When blockchain technology was first brought to the public’s attention, it was lauded on many fronts as “unhackable.” While there are many benefits to blockchain worth noting already, we probably still haven’t seen what its ultimate potential will be. One thing is certain though: It is not unhackable. That reality has been illustrated with increasing clarity to the tune of around $2 billion in cryptocurrency stolen by hackers since 2017.
Recent attacks have seen a shift in focus from public networks, such as the Bitcoin and Ethereum blockchains, to private networks built for the use of large corporations. In theory, the latter should be a more difficult target for a hacker due to their nature as smaller ecosystems where everyone knows one another and intruders have a harder time hiding.
Related: Crypto Exchange Hacks in Review
The reality has been a different matter. As more private enterprise blockchain networks come online, cybercriminals have focused intently on proving that the technology is, in fact, quite hackable. Here’s what they’re doing and how to keep them from getting into yours.
Before we dive into the particulars of recent attacks on private blockchain networks, let’s make sure our terminology is straight. A blockchain simply means a decentralized cryptographic database that exists on linked computers called nodes. Each node keeps an up-to-date copy of the entire database. All nodes have to verify and approve a transaction before it is added to the database.
Thanks to a design based on cryptography, economics and game theory, node owners have a financial incentive through a process called mining to play a straight game rather than try to subvert the system. A correctly designed blockchain database is easy to verify and add transactions to but hard and, more importantly, expensive in computing resources to defraud.
Companies engaged in a variety of activities such as cross-border transactions, digital record storage, and tracking goods and information have had their eye on blockchain for a while now. Blockchain application-building has been a high priority project for some truly massive operations, such as Fidelity Investments and the New York Stock Exchange to name a couple.
What sometimes goes overlooked in the rush to take advantage of the allure of blockchain security and ease of use is that they are essentially trying to tame a Wild West technology and make it play nice in the most corporate of environments.
Easing into the real world
While it is true that one would be hard pressed to recall a single private blockchain network hack that resulted in a real loss, there are reasons for this, and these reasons are in the process of changing. First of all, enterprise-level blockchain apps have been under feverish development the past few years, and only now are a few starting to be rolled out for public use.
In some cases, blockchain has allowed developers to put a new twist on an old idea. The Ethereum-backed security app called Orchid is in the process of taking the traditional idea of a virtual private network, throwing it on top of a blockchain and presto, you’re looking at the next generation of privacy technology.
Expect to see an increasing pace of familiar products and services receiving a similar blockchain boost.
To the average hacker, there was previously nothing on these networks worth stealing, but that is changing. New apps are moving from the research and development stage into production, which means there is now a profit motive. Like detestable flies, hackers are attracted to this new prey. They see it as both a challenge to their skills and an opportunity for easy money.
As time has passed, a few strategies have arisen that allow the unhackable blockchain protocol to be penetrated.
Control 51% and you control the game
The 51% Rule is an inherent drawback to most blockchain networks. The feature that allows this kind of attack is based on the proof-of-work concept in which a transaction must be approved by a majority of nodes, or 51%, in order to be approved and added to the database. If a single entity, in this case an entity with a propensity toward fraud, could somehow summon the computing resources that gave it control of 51% of the nodes, then it’s simply a matter of sending payments and then creating an alternate version of the database in which the payments did not happen.
This type of divergence is called a “fork” in blockchain terminology. Continuing with our assumption that a single hacker controls a majority of the nodes, they could designate the fork as the legitimate database version and continue to spend the same cryptocurrency again and again. As mentioned, collecting together the computing power needed to take over a major currency such as Bitcoin (BTC) or Ether (ETC) works out to a cost of thousands of dollars per hour, according to the site Crypto51.
However, if a hacker decides to go after a smaller, more lightly traded coin, the cost to take over the network drops considerably.
Corporate insider attacks
When it comes to private networks of the kind currently being deployed by major corporations, the most severe danger posed is from those already within the system. In other words, employees, vendors or others that have been invited to the network immediately have access to all the confidential data stored there. This is one design flaw when compared with public networks that needs to change.
On the public side, such as with Bitcoin, developers deploy zero-trust and other security tools to keep sensitive data from falling into the wrong hands and often off the chain entirely. As with traditional private networks, too many companies delving into their first blockchain project think that the main threat is from the outside. Their energy and focus go toward keeping outsiders on the outside, forgetting that insiders can be a threat too.
Philosophical action tip for blockchain design: Trust no one, especially those on the inside. A disgruntled ex-employee with an ax to grind and knowledge of where the nodes are could sell out your network to the highest dark web bidder. One denial-of-service attack and it’s all over. Design for safety from the outside and inside.
Perhaps the biggest danger posed to private blockchain networks is the fact that they don’t have a dedicated community full of members from all over the world that spend their days and nights testing, tweaking and improving the network. By its very nature of being smaller and private, there is no equivalent process in place for vigorous testing. There’s no easy solution here. It’s hard for a single company to generate the same kind of enthusiasm and support as a massively popular cryptocurrency such as Bitcoin.
One current approach is to take advantage of a company such as Kaspersky, which has developed a process for conducting blockchain security audits. Since Kaspersky is Russian-owned, some companies are understandably cautious about letting it take a look behind the curtain, but the idea is still sound. As time goes on and more corporate blockchains come online, expect the auditing and support industry to become more robust.
The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.
Sam Bocetta is a freelance journalist specializing in United States diplomacy and national security, with an emphasis on technology trends in cyber warfare, cyber defense and cryptography. Previously, Sam was a contractor for the U.S. Department of Defense, working in partnership with architects and developers to mitigate controls for vulnerabilities identified across applications.
Joseph Spezzano received a Masters Degree in computer science from The University of Massachusetts. Joseph has been working as a full-time blockchain programmer for the past 5 years. In his spare time, Joseph enjoys writing for CryptocurrencyInvestments.com and traveling.