide wallet access information. Once money is stolen it can be extremely difficult to recover. There are cryptocurrency and funds recovery companies who claim to help victims of fraud and scams by monitoring and tracking bitcoin transactions. It is unclear just how effective these companies are given the anonymous design of crypto.

Phishing is still a problem

By now we have all experienced a phishing attempt, and the reason that scammers still use this method is that it is successful. Criminals will send fake emails and try to trick or socially engineer victims into sharing their wallet key credentials. Many experts recommend storing cryptocurrency offline when possible and ensuring that it is encrypted.

Man in the Middle Attack

The MITM attack is where a malicious actor gains access to the communication between two parties and then uses the information they exchange. It is possible that hackers can intercept real-time data as it’s being routed through the internet service provider or compromised email accounts or servers. These methods have been used for years in other attacks but the same methods also apply to cryptocurrency transactions. Researchers discovered a vulnerability in a hardware crypto wallet application that could have potentially allowed hackers to change the destination address of cryptocurrency transactions and then funnel those coins into their own wallet.

The 51% Attack Method

The concept of this attack is that a group could band together and try to gain control of more than 50% of a network’s mining power. Once they accomplish this they would potentially have control over the ledger and the recording of new blocks. In 2018, attackers used the 51% method to steal an estimated $20 million from smaller coins such as Verge, Monacoin, and Bitcoin Gold, among others. The method was successful and was blamed on poor security practices by the exchanges. This method also exposed a massive flaw in what has often been described as a hack-proof system.

Regulations

I included regulations because they are a risk to how cryptocurrencies currently operate. India and China have both made moves against crypto and coin mining. The United States has also started exploring ways to regulate cryptocurrencies and put identity requirements on transactions that would eliminate the anonymous nature of cryptocurrency. A top White House cybersecurity advisor claims that crypto’s role in ransomware attacks, sanctions evasion and terrorist financing requires tougher regulation. This could include eliminating unhosted wallets and requiring “know your customer” rules similar to how banks operate. Finally, the IRS and other tax authorities around the world are eager to take a share of your earnings or crypto profits.

Blockchain is Good but not Perfect

In the past many have claimed that blockchain technology is “unhackable”, and this is wrong. As technology changes and criminals use more creative ways to try to hack blockchains or run other scams, we see more vulnerabilities appear. It is unclear just how these weaknesses in blockchain security will affect the future of digital assets. One thing we can all agree on is that hackers are always looking for vulnerabilities and weaknesses in blockchain technology.

There is a lot of interest in blockchain security and using artificial intelligence to prevent hacking. AI could be the solution to quickly monitor transactions or identify suspicious activity that could indicate a blockchain hack in progress. Once the AI identifies an attack it could trigger a localized kill switch or isolate the attack.

Blockchain technology has been praised for security but it is also still vulnerable and not the bulletproof solution many claimed it to be. The combination of software bugs, complex coding algorithms, scams and social engineering all put blockchains at risk.