Blockchain-based Technologies – insecure in any Case?

Blockchain image by Davidstankiewicz is licensed under CC SA 4.0
29 August 2017

The security of Blockchain-based technologies is much praised, but one has to distinguish between concept and implementation. Only the concept is secure [1]. The security quality of the implementations [2] in particular must therefore be rated by the security vulnerabilities identified in them [3].

This applies to Blockchain functions such as smart contracts, dApps, consensus, transactions, block generation and management, as well as hashes, encryption, and random number generators – not just in executable code, but also in design and implementation. Inspecting the source code is not sufficient [4]. Distributed Denial of Service (DDoS) attacks against implementations may succeed [5], as may unauthorized disconnection of nodes from the network and invalid contents in transactions.

The hash algorithms used have a huge influence on the security level. Bitcoin uses SHA-2 (SHA-256) and therefore complies with the BSI recommendations (only) until the year 2022. If the hash function is broken, a new software version must be deployed to all nodes and a new Blockchain using the new hash function must be created (hard fork). Trustworthy administration (generation, storage, deletion, etc.), in particular of the associated private keys, is the responsibility of each individual participant. This includes keeping the keys secret and backing up the data, e.g. for the digital signature. A public key is used in transactions as a recipient address (Bitcoin).

Attacks against Blockchain implementations are known [6], [7]. Two security vulnerabilities were identified in the Android Bitcoin client “Bitcoin Wallet”. In both cases, the random number generator was at fault [8], [9]. Successful attacks make it possible to cancel a transaction that has already been made, to replay a transaction (double spend), or to block other participants' transactions.

When an attacker gains control of parts of the network or gains access to the network owned by individual subscribers, the attacker can present a Blockchain with alternative blocks to them. A solution to this problem must be considered in the implementation. For consensus, a large number of independent participants is required.

The transaction contents and blocks are deliberately readable by everyone. Block-based technologies with encrypted block data are possible; only in this way can confidentiality be achieved.

Complete protection against Denial of Service attacks is hard to achieve and depends on the underlying network infrastructure.

Secure and stable clients are required for all participants.

In a Blockchain, anonymity can’t be achieved without further measures; only pseudonymity can be achieved. The Blockchain and thus all transactions are traceable (e.g., cash flows). If the initiator of a transaction wants to hide his real IP address, he has to use a service like Tor. The EU, however, plans to require identification of all Blockchain users by law [10].

These examples show that implementing the Blockchain method involves challenges, and that the level of security depends in particular on the implementation quality and security quality of the components. Only a complete Security Testing Process based on ISO 27034, consisting of the following 5 methods, is sufficient:

  • Security Requirements Analysis
  • Threat Modeling (Analysis of the Security Design)
  • Static Source Code Analysis (Review of the code)
  • Classic Penetration Testing (Identify already public security vulnerabilities)
  • Dynamic Analysis – Fuzzing (Identify Zero-Day-Vulnerabilities)

[1]   Nakamoto, S.: Bitcoin: A Peer-to-Peer Electronic Cash System. https://bitcoin.org/bitcoin.pdf

[2]   Pohl, H. et al.: Sichere Softwareentwicklung nach ISO 27034. KES 24 – 25, 5, 2014

[3]   Common Vulnerabilities and Exposures. Incident CVE-2010-5139 https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures#CVE-2010-5139 and
Bitcoin.org: 11/12 March 2013 Chain Fork Information https://bitcoin.org/en/alert/2013-03-11-chain-fork

[4]   Fefes Blog Mon Jul 3 2017 https://blog.fefe.de/?ts=a7a45c1a

[5]   Giese, P.: Mysteriöse riesige BTC-Transaktionen verlangsamen Bitcoin-Netzwerk. BTC-Echo 10.3.17 https://www.btc-echo.de/mysterioese-riesige-btc-transaktionen-verlangsamen-bitcoin-netzwerk/

[6]   Karagiannis, K.: Hacking Blockchain. RSA Conference San Francisco 2017 http://bit.ly/2oKP62s

[7]   Blockchain Graveyard https://magoo.github.io/Blockchain-Graveyard/

[8]   55 BTC Stolen Through Security Vulnerability in Android Bitcoin Wallets. TradeBlock Aug 11, 2013 https://tradeblock.com/blog/security-vulnerability-in-all-android-bitcoin-wallets

[9]   Goodin, D.: Crypto flaws in Blockchain Android app sent bitcoins to the wrong address. 5/29/2015 https://arstechnica.com/security/2015/05/crypto-flaws-in-blockchain-android-app-sent-bitcoins-to-the-wrong-address

[10] European Commission: Questions and Answers: Action Plan to strengthen the fight against terrorist financing. http://europa.eu/rapid/press-release_MEMO-16-209_de.htm

The Author: Prof. Dr. Hartmut Pohl is the CEO of the IT security consulting company softScheck GmbH, Cologne / Sankt Augustin, Germany, offering tactical and strategic security based on BSI base protection, the ISO 27xxx family, COBIT, NIST SP 800, ITIL etc., including forensics; the company identifies in particular previously unknown zero-day vulnerabilities. softScheck accepts digital currencies.
