Kudelski Security hopes the flawed open-source ledger will help users learn about blockchain
Hoping to raise awareness about blockchain vulnerabilities, cybersecurity firm Kudelski Security next week plans to launch the industry’s first “purposefully vulnerable” blockchain – and will demo it at next month’s Black Hat conference.
Kudelski Security’s FumbleChain project is aimed at highlighting vulnerabilities in blockchain ecosystems, according to Nathan Hamiel, head of cybersecurity research at Kudelski.
The flawed blockchain ledger is written in Python 3.0, making it easy for anyone to read and modify its source code, and it’s modular – allowing users to hack and add new challenges to promote continuous learning.
The Kudelski blockchain will be available as both a code download on GitHub and as a demo on the company’s web site, allowing testers to play with its features and learn how it works without having to download code.
“For the most part, blockchains aren’t inherently secure,” Hamiel said. “There’s an entire ecosystem around blockchain, just like there is around traditional applications. Quite often you’ll have vulnerabilities that crop up in places that are rather unexpected. What we wanted to do was create this pre-made blockchain, create this educational framework around it so you can learn more about it and more about blockchain security.”
Open source example
The concept is similar to other open-source projects, such as creating web applications so developers can test their skills attacking them to expose vulnerabilities.
As a write-once, append-many technology, blockchain itself is highly secure, but experts point out the distributed ledger technology does not live in a vacuum. In order to be of use, applications such as cryptocurrencies are embedded into the blockchain – making it vulnerable to certain attack vectors.
At its most basic, the technology is a peer-to-peer-based distributed ledger, or database, organised by a set of protocols combined with a blockchain; in essence, it is a series of encrypted sets of data that record immutable changes over time. While that may be relatively straightforward, how the technology is implemented can lead to a variety of permutations.
“Like most things, the devil is in the details,” said Jack Gold, principal research analyst at J Gold Associates. “Blockchain is a specification more than a technology, and a relatively loose spec at that. …There are various ways to implement it…, so if you implement in a insecure fashion, it can be broken.”
Basket of technologies
James Wester, research director, IDC Worldwide Blockchain Strategies, said he is often tasked with defining blockchain along with a “basket of technologies” that fall under the general heading of “blockchain,” including tokenised assets, cryptocurrencies, crypto wallets, smart contracts, and self-sovereign identity; all of the latter group are applications or architectures that can run on top of a blockchain network, but are not a native part of the technology.
“It’s possible to have relatively smart discussions about the technology without actually knowing some of those differences, so many semi-informed people don’t even bother to learn the terms and technology,” Wester said.
Both public and private blockchains – ones that require pre-approval to join – are natively secure because they are immutable (i.e., each record or block is unchangeable and tied to all others), and adding new blocks requires a consensus among users. (How large that consensus must be depends on the blockchain in use; for some, it’s 50%, for others, it’s more.)
The immutability and consensus requirements of blockchains make them natively more secure than most other networking technologies. But, depending on the architecture and who is running the nodes and where, blockchains are vulnerable to attack, as has been seen time and time again.
While blockchain provides security for the integrity of the data recorded on it, the blockchain alone, without additional technologies or systems, cannot protect against unauthorised access such as a data breach, according to the report from Federal Reserve Bank of Minneapolis.
For example, a recent “51% attack” on the Ethereum Classic token exchange showed why even blockchain is not impermeable to gaming. A 51% attack refers to a bad actor who gains control of the majority of CPUs in a cryptocurrency mining pool. Such attacks are generally limited to smaller blockchains with fewer nodes, because they are more susceptible to a single person seizing control based on a Proof of Work (PoW) consensus mechanism.
Cryptocurrency wallets, which store private keys enabling access to bitcoin and other digital currencies, have also been vulnerable to attacks.
“If you’re a company looking to use blockchain – and not just for crypto currency – the amount of time and effort you put into securing the various components of the ledger and process are key,” Gold said.
Data transparency, or the ability for all parties on a blockchain to view transactions, is part of its appeal because bad actors can quickly be identified if they attempt to add unverified data. That transparency, however, can also be a threat. For example, in a settlement or clearing system for financial institutions where confidentiality may be a key component of security, system data transparency is a security risk, the Federal Reserve report noted.
Blockchain, Hamiel said, is a technology steeped in hype that often leads to contradictory claims: advocates praise it and claim it will change the world while “haters” – no matter what problem blockchain does actually solve – refuse to ever adopt it.
“The truth is somewhere in the middle,” Hamiel said. “There are certainly problems blockchain solves, and I think it’s an interesting area that people have a lot of questions about. People are curious about the technology, but they don’t have a way to easily gain access to information about it without spending a lot of time to learn about it. I’m hoping this solves that.”
IDG News Service