Is Blockchain Secure?

reconnaissance

SecurityTrails Blog · Oct 23 · SecurityTrails team

We know how vulnerable we are on the Internet — from the very day it was created, attackers have been trying to compromise the safety of its users and the confidentiality of their data.

As we covered in our blog post about history and future of web exploiting, there would be no Internet without hackers finding vulnerabilities and exploiting them. The way technology progressed, everyday activities as simple as buying groceries were automatized and performed online. This led to the need for safe online financial transactions, without a middleman who could compromise data being shared.

Blockchain technology has been around for many years now, but only during the past couple of years has the public been really intrigued by its potential. With blockchain technology, we were shown the futures of data storage and finance, but blockchain can affect and transform even more industries and services. To better understand the security potential blockchain has, we need to understand what blockchain is, and all the concepts behind it.

The history of Blockchain — and what it really is

Blockchain 1.0

Throughout early 2000s, several attempts at creating money by solving computational puzzles failed due to their lack of decentralization; they were running on centralized backend systems.

Then in 2008, Blockchain was invented when Satoshi Nakamoto, a person or possibly a group of people whose true identity is still unknown, released a whitepaper resolving the problem of placing a third-party institution in the middle of a transaction. The work was titled “Bitcoin: A Peer-to-Peer Electronic Cash System,” and it introduced us to blockchain technology as we know it today.

When the first cryptocurrency — Bitcoin -was invented, there was a significant need for validation of transactions without third-party involvement

When every transaction is made, it needs to be verified. Transactions are verified by using someone’s computational power to solve a complex cryptographic algorithm, which only a powerful computer can solve using plenty of electricity. The transaction is verified once the cryptographic equation is resolved. And since no equation is the same, the network knows that the transaction is valid once it is resolved.

This is what we call Proof-of-Work and the process itself is called “mining.” After transactions — solving the complex equations — miners are rewarded with a new block.

Since it was created as a public transaction ledger for Bitcoin transactions, it’s still difficult for people to differentiate between the two. It wasn’t until few years after Blockchain’s introduction in 2014 that people began seeing blockchain as a technology on which you could build other applications, and not just cryptocurrencies. Today, we have almost every major financial institution investing in blockchain research, and the majority of banks are testing how they can implement blockchain into their services.

“According to the survey, the consumer products & manufacturing industry has been the fastest to adopt blockchain technology. Around 74 percent of respondents from the consumer products & manufacturing industry stated that their company was in either the experimentation or the production phase of blockchain development.”, claims Statista on their Global adoption phase for blockchain by industry 2018.

Global adoption phase for blockchain

Blockchain 2.0 — Ethereum

Approximately four years after the initial release of Bitcoin and Blockchain 1.0 which provided the underlying technology used behind cryptocurrencies, we witnessed the birth of Blockchain 2.0.

Vitalik Buterin, a writer for Bitcoin Magazine, was aware of Bitcoin’s problems, including its lack of scalability, centralized mining community and being overly slow. He worked on creating something to solve these problems and thus, we got Ethereum, the second-generation blockchain system.

The initial blockchain infrastructure was improved and Ethereum offered Smart Contracts – programs inside blockchain that perform an action based on how it was set up by its creators.

Smart contracts can only execute when an action is triggered, managing agreements (contracts) between users and even storing information such as domain registration information about a web application. They help with reducing the cost of verification and fraud protection while also eliminating moral dilemmas about contracts and their transparency.

What was promised with blockchain 2.0 is a faster and more efficient proof-of-stake protocol.

Proof-of-work had its disadvantages: not only were massive amounts of electricity needed, it also wasn’t a fast operation: every transaction took 10 minutes to be verified by the network, and Bitcoin blockchain could only process about 7 transactions per second, which is very low for a global network. This obviously led to transaction fees being higher.

In proof-of-work, miners were rewarded with a new block after each block was verified. Proof-of-stake works by using a randomized system that determines the creator of the next block depending on how much cryptocurrency the user has, or how much he has “staked.” This means that the miners are not actually mining; they aren’t getting block rewards, they’re simply earning the transaction fee. Here, they are called “forgers.”

How do forgers validate transactions?

First, there are minimum requirements of coins they need to have for an opportunity in staking. Those coins are then put in a wallet that freezes them, and the chances of winning the transaction fees are linked to the amount of coins you have.

Buterin also worked on creating a platform where developers would be able to build applications for and on the Blockchain. These apps are called decentralized applications, or dAaps.

DAaps are designed to run on the peer-to-peer network and no single entity controls them as they are deployed on a decentralized ledger. While their backend code is running on a decentralized peer-to-peer network, their frontend code can be written in any language, just like a traditional app. Another difference from traditional apps is that their frontend code is connected to blockchain with smart contracts.

This is where one of the first blockchain dApps came to play — Cryptokitties, opening different markets and opportunities than the previous generation.

With all the promises and improvements Blockchain 2.0 made, there were still problems such as scalability, being expensive to deploy for businesses, and its lack of immunity to outside interferences. This has paved the way for more blockchain extensions and improvements.

Blockchain 3.0

Blockchain 3.0 was set to the solve issues of its predecessors by offering high scalability, interoperability and cost-effectiveness.

The first thing that separated 3.0 from the others is the concept of the Directed Acyclic Graph, or DAG.

DAG is a directed graph structure that doesn’t have directed cycles, meaning it goes in only one direction, just as with smart contracts.

All applications on DAG are processed on a single block and this leads to all transactions occurring simultaneously, allowing quicker processing time.

After Blockchain 2.0, Blockchain 3.0 wasn’t only set to offer new capabilities, but also to work on creating new markets — meeting demands to include large enterprises.

What 3.0 brought us:

  • M2M blockchain applications – machine-to-machine communication and transmission of data which can be performed both wireless and wired, in contrast to the standard IoT.
  • Layer 2 Services – programming solutions that operate on top of existing blockchains to provide instant, cheap transactions.

We have yet to see what the new technologies being developed will bring us, but offering new capabilities and uses for different markets is certain.

Learn more about newcomers in Blockchain 3.0 technology.

With the ongoing progress of blockchain technology, industries are going into phases of experimentation and finding new ways to implement it. Nobody can be sure of all the new blockchain implementations we’ll see in 2019.

How does blockchain work?

Blockchain is an open, decentralized, transparent ledger that records transactions between two parties, without the need for authentication from a third-party institution. Since it stores data about every transaction that took place, this ledger, a digital file, has a record of the amount of cryptocurrency everyone has. Blockchain makes sure that one piece of data can only have one owner, and that data can’t be copied, only distributed.

Having no middleman during these transactions, it effectively cuts down on costs that are present when we have, for example, banks involved in transactions.

It’s an always-growing list of records, and in blockchain, those records are called blocks. Each of those blocks is timestamped and linked to the previous block. Those blocks are connected together using cryptography, connected with chains, and that allows users to only edit the parts of blockchain that they own — for which they have a private key.

In order to perform a transaction, you need to have a program that will allow you to store and exchange coins — a wallet, and since only you are able to spend those coins, the wallet is protected by pairing of the private and public key. When you combine public and private key, you are generating a digital signature that is used for verifying ownership.

What also makes blockchain secure is that it is a distributed ledger, meaning that components of that system are located on different networks and that storages for the stored data are not connected to the same processor. For this reason, the records can’t be retroactively changed without changing the all other blocks.

Blockchain is decentralized, meaning that storing data in their peer-to-peer network ensures that no data can be held at one centralized institution.

Decentralization means that when a digital file is transferred, it travels across a network of private computers that are there for data storing and data processing. Each of these computers is called a node, and each of them has the copy of that digital file.

Let’s see this in an example:

You want to send your friend X amount of bitcoin. You send a message to the network that your balance needs to be X amount less, and your friend’s that much higher. Each of the nodes will receive the message, check the digital copy they have and update it based on the transaction, sending the message to the next node.

The reliability of blockchain is in eliminating chances for fraudulent transactions being accepted. Hashing is the process in which, through a mathematical algorithm, input of any length is transformed into cryptographic output. For hashing to be useful it needs to be impossible to have the same hash value for different outputs, that the same input will provide the same hash value and that every, even the slightest, change on the input will change the hash.

The question of trust in blockchain security

The security of blockchain depends on things we previously mentioned: the storing of data in blockchain is protected by complex mathematical rules that are extremely hard for attackers to break, there is a unique cryptographic hash for each block and they are protected by consensus protocols.

This is what is said to make blockchain immutable. But the real question is, can anything be truly, and fully, immutable?

The straight answer to that is No.

When talking about the security of blockchain, it is important to know that there are private and public blockchains. Bitcoin, for example, is a public blockchain. Differences between public and private blockchains affect the security both provide.

Public blockchains are joined by people connected to public Internet and anyone can join. Private ones, on the other hand, need to grant access to individuals or organizations to join.

Anonymity is an important aspect of public blockchains, whereas identity is used as means of authentication in the private ones.

Breaking security in blockchain can mean that someone would have to compromise 51% of nodes in the network, which is much harder to do in a larger network such as a public blockchain. On the other hand, ways and routes of distributing information through a private blockchain are more controlled, so it can be a better solution for enterprises.

A bad side to private blockchains is that there is a possibility of not creating an adequately secure infrastructure, and your blockchain and its security does depend on it.

Can blockchain be hacked?

We’ve covered how cryptojacking campaigns target vulnerable websites and steal users’ CPU power, but what about blockchain?

Blockchain is dependent on the cryptography behind it; we have seen that previously impossible-to-break algorithms were broken, so what can guarantee those behind blockchain will not be broken as well? Libraries and algorithms can be attacked and possibly broken.

Wallets, in which users store their coins, can be hacked as well, just as we’ve seen in the incident where the “unhackable” BitFi crypto wallet, as claimed by John McAfee himself, was hacked.

One of the most direct methods of hacking blockchain is to steal private keys. Even if it sound far easier to lose a physical key, people can get reckless and losing few lines of code can happen.

While most blockchain implementations are done thoroughly, there is no way to guarantee its safety. Using blockchain platforms and having developers customize it and write their own smart contracts leaves room for potential mistakes, bugs, software vulnerabilities, and furthermore, security breaches.

The real danger that threatens blockchain are the users themselves. The compromised security of applications, wallets and exchanges can lead to people losing millions, as we learned from the Mt. Gox incident.

Threats to the security of blockchain and its infrastructure are being resolved and worked on constantly – but one thing that can’t be resolved in the same way is perfecting the human responsibility of keeping it safe. Falling for phishing scams, not using strong enough passwords and the incompetence of critical people who work in exchanges and maintain wallets will remain the leading threats to blockchain and its security.

Summary

Blockchain is, no doubt, created as a secure, simple (Occam’s razor) and hard-to-break technology. With newer generations of blockchain coming out faster than ever, we can be sure that there will be more attention paid to possible defects and the implementation of best security practices. Practices regarding private keys and data sharing will also be needed for future generations.

Strong infrastructure, data-privacy compliances and cybersecurity need to be kept in mind when developing improvements to the blockchain we know today.

The education and precaution of people involved in blockchain are also crucial in ensuring a secure environment for everyone.


SecurityTrails has set a goal to offer an API that will not only allow you to access the wealth of cybersecurity data we have, but to also leverage on our API and build your own products.

Sign up for your API key today!