Blockchain Security vs. Media Hype

May 17, 2019 Eric Jeffery
Blockchain Security

Beware of the media hype: blockchain is secure. Blockchain does not get hacked as the media reports. As I’ve written previously, Bitcoin does not equal blockchain, and just because a cryptocurrency exchange suffers a breach and crypto gets stolen does not mean that blockchain is insecure. Time and time again, headlines tell horror stories where millions of dollars are stolen because a blockchain was hacked. This is blatantly false, technologically incorrect, and a complete disservice by media organizations to both cryptocurrency exchanges and blockchain technologists and supporters. Authors owe it to the public to differentiate clearly between breaches, thefts and hacks in Bitcoin, cryptocurrencies, or blockchain.

Most cryptocurrencies, including the most popular brands, Bitcoin and Ethereum, use public blockchain technology as the underlying means for creating additional coins and fostering all transactions involving each cyber currency. Both currently utilize a “mining” method known as proof of work. This means that large numbers of computers compete to solve complex mathematical problems and the winning system receives cryptocurrency as a reward. Having large numbers of disparate systems trying to solve the problem at the same time creates security via distributed processing and control, among other key mechanisms. Laymen and experts alike must understand that cryptocurrency is NOT blockchain and that weaknesses in cryptocurrency implementations do not mean that blockchains lack security.

While criminals routinely target cryptocurrencies directly or via exchanges, the breaches most often discussed involve failures with implementation, weak keys, bugs, and user error, not a built-in failure of the blockchain technology itself. “[A]ttacks did not result from the vulnerabilities in the blockchain itself, but the ways it was implemented by a particular company or initiative”. Cybercriminals target cryptocurrency because of its valuation and liquidity benefits, which are properties of cryptocurrency, not of blockchain. Failures of blockchain implementations are not weaknesses in the underlying technology.

An article published in Forbes at the start of 2019 states “Blockchain is …. just as hackable as any other piece of software – even more so because no one’s in charge of keeping it safe!”. The article refers to the infamous Mt. Gox hack, which was not a hack of blockchain at all; it involved credential theft from an auditor and then the theft of private keys from “hot wallets” that stored this critical information online. The author later states “Blockchain is highly susceptible to being hacked in a wide variety of ways” and then lists three bullets with no evidence of this claim. This article, in a highly acclaimed business journal, epitomizes media hype about an insecurity that does not exist.

Hackernoon wrote an article entitled “Learn Blockchain’s Top 25 Hacks in History” and described flaws with blockchain design and implementation, poor security mechanisms of individual exchanges and users, as well as bugs in code. The article fails to directly mention insecurity in blockchain itself. This article is a good example of detail and a thought-out thesis, although 23 of the 25 examples have nothing to do with blockchain and the other two only hint at cursory possibilities of blockchain insecurity. Had the headline read “Learn Crypto Currencies Top 25 Hacks in History” it would have been accurate. Hyperbole by authors, bloggers, and journalists does a disservice to their readers, perpetuating bad information and continuing a false narrative.

Coin Telegraph mentioned the “Blockchain Bandit” in the headline of their article discussing these Ethereum thefts. While they didn’t create that moniker, their using it exacerbates misinformation. This “bandit” utilized weaknesses in Ethereum implementations related to both a Remote Procedure Call (RPC) and weak key usage. The RPC penetration involved poor design and implementation by certain users, and it’s clearly stated that one should “never, ever allow access to the HTTP RPC API via the internet.” In addition to the RPC breach, the “bandit” identified and took advantage of weak keys in the Ethereum blockchain, “It is worth stressing that those keys were generated due to a faulty code and faulty random number generators.[16]” Both implementation failures led to the Ethereum theft. Neither impacted the Ethereum blockchain, nor do they impugn the viability of security inside of the Ethereum blockchain implementation.
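To make the weak-key failure concrete, the following is an added example, not code from the original article or from any Ethereum client. It sets a constructed faulty generator beside a sound one and adds a sanity check a wallet could run on a freshly generated key; the function names, the 32-bit bug and the `min_bits` threshold are assumptions chosen for illustration.

```python
import secrets

# Order of the secp256k1 group used for Ethereum keys; valid private keys are 1..N-1.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def faulty_keygen(rng_word: int) -> bytes:
    """Constructed bug: a 32-bit RNG word is zero-padded to 32 bytes,
    so only 2**32 distinct keys can ever be produced."""
    return (rng_word & 0xFFFFFFFF).to_bytes(32, "big")


def sound_keygen() -> bytes:
    """Draw 256 bits from the OS CSPRNG and reject out-of-range values."""
    while True:
        key = secrets.token_bytes(32)
        if 0 < int.from_bytes(key, "big") < SECP256K1_N:
            return key


def key_problems(key: bytes, min_bits: int = 200) -> list:
    """Return the reasons a key looks like the output of a broken generator.
    An empty list means no finding, not proof that the key is random."""
    if len(key) != 32:
        return ["not 32 bytes"]
    problems = []
    value = int.from_bytes(key, "big")
    if not 0 < value < SECP256K1_N:
        problems.append("outside valid range 1..N-1")
    # A uniformly random 256-bit value has fewer than 200 significant bits
    # with probability about 2**-56, so this flags truncated RNG output.
    if value.bit_length() < min_bits:
        problems.append(f"only {value.bit_length()} significant bits")
    if len(set(key)) <= 2:
        problems.append("repeated byte pattern")
    return problems


if __name__ == "__main__":
    print("faulty:", key_problems(faulty_keygen(0xDEADBEEF)))
    print("sound: ", key_problems(sound_keygen()))
```

In both cases the chain accepts the resulting signatures as valid; the defect sits entirely in the software that produced the key.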

Coin Desk perpetuated the same falsehood with an article discussing “Blockchains 2017 Disasters” published at the end of that year. As with Hackernoon, this author listed seven (7) examples of hacks that he implied show the weaknesses inside of blockchain. As shown above, this author also confuses blockchain implementations with the underlying technology. In this post the examples involved a software bug and numerous faulty implementations, including email and Slack channel hacks. As a matter of fact, in five of the seven examples, the word blockchain wasn’t even listed. In the other two, neither blockchain mention had anything to do with the hacks. While there is validity in pointing out failed blockchain solutions, it is not appropriate to blame the core technology, especially in the headline.

Yes, cryptocurrency exchanges experience breaches. Yes, human error creates bugs in certain blockchain implementations. Yes, poor blockchain solutions, including certain cryptocurrency deployments, create weaknesses in the final product. These facts do not mean that blockchain is inherently insecure. “Blockchain, the ledger technology upon which bitcoin is based, is very safe and secure.” For media outlets to routinely overreact and blame the underlying cryptocurrency technology does a disservice to blockchain implementations that impact the world and provide massive benefits in distribution, banking, and food safety. Every article mentioned here, and many not listed, commingles cryptocurrency and blockchain; none of them talked about any other blockchain deployment. As I’ve published here before, Bitcoin does not equal blockchain, and people need to look beyond the hype of cryptocurrency and see the real value blockchain solutions provide and deliver. Beware of the headlines, read deeper and understand the truth, not what an author wants to trick you into clicking on.

Disclaimer: “The comments and statements in this article are my own and don’t necessarily represent IBM’s positions, strategies or opinions.”
