/*

Blockchain, the technology underlying cryptocurrencies like Bitcoin, Blockstream, Ethereum, Ripple, is considered a phenomenon by its proponents and is touted as a solution to all of the inefficient information processing systems. Critics, however, remain wary of its applications and socio-economic benefits. Either way, Blockchains and their applications are expected to grow exponentially, thereby urging us to question their security challenges and risks.

Blockchains are in part a computing infrastructure, a transaction platform, a decentralized or distributed accounting ledger, and a peer-to-peer network. They are considered to be reliable, transparent (to an extent), autonomous, and immutable. Blockchain also evokes trust among its users via mass validation and secure authentication, while providing integrity and confidentiality.

In summary, blockchains seem to pose the capabilities that could disrupt the Internet as we know it (IPFS as a replacement for HTTP). However, as with any technology, there are grave challenges and risks associated with it. In part two of our series, we’ll delve into specific security challenges and risks that blockchains face.

In part one, we’ll illustrate the security challenges that plague blockchains. While each specific implementation or use case of a blockchain brings its own security challenges and risk implications, there are, however, some common challenges.

Blockchains and their applications have uncertain legal and compliance requirements due to their distributed nature. No known nation has any defined rules or regulations regarding them. Additionally, current security standards and regulations also seem ambiguous in a blockchain ecosystem and pose a formidable challenge in implementing the same technically. For instance, GDPR (General Data Protection Regulation) requires companies to implement “right to be forgotten” regarding data collected from EU citizens. This, however, can be grueling to implement considering its distributed nature (multiple parties have the data from the ledger and would be difficult to track and delete all concerned data).

Also, security policy implementations such as incident response management, vulnerability management, etc. would be hard to document and implement considering the distributed nature of blockchains. For instance, ensuring timely patching of all instances of the blockchain in a consistent manner would be difficult and poses unique risks to organizations that implement blockchains.

Finally, with increasing range of blockchain offerings, there exists the unique challenge of constructing a detailed threat model on which organizations can perform a risk assessment. The extent to which a compromise can impact the overall blockchain ecosystem is still quite unclear considering it also lacks the clarity of oversight and auditability that most traditional centralized systems offer.

Technical Challenges

  • Blockchain harbors unique operational constraints. For instance, centralized logging and monitoring are essential for enterprise environments but have not been addressed in blockchains.
  • Blockchains have inherent issues pertaining to scalability, latency, storage, and performance in their current form.
  • Blockchains have a large attack surface. Their distributed nature allows confidential information like payment data to be replicated in a number of places, potentially offering hackers more places to get their hands on it.
  • Blockchains have interoperability challenges. Using different distributed ledgers will likely bring the need for data sharing between them. Exchanging data will require translation of formats and protocols, which currently are in the nascent stages.
  • Unlike traditional systems, where a server administrator is capable of tracking attempted break-ins into a customer or user account, in blockchains, a malicious user can try limitlessly to decrypt or try to reproduce a private key associated to a given ledger. Tracking attempted break-ins with blockchain is close to impossible, and one is not aware until after the hacker has succeeded.
  • The veracity of each entry in blockchain rests on who controls the private key for each compromise of the private key can jeopardize portions of the blockchain and the data it holds.
  • Lack of tools to combat illegal activity. Though it might be possible to identify who owns an address used for money laundering, despite attempts at obfuscating the transaction, it is not possible to block these types of transactions in advance.
  • The consensus-based nature of adoption combined with the cross-application and industry aspirations of blockchain technology means protocols may not evolve sufficiently fast or in correlation with more complex business needs.
  • Another challenge that arises with users is that the blockchain network could be more trustworthy than the machine used to access it. Though the record of the transactions would be verifiable, the intent to perform that transaction might not be.
  • Reverting previous actions or fraudulent transactions in a decentralized chain is not easy, and its ramifications are uncertain as well.

Keeping in the mind the challenges that blockchains bode, it is recommended that organizations determine if their application truly requires a blockchain implementation or not. If it does, it is best to follow known security implementation standards for applications and cryptographic implementations. Additionally, ensure to use multiple signatures for authorizing and processing transactions; use standardized libraries for smart contracts (Smart contract security best practices), and use post-quantum crypto such as SPHINCS as a future-proof solution against quantum computing.

References

Vishruta Rudresh

Vishruta Rudresh

Senior Cybersecurity Researcher at Kudelski Security
Vishruta Rudresh is a Senior Cybersecurity Researcher at Kudelski Security focusing on fundamental new approaches to IoT and OT environment security, including but not limited to machine learning, edge device decision making, and low power environment security.She has been working in the Information Technology industry since 2011 specializing in IoT security, malware reverse engineering, system and application administration, incident response, digital forensics and mobile security and has a masters degree in Information Technology-Information Security from Carnegie Mellon University.
Vishruta Rudresh