Through a Glass, Darkly: Security, Bitcoin, and the future
Dr Richard Ford, Chief Scientist at Forcepoint, looks at attackers targeting vulnerabilities in cryptocurrencies.
I enjoy so many things about my role as Forcepoint's Chief Scientist, but one of my favorite annual tasks is to assist the research team in trying to peer into the future, and highlight what the next year might bring for Cybersecurity. We recently published our entire 2018 predictions report, but for this article I'd like to talk about one of my favorite predictions: that attackers will target vulnerabilities in systems which implement blockchain technology associated with digital currencies. Given the meteoric rise in the value of these networks (as I write, Bitcoin's price is sitting at record levels) the team thought this one could be big and have implications for how we think about cryptocurrencies in general. I'd like to expand on that prediction here, but as any futurist will tell you, trying to see into the future is a risky business.
Understanding our cryptocurrency prediction requires a little more discussion about the "revolutionary" technology of blockchains, which proponents insist will transform commerce, solve all our cybersecurity woes, and also, I hear, cure the common cold. Alas, the truth as always is much more complex.
Most people don't really understand what blockchains are, most people and they tend to conflate them with digital currencies. That's a mistake, as it's a bit like confusing a cog with a watch: most watches contain cogs, but they are not the same thing. Similarly, most cryptocurrencies are based upon blockchain technology; these blockchains provide a foundational trust mechanism for the currency itself. Essentially, for the purposes of this article, you can think of the blockchain providing a shared, immutable ledger that solves what we call the "double spending" problem: as a cryptocurrency is digital, without some protections there's nothing to stop an attacker from copying a crypto-coin and spending it with you and also with someone else.
Now, all that sounds wonderful, but this is where cold harsh reality sneaks back in: that large pile of value is an attractive target for hackers. Unlike money stored in a bank which is insured, with a cryptocurrency, once it's gone, it's gone: the very decentralization that makes currencies like Bitcoin so attractive can also be a source of risk.
One of the problems we're already seeing in this space is malware that aims to empty the cryptowallet of money holders. This malware leverages the properties of the underlying system to the hilt, as once the money has been moved, it's long gone, not easily traceable, and easy to move time and time again. This attack pushes on what I consider to be one of the weakest parts of the blockchain: the system can't know easily that a block is legitimate at time of entry, but it can tell if the block was altered later. Thus, all that blockchain goodness can't tell that I didn't mean it when I (or a piece of software acting without my permission) move those Bitcoins from my account to yours. A recent example of malware that does exactly this is Quant, which we blogged about in December. It provides attackers with a pre-packaged cryptocurrency stealer, designed to target various cryptowallets. This is part of a larger trend: December also saw the (successful) attack on Nicehash, where attackers allegedly made off with tens of millions of dollars' worth of Bitcoin.
In addition to attacks on cryptowallets via malware or other hacks, these systems are susceptible to all the same types of credential attacks you're familiar with already...worse yet, should you lose your wallet without a backup, you have no way of proving ownership of those assets, and so they are essentially gone forever. A recent example of this is the story of James Howells, an IT worker from Newport, who believes he accidently threw away a hard drive with 7500 bitcoins on it, which are now buried in a landfill. If the drive can't be located, the coins are gone for good – with a price tag of well over $80,000,000 at today's exchange rate. There's no safety net, without compromising some of the properties that make the cryptocurrency valuable in the first place.
This is only the tip of the iceberg. Just as we see attacks on "real" commodities which attempt to manipulate price, there have been reports of DDoS attacks that attempt to drive down the attractiveness of a particular currency. Manipulate the market, make money...and the market itself is incredibly volatile. The coming introduction of a futures market for bitcoin will only exacerbate matters. It's an open question as to how many more thefts or attacks would be required to shake people's faith in the currency.
As if these technical concerns weren't enough, I would argue that cryptocurrencies pose a direct challenge to the status quo for governments. Countries provide services via taxation, and so having a method for anonymously moving large sums of money around is an existential threat to this governing system. Obviously, the amount of the economy using cryptocurrencies right now is tiny, but imagine if it were to grow: anonymous, safe transactions for all. That's a headache for taxation. Historically, such threats are met with legislation, and our track record with attempting to legislate technology is less than stellar. Ill-considered or overly-broad laws could dramatically change the availability and acceptability of cryptocurrencies worldwide, with corresponding impacts on valuation.
Finally, I would be remiss if I didn't point out that the cryptocurrency market is not just one thing right now – it's lots of competing systems and they are not equal. The value held in each of these systems is primarily due to the value placed on the system as a whole. Under the hood, systems like Bitcoin and Ethereum are all about managing trust, and enabling disintermediation of traditional trust brokers. In that sense, they are valuable and revolutionary...but the real value is hard to judge. In the chaos of initial coin offerings, confusion, and hype, it's extraordinarily unclear to me what the "right" price for these resources should be or which system will end up winning. For any particular cryptocurrency that value is clearly not zero, but where it should lie...that's anybody's guess. I'm sure when we look back at these times, the final outcome of cryptocurrencies will appear to have been obvious, but for now, we see the future as if through a glass darkly. We can be sure, however, that it's going to be an interesting ride.