By some estimates, blockchain technology companies can expect revenue to top $6 billion by 2020. That’s the good news. The bad news is that actual earnings may be impacted, or even crippled, if blockchain security vulnerabilities remain a sidenote to the conversation on distributed ledger technology (DLT).
Security vulnerabilities? What security vulnerabilities?
The notion that blockchain security is even an issue at all comes as a surprise for some. And therein lies the danger. While the security features inherent in blockchains make DLT resistant to attack, they do not make it immune. In fact, DLT is subject to a number of issues that centralized databases are not.
Yes, blockchain is eons beyond competing database architectures in terms of keeping data secure, but that is not the end of the story. Blockchain security risks do exist, and they must be recognized and mitigated if blockchain is to keep its promise to transform how data is stored and acted upon.
As more governmental, industrial, and commercial sectors adopt shared distributed ledger technology (DSLT), the need to address these issues sooner rather than later becomes paramount. Key to action, though, is creating awareness, which is the purpose of this post.
1. Endpoint Vulnerabilities
One of the most likely vulnerabilities with DLT originates outside the blockchain itself. Termed “endpoint vulnerabilities,” these issues nonetheless reflect on the security of blockchain technology as a whole and so they must be addressed.
Endpoints, just as you might expect, are the spaces where humans and blockchains meet. For the most part, endpoints are the computers that individuals and businesses use to access blockchain-based services. Whether providers of such services are financial institutions, industries, or cryptocurrencies, the use of a blockchain begins with information being inputted into a computer and ends with information being outputted from a computer. It is during the process of accessing the blockchain that the data on the chain is most vulnerable.
The reason comes down to the credentials that are required to access a shared distributed ledger, and how those credentials can be exposed by security weaknesses at the endpoints. While there are blockchain limitations, this is more of a limitation of the user, as we shall see.
Public and Private Key Security
Access to a blockchain requires both a public and a private key. Keys are cryptic strings of characters of sufficient length to make the odds of guessing them truly astronomical. Since it is essentially impossible to access data within a blockchain without the right combination of public and private keys, this represents the strength — and the weakness — of blockchain technology. Without the right keys, no hacker will be able to access your data ever. On the other hand, all a hacker needs is the right keys to access your data and do with it what they will. In the world of the blockchain, possession of keys and ownership of content are totally synonymous.
Since hackers know there is no use in trying to guess anyone’s keys, they focus a great deal of their time on stealing them. The best chance of obtaining keys is to attack the weakest point in the entire system, the personal computer or mobile device.
The same security vulnerabilities that make computers, Android, and Windows mobile devices susceptible to malware also make them targets of blockchain hackers. Anytime blockchain keys are entered, displayed, or stored unencrypted on such devices, the prying eyes of hackers can capture them. Unfortunately, most of us make the hacker’s job far easier than it needs to be by failing to adequately protect our devices.
The following simple steps are highly effective at keeping hackers from stealing your blockchain keys:
- Use a good antivirus for Windows and Android devices, and make sure you keep both AV and operating systems updated.
- Run anti-malware scans regularly.
- Never store your blockchain keys in a text file, Word document, or other file where they can be easily read by an unauthorized person. If you must store your keys on your device, use a reputable encryption application to keep them safe.
- Never include either of your keys in the body of any email to anyone for any purpose. If you must share via email, use the email feature of your blockchain wallet.
Just as keeping all the rest of your data safe from hackers requires a common sense approach, it is easy to keep your blockchain keys from leaving your computer or mobile device by taking a few simple steps.
2. Vendor Risks
A distributed ledger is of no value unless we can move information into and out of it. As DLT gains more adoption, the market for 3rd-party solutions will experience tremendous growth. We can expect to see 3rd-party development within the blockchain ecosystem within these top six areas:
- Blockchain integration platforms
- Payment processors
- Blockchain payment platforms
- Smart contracts
The requirement for DLT solutions has created burgeoning new markets for blockchain development. It has also created the potential for surface exposure through vendor risks. Organizations wishing to deploy 3rd-party blockchain apps and platforms must be aware that the security of their blockchains is no greater than the trustworthiness of their vendor.
Weak security on a vendor’s own systems, flawed code, and even personnel vulnerabilities can expose its clients’ blockchain credentials and data to unauthorized persons.
The threat from vendors is especially true when the product involves smart contracts. Since an organization’s entire operation can, to a greater or lesser degree, reside as a smart contract on a blockchain, a vulnerability here can be catastrophic.
Avoiding vendor-related blockchain weaknesses requires a thorough vetting of every vendor who would contribute to your blockchain ecosystem. Experience and reputation are the key factors that should help you separate those who can help build your business from those who could bring it crashing down.
3. Untested at Full Scale
One of the key blockchain security concerns is one that many in the industry would prefer to not think about: what happens at full scale?
DLT architectures are inherently scalable. In fact, every time any change whatsoever is made to the blockchain, it scales up. After a certain number of changes, it scales up by one data block. To date, there have been no significant security issues arising from the organic expansion of blockchains. However, the Financial Stability Oversight Council (FSOC), a US government organization, isn’t so sure that will remain the case.
According to the FSOC, the growth of blockchains poses at least two risks that are associated directly with the blockchain:
- Since the blockchains of today are as large as they have ever been, we are approaching unknown territory with every gigabyte of expansion. The limited experience of the DLT industry means limited experience identifying and responding to problems. As with every technology, from airplanes to autonomous cars, experience comes at a price. The price for a blockchain security failure has not yet been high enough to require a major change to the system, which is both good and bad.
- The FSOC is also concerned that blockchains could be susceptible to fraud, if a significant number of participants conspire against the rest of the participants. Known as a majority attack, or as the 51% problem, this theoretical threat could materialize, considering that a large number of mining farms are built in nations where electrical power is cheap, and oversight questionable.
The blockchain security challenges exposed by the FSOC are valid. As for the danger of the unknown, the only solution is for every participant in the blockchain ecosystem to exercise best practices in all regards when developing or using distributed ledger technology. Mistakes are inevitable, and for those who make them the price will be high. However, the only way to gain experience with DLT is to forge ahead, albeit as wisely as possible.
Keeping the consensus architecture from being corrupted is probably not as hard as it might seem. Well-designed smart contracts are more than capable of preventing such collusions from occurring.
4. Lack of Standards and Regulation
According to Forbes, among many others, one of the primary blockchain security issues is the lack of regulation and standards.
The mere mention of either regulations or standards puts blockchain purists on high alert. Isn’t blockchain the antithesis of governance and compliance?
If you are talking about Bitcoin and cryptocurrencies, a valid argument can be made that they should continue to enjoy the anonymity that fueled the very growth of blockchain. While some — especially government regulators and legacy financial institutions — will argue that even cryptocurrencies must be regulated, a sizeable number of participants will staunchly oppose such notions.
However, the anti-authoritarian approach has no place in most of the sectors where blockchain innovation is the greatest.
If we refer back to the second vulnerability discussed in this post, Vendor Risks, it becomes difficult to see how any of the 6 applications mentioned could not benefit from some level of standardization, if not regulation.
The lack of standard protocols means blockchain developers cannot easily benefit from the mistakes of others. With each company, each consortium, and each product operating by a different set of rules, the risks that come from nonstandard technology of any sort are present.
Further, at some point, chains may need to be integrated. Lack of standardization can mean new security risks as diverse technologies are merged.
The solution to the question of standards and regulations is more complex than that of most of the technical issues. However, these questions will eventually resolve themselves. Similar to many other technologies, evolution will ultimately bring about the following arrangement:
- Forced regulation and standards where it makes sense.
- Self-imposed regulation and standardization among consortiums in areas where innovation is necessary.
- No regulation or standardization for blockchains built in-house and only used internally within the organization.
5. Untested Code
Despite the nearly 8-year history of Bitcoin, blockchains not dedicated to cryptocurrencies are still heavily experimental. As such, some DLT creators are tempted to deploy insufficiently-tested code on live blockchains. One now-infamous example is that of The DAO attack.
Here’s the background.
A “DAO” is a Decentralized Autonomous Organization built on the blockchain, which exists for the purpose of executing code for venture capital smart contracts. You might say a DAO is a crowdsourced venture capital fund built and existing entirely on a blockchain. There are many DAOs, each built to host and execute smart contracts for specific organizations. A more in-depth explanation of what a DAO is can be found here.
One such DAO, known as “The DAO,” was founded in 2016 by members of the Ethereum team. During its creation period, The DAO made crowdfunding history by raising $150 million. Shortly thereafter, The DAO made history, again, by being the first DAO to be hacked.
During the crowdsale, many members of the Ethereum community expressed concerns that the DAO code was susceptible to attack. Subsequently, one of the DAO found a “recursive bug” but erroneously believed that no DAO funds were at risk. A hacker proved him wrong.
The hack resulted from the attacker exploiting two vulnerabilities in The DAO code. The hacker knew that the code was designed to allow both a split, and a transfer of tokens between accounts. The hacker also realized that the code would not update account balances fast enough to prevent transferring the same tokens more than once.
The result? The hacker executed a split function, creating a “child DAO” account, and made repeated transfer requests from their first account in rapid succession. Since the code did not decrement the original account balances after each transfer, there was nothing to stop the same tokens from being replicated about 40 times each, without the original tokens being destroyed.
After transferring $55 million worth of Ether, the hacker ended the attack for reasons still unknown to the rest of us.
In the end, The DAO was devalued by a third, and blockchain technology became the subject of articles such as this.
There are at least two good solutions to this type of exploit:
- Heavy peer-review of code before deployment.
- Smart contract testing performed by independent testing facilities.
Either of these actions would have identified the flaws that resulted in The DAO hack. Either will also prevent similar and worse scenarios for future innovators.
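The kind of test such a review would run, as an added example that is not The DAO's code or anything from the original article: a simplified Python model of a payout routine that pays before it records the debit, next to the corrected ordering, with a regression test that re-enters the withdrawal while being paid. The `Vault` class, `replay_test` function, account names and amounts are all constructed for illustration.

```python
# Simplified model of the flaw described above (constructed; not The DAO's code).
class Vault:
    """Holds deposits; `safe` selects the order of payout and bookkeeping."""

    def __init__(self, safe):
        self.safe = safe
        self.balances = {}
        self.pool = 0  # total funds actually held by the vault

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def withdraw(self, who, on_receive):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.pool < amount:
            return
        if self.safe:
            self.balances[who] = 0   # record the debit before paying out
        self.pool -= amount
        on_receive(amount)           # recipient-controlled code runs here
        if not self.safe:
            self.balances[who] = 0   # too late: the recipient already re-entered


def replay_test(safe, rounds=40):
    """Regression test: the recipient calls withdraw() again while being paid.

    Returns (total paid to the tester, funds left in the vault)."""
    vault = Vault(safe)
    vault.deposit("others", 1000)    # constructed sample balances
    vault.deposit("tester", 10)
    received = []

    def on_receive(amount):
        received.append(amount)
        if len(received) < rounds:
            vault.withdraw("tester", on_receive)

    vault.withdraw("tester", on_receive)
    return sum(received), vault.pool


if __name__ == "__main__":
    print("pay-then-debit:", replay_test(safe=False))
    print("debit-then-pay:", replay_test(safe=True))
```

A test like this fails as soon as the tester account receives more than its own deposit, which is the condition a pre-deployment review needs to rule out.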
How Ignite Can Help
Blockchain technology has proven itself robust and secure. This does not mean that there are not blockchain technology problems that can affect the security of the entire ecosystem.
Obviously, there are.
Navigating the highly complex world of blockchain development requires a thorough understanding of the security issues and how to mitigate them. Ignite stands ready as your technology partner as you add blockchain integration to your verticals.
Why not contact us today for a no-cost consultation?