#RSAC: Hacking Blockchain

#RSAC: Hacking Blockchain

Speaking at RSA Conference 2017 Konstantinos Karagiannis, chief technology officer, Security Consulting, BT Americas said that the internet evolved without security in mind, and now we’re paying the price. However, with nascent blockchain technology, we have the opportunity to get security right through a proactive, deliberate approach.

Blockchain is a technology through which parties exchange data that gets lumped into a block of what Karagiannis explained as “transactions that are computationally impractical to reverse.” That block is identified with a hash which refers logically to the block before it, thus the chain. If a new block is validated by “miners”, it is added to the majority chain, but if an altered block is submitted, the hash gets changed and everything else is rejected. This model is designed to make transactions transparent and trustworthy. 

Karagiannis noted that chains get exponentially harder every four years, thus increasing the value of prior transactions. The best known blockchain to date is the digital currency Bitcoin, which increased in value because it is difficult to make. Yet the blockchain concept lends itself well to other applications, like managing digital assets such as music, confirming identity, proving verifiable data such as titles to a house and smart contracts.

Effective attacks on blockchain began as Bitcoin’s popularity increased. Citing examples such as 1 Return, Mt. Gox and Gatecoin, Karagiannis explained that “Attacks have not been against the concept, but the implementation.” To that point, the Bitcoin wallet site Coinbase is the most heavily insured of all Bitcoin purchase sites, but only for attacks against the back-end blockchain system. If there is a user-specific problem, such as a lost phone or compromised password, it’s the user’s problem. There is no FTIC backing up the investment. Karagiannis claimed Android phones are most susceptible due to poor security updating in all but newest devices.

His bigger concern, however, is if blockchain is being “built on a digital house of cards”, due to the use of public encryption keys that are exposed in transactions and susceptible to cracking by ECC (Error Correction Code) with quantum computing. While his ensuing physics lesson left most heads in the room spinning (including making a case of the use of Lamport signatures to stop gap this vulnerability), his bottom line was that “too many people are adopting block chain and NOT allowing for this issue,” raising the specter of having to start over at some point to get blockchain security right.  

His recommendations?

As soon as possible, organizations should review any blockchain applications in development or use to make sure blockchain is the appropriate technology, considering security, data permanance and other technology alternatives. This should include verifying if the application is an overlay to proven blockchain and protocol, or something new and experimental, which increases risk. 

He also recommended testing the application security, performing ethical hacking engagements to uncover flaws, and choosing vendors that have real blockchain experience, rather than those looking for proving grounds. 
Karagiannis concluded with a request to the broader blockchain community to contribute to the future security of blockchain technology through having developer resources “give something back” and supporting NIST’s call to arms to develop post quantum crypto solutions for PK. 

Source: Information Security Magazine