Hacking bitcoin and blockchain
- 12 December, 2017 22:45
It is hard to turn on the television or read a tech blog without getting inundated with stories about bitcoin or blockchain. The biggest reason bitcoin is so popular is its nearly 2,000 percent increase in price over the last year, which made its underlying blockchain technology popular as well, even though blockchain is probably the better long-term bet.
What is blockchain?
Blockchain is a digital log file, cryptographically protected, that secures online transactions. First conceptualized in 1991, bitcoin was the first application to put a distributed, public blockchain into practice. A block is a digital recording of a transaction record, and whatever the blockchain participants agree is needed to validate the transaction. Usually it contains transaction data such as price, action (buy, sell, transfer, etc.), and a timestamp. Every transaction (or series of transactions) creates a block. Each future block contains a cryptographic hash of the previous block (these days the hash is usually SHA-256). In this way, each transaction block is cryptographically locked to the previous block.
If that blockchain is publicly distributed, like bitcoin is, then each participant can verify any transaction in the blockchain. You may not know how much money or wealth a participant has, unless that is included in the transaction record, but you can see the value exchanged between two participants and be able to verify its validity. Any participant can prove the ownership of a particular blockchain account by presenting cryptographic proof that would be very hard to fake (i.e., non-trivial in crypto-speak), but is easy to verify by all participants. The way blockchaining works can be likened to public/private key cryptography, where each participant has a private key that can create signed content that can be easily verified by all the other participants using a related public key.
You can have public, private, and hybrid blockchains, just like in cloud computing. You can create your own, use other blockchains from larger groups with shared interests, or even participate in a public global blockchain, like bitcoin. Although this is a relatively newer functionality, private blockchains can participate with public blockchains, and vice-versa.
Bitcoin to blockchain
Most people’s first introduction to blockchain was bitcoin, the popular cryptocurrency created by a person or group with the nom de plume “Satoshi Nakamoto” in 2008 (I’ll use the pronoun of “he” when referring to Nakamoto even though I believe it was probably a group and not an individual). Nakamoto didn’t invent the concept of blockchain, but he did introduce the concept of distributed blockchaining for decentralized ledgering and verification of transactions around digital currencies. This solved the inherent “double spending” problem of decentralized digital currencies without trusted third parties.
Nakamoto published a paper on metzdowd.com’s The Cryptography Mailing list in October 2008 called Bitcoin: A Peer-to-Peer Electronic Cash System. In 2009, he generated the first block of blockchain and software that anyone could download and cryptographically generate (i.e., mine) a bitcoin. The author of this article downloaded the software during the first few days and quickly generated three bitcoins.
Although the hype and promise of the eventual value of bitcoin was present from the beginning, the first “official” transaction valued 10,000 bitcoins for about $20 in pizza. Today, bitcoins are worth substantially more, over US$16,000 at this writing, with regular, huge volatility swings. The substantial, rapid price increase has gotten the attention of investors and financial sector corporate CEOs, although not usually with affirmation. Many investors are likening bitcoin’s price increases to the famous Dutch tulip bubble in the 1600s, with some investors getting very rich while naysayers stay on the sidelines watching their friends get rich.
The way bitcoin, the software, and the distributed network is created, each slew of newly generated bitcoins makes it incrementally harder to generate the next bitcoin. So, what used to take part of day with one computer now takes thousands of specialized, hardware-specific “miner” computers combined into aggregated networks weeks to months to generate. Today, it takes so much electrical energy to generate bitcoins that the measures are compared to total global electricity use on a regular basis.
By design, it takes not only a huge amount of computing power to create a bitcoin, but also, even though not in the same realm of effort, a lot of computational effort to create and validate a bitcoin transaction. Further, each transaction adds to the size of the blockchain, which continuously grows over time (bitcoin’s blockchain is well over 100 GB), which must be generated and distributed to all participating parties to remain valid. Eventually, a maximum of 21 million bitcoins will be mined by 2140. This self-induced crypto-scarcity is part of what is fueling bitcoin's stratospheric price rise.
Read this discussion, “Cryptocurrencies are a new asset class that enable decentralized applications” to get an expert’s opinion of what bitcoin really is and is really good for.
Bitcoin may be a bubble, but blockchain isn’t
While investors and financial experts fight over the value of bitcoins, no one is arguing over the value and legitimacy of blockchain. The world’s biggest firms have created teams and sometimes entire new divisions dedicated to blockchain. You can create and use blockchains in the cloud or within your own private business.
Companies promoting blockchain see a day when nearly every financial transaction is backed by a blockchain. Blockchaining can make very complex financial transactions solvable in seconds. One multi-national bank blockchain leader (Credit Suisse on CNBC television) said that the average leveraged buyout deal takes a month to finish financially. Using blockchains, he estimated the closing would take a few seconds. He told viewers to imagine how much more efficient blockchaining could make every complex transaction, freeing up workers and capital to be more productive.
Nearly every industry heavy with financial transactions, is rushing to find out how to implement blockchain within their businesses and industries. You name the sector, and blockchain is the hot topic. Computer industry cloud giants, like Microsoft and Amazon now offer myriad blockchain services.
Do a simple internet search on blockchain and you’ll be amazed at the millions of information links and services popping up since 2016. Bitcoin may be in a bubble, but blockchain is on its nascent rise and here to stay.
Hacking bitcoin and blockchains
Early on, many bitcoin and blockchain enthusiasts wondered if the inherent crypto nature of both was sound enough to withstand constant hacking. It didn’t take long to get an answer. Like everything else of value running on computers, bitcoin, other cryptocurrencies, and blockchains have come under frequent successful attacks. Hundreds of millions of dollars have been stolen, people have been cheated, and blockchains ripped off. Here are some of the hacks:
Bitcoin miner malware
Each mined bitcoin makes future bitcoins harder to create. It takes lots of electricity to run and cool the specialized “miner” computers. Electricity is the number one operational cost to a bitcoin miner. For that reason, many bitcoin miners “borrow” resources to mine bitcoins, either at their employer’s locations, or by spreading bitcoin-mining malware. Today, many of the biggest malware botnets are simply to mine bitcoin. Although their intent isn’t the worst, it’s still unauthorized use of a computer or device (they often hijack online video camera equipment and routers), and it costs the victim money. It also slows down the hijacked computers. You stop bitcoin miners like you do any other malware program.
Stolen value stores
Crypto-currencies often store their value in file stores known as wallets. Wallets can be compromised, manipulated, stolen and transferred, just like any other store of value on a computer. Worse yet, people often forget their protective PIN/passwords, or lose the hard drive where the store is located, and often that means the value store is forever inaccessible. Ransomware can cause the same issue. With a regular bank account, you can just use another computer to access your online account where your value sits untouched. Not so with wallets.
Most experts recommend keeping your value in an offline wallet that can’t be accessed by malware or hackers. This can also make it harder to use that value. The offline nature can add days of waiting to use or update the value store. If you use an online wallet, protect it with multi-factor authentication if possible.
There are crypto-currency trojans that sit monitoring your computer waiting for what looks like the format of a crypto-currency account number. When it spots one, it comes awake and replaces the intended account you are transferring value to with their account number. Unless you are very aware of the switch, it will be game over if you hit the Send button.
“In theory, there is no difference between theory and practice. In practice, there is." No one knows who first said this, but it first appeared in print in the 1986 book, Pascal: An Introduction to the Art and Science of Programming by Walter J. Savitch.
Like any crypto implementation, the cryptologic algorithm is almost always far more sound than the program that implements it. In general, blockchaining suffers from any vulnerability or weakness that you might subscribe to any cryptographic solution. A programming bug or lack of good private key security (or bitcoin wallets) can bring the whole thing down. Although this isn’t readily apparent, before you use a crypto-currency or get involved in a blockchain project, make sure the software programmers are applying secure development lifecycle (SDL) processes to minimize bugs.
There have been instances where hackers manipulated the crypto-currency software to steal value. In at least one recent case, the hackers made a coding mistake that not only didn’t allow them to steal any value, but sadly, corrupted everyone’s wallet beyond recovery. The thief didn’t get any money, but everyone was robbed nevertheless.
Known plaintext crib attacks
Good crypto makes the resulting cryptotext look like random gibberish. Theoretically, a crypto-attacker should not be able to figure out what the original plaintext looked like. With any blockchain technology, however, the format of the blocks is fairly well known or easy to figure out. Certain letters, characters, or numbers are always in the same places in every block. This allows crypto-attackers to “crib” a partial representation of the plaintext in every crypto protected block. Plus, every block is a function of the previous block. This weakens the overall protection of the underlying encryption cipher. If the cipher isn’t weak, it isn’t a huge problem, but it does give attackers a starting edge.
Many security experts wonder if SHA-256, which contains the same mathematical weaknesses as its shorter, very much related SHA-1 precedent, is a concern for bitcoin and blockchain (both usually use SHA-256). The answer is not right now. SHA-256 is strong enough for the foreseeable future. More importantly, since most of the world’s financial transactions and HTTPS transactions are protected by SHA-256, when someone breaks it, we’ll have far bigger things to worry about than just bitcoin and blockchains. Although if you’re planning to make a crypto-currency or blockchain, start planning for “crypto-agility,” which is the ability to replace ciphers and keep the underlying program.
Sites get hacked
One of the most common hacking threads surrounding bitcoin, but can be applied to any blockchain project, is how often the centralized website controlling it gets hacked. It’s very common, including one that last week that netted hackers $70 million in bitcoin. Far too many crypto-currency sites managing tens to hundreds of millions of dollars have been successfully hacked. When that happens, the bitcoin value people have built often disappears into the ether. Make sure to back up your value into an offline location.
Some of the biggest hacks have been ascribed to unscrupulous operators who run away with millions in ill-gotten gains. Make sure if you do business with a crypto-currency web site that the site is well secured and trustworthy. The FDIC is not going to bail you out if you lose your deposits, at least not yet.
Large, public blockchains are inherently more secure
One key concept to understand regarding blockchain security is that public, distributed blockchains are inherently more secure than private blockchains. To compromise a blockchain, an attacker must compromise over 50 percent of the participants or blocks, and do so faster than new blocks are created.
Because of that, large, public blockchains are inherently more secure than smaller, private blockchains. Small blockchains can be faster and easier to compromise, especially if all the related “secrets” are stored in one place or company. In fact, many security experts question if single-company blockchains are even needed. They say that blockchain's advantages only occur when they are distributed past a single security boundary. Still, you’re likely to see many private, small blockchains, simply because blockchains have the potential so solve complex financial transactions in seconds, and because smaller blockchains are likely to become components of far larger hybrid and public blockchains.
Every security professional should understand blockchaining and what it means to their current and future career. Even though they are based on very secure crypto, they are going to be hacked just like everything else.