Companies may be rushing to explore the adoption of blockchain distributed-ledger technology, but security experts are warning against taking the plunge without a sharp eye on the security risks that come with it.
Those risks arise from the design of some blockchain-based systems, which allow executable code and scripts to be embedded alongside legitimate transactional data. Ethereum, for one, supports embedded ‘smart contracts’ that can execute sophisticated business rules – or, potentially, destructive embedded malware.
Abuse of otherwise legitimate blockchain implementations remains a threat against consumers who, a new McAfee analysis warns, are “the easiest targets” for blockchain manipulation.
“Due to a widespread start-up mentality, in which security often takes a backseat to growth, cryptocurrency companies often fall in this category… Attackers have adopted several methods to target consumers and businesses using well-established techniques” including phishing, ransomware, cryptocurrency miners, cryptojacking, implementation vulnerabilities, and other technologies.
The Iota phishing scam alone netted more than $US4 million ($A5.25m) for its perpetrators, who developed a cryptocurrency ecosystem but logged users’ private seed codes – which were later used to pilfer otherwise-legitimate crypto funds from their wallets.
Cryptojacking attacks, while not always malicious, drain resources and create productivity problems amongst users whose systems can be dramatically slowed down. And combination attacks like Black Ruby, which paired ransomware with the open-source XMRig Monero mining software, add insult to injury.
Reuse of publicly available exploits accelerates the creation of new malware targeting blockchain: open-source code shortens the development process, and such malware often relies on the fact that a massive proportion of endpoints will have unpatched vulnerabilities that can be exploited.
Other attacks have succeeded by targeting the fundamental blockchain technology itself, although, McAfee notes, “the closer one gets to the core of blockchain technology, the more difficult it is to succeed with an attack. Generally, these threats are much more like exploits of traditional software and web applications.”
Active tracking and patching of issues by Bitcoin’s maintainers have checked the flow of such attacks, with “the discovery of high-severity vulnerabilities related to core Bitcoin tools... offering consumers a sense of confidence.”
For organisational IT managers, the potential exposure to blockchain-related risk – and the new forms of fraud and cybercriminal activity that it engenders – adds pressure to an already-full roster of security challenges.
The relative scarcity of real-world blockchain implementations may be a consolation in the short term: a recent Gartner analysis, for one, found that just 1 percent of CIOs have implemented blockchain within their organisation and just 8 percent were planning or actively experimenting with the technology.
Fully 77 percent of CIOs said they had no interest in what Gartner vice president and fellow David Furlonger called the “massively hyped” technology, and had no plans to look into it.
As blockchain adoption steadily picks up, however, private deployments will need to be constructed and secured with an eye to potential abuses, with underlying code kept current and proactive efforts made to minimise the potential risk of breaches.
Poorly-considered adoption of blockchain could have significant repercussions for the many business processes that are being revisited using the technology – particularly if organisations can’t build a security skillset in line with their blockchain skills.
“The challenge for CIOs is not just finding and retaining qualified engineers, but finding enough to accommodate growth in resources as blockchain developments grow,” said Furlonger in a statement. “Qualified engineers may be cautious due to the historically libertarian and maverick nature of the blockchain developer community.”
“Blockchain technology requires understanding of, at a fundamental level, aspects of security, law, value exchange, decentralized governance, process and commercial architectures. It therefore implies that traditional lines of business and organization silos can no longer operate under their historical structures.”