Blockchain-based Technologies – insecure in any Case?


Blockchain image by Davidstankiewicz is licensed under CC SA 4.0
Blockchain image by Davidstankiewicz is licensed under CC SA 4.0
 / 29. August. 2017

Security of Blockchain based technologies is much-praised but one has to separate between concept and implementation. Only the concept is secure [1]. Especially the security quality of the implementations [2] must therefore be rated by identified security vulnerabilities [3].

This applies to Blockchain functions such as smart contracts, dApps, consensus, transactions, block generation and management, as well as hashes, encryption, and random number generators – not just in executable code, but also in design and implementation. Inspecting the source code is not sufficient [4]. Distributed Denial of Service (DDoS) attacks may be successful against implementations [5] and unauthorized disconnections of nodes from the network as well as invalid contents in transactions.

The used hash algorithms have a huge influence on the security level. Bitcoin uses SHA-2 (SHA-256) and therefore complies with the BSI recommendations (only) until the year 2022. If the hash function is broken, a new software version must be deployed to all nodes and a new Blockchain using the new hash function must be created (hard fork). The trustworthy administration (generation, storage, deletion, etc.), in particular of the associated private keys is the responsibility of each of the individual participants. This includes their secrecy, and also the data backup, e.g. for the digital signature. A public key is used in transactions as a recipient address (Bitcoin).

Attacks against Blockchain implementations are known [6], [7]. Two security vulnerabilities were identified in the Android Bitcoin client “Bitcoin Wallet”. In both cases, the random number generator was at fault [8], [9]. Successful attacks allow to cancel an already incurred transaction or the replay of a transaction (double spend) as well as to block foreign transactions.

When an attacker gets control of network parts or gets access to the network owned by individual subscribers, the attacker can present a Blockchain with alternative blocks to them. A solution to this problem must be considered in the implementation. For consensus,a large number of independent participants is required.

The transaction contents and blocks are deliberately readable by everyone. Block-based technologies with encrypted block data are possible; only in this way confidentiality can be achieved.

An entire protection against Denial of Service attacks is hard to achieve and depends on the underlying network infrastructure.

Secure and stable clients are required for all participants.

In a Blockchain, anonymity can’t be achieved without further measures; only pseudonymity can be achieved. The Blockchain and thus all transactions are traceable (e.g., cash flows). If an initiator of a transaction wants to hide his real IP address he has to use a service like TOR. The EU, however, plans an identification of all Blockchain users by law [10].

These examples show that the implementation of the Blockchain method involves challenges, and the level of security depends in particular on the implementation quality/security quality of the components: Sufficient is only a complete Security Testing Process based on ISO 27034 consisting of the following 5 methods:

  • Security Requirements Analysis,
  • Threat Modeling (Analysis of the Security Design)
  • Static Source Code Analysis (Review of the code)
  • Classic Penetration Testing (Identify already public security vulnerabilities)
  • Dynamic Analysis – Fuzzing (Identify Zero-Day-Vulnerabilities)

[1]   Nakamoto, S.: Bitcoin: A Peer-to-Peer Electronic Cash System.

[2]   Pohl, H. et al.: Sichere Softwareentwicklung nach ISO 27034. KES 24 – 25, 5, 2014

[3]   Common Vulnerabilities and Exposures. Incident CVE-2010-5139 und 11/12 March 2013 Chain Fork Information

[4]   Fefes Blog Mon Jul 3 2017

[5]   Giese, P.: Mysteriöse riesige BTC-Transaktionen verlangsamen Bitcoin-Netzwerk. BTC-Echo 10.3.17

[6]   Karagiannis, K.: Hacking Blockchain.RSA Conference San Francisco 2017

[7]   Blockchain Graveyard

[8]   55 BTC Stolen Through Security Vulnerability in Android Bitcoin Wallets. TradeBlock Aug 11, 2013

[9]   Goodin, D.: Crypto flaws in Blockchain Android app sent bitcoins to the wrong address. 5/29/2015

[10] European Commission: Questions and Answers: Action Plan to strengthen the fight against terrorist financing.

Über den Autor / die Autorin:

Prof. Dr. Hartmut Pohl ist als geschäftsführender Gesellschafter der IT-Sicherheitsberatung zuständig für taktische und strategische Sicherheitsberatung u.a. basierend auf BSI-Grundschutz, ISO 27000-Familie, COBIT, NIST SP 800, ITIL etc. inkl. Forensik