Cyber Threats on Blockchain

What is Blockchain?

Blockchain is a decentralised ledger, or list, of chronological transactions stored in a distributed network of connected computers or nodes. Each new set of transactions, called “block”, is recorded and cryptographically linked to the previous block, forming a chain. It works like a database (ledger) with some additional features as follows:

Decentralisation – the power of control and decision-making is transferred from the centralised authority to a distributed network;

Transparency – every transaction is visible to all authorised parties with access to the network;

Immutability – the data in a blockchain remains unchanged and protected from any modifications;

Consensus – the validating nodes agree on a common set of validated transactions before being added into the blockchain;

Traceability - records in the blockchain are in chronological order to enable traceability of the records.

Depending on the specific application requirement, a blockchain can be (i) public (permissionless) where everyone can participate and join the network, or (ii) private (permissioned) where only a group of users or computers can join the blockchain network.

Illustration of the mechanism behind blockchains

Application of Blockchain in Hong Kong

This emerging technology has attracted much attention in recent years and there are already quite some applications around the globe. In particular, there are some use cases in Hong Kong to enhance efficiency and the workflow in various business areas:

Trade finance platform - Participants and their trading partners can conduct trades and trade financing through sharing of information in secure, efficient and user-friendly ways.

Motor Insurance Authentication System – The system provides real-time authentication of motor insurance documents for multiple stakeholders including policyholders, insurance companies and government departments.

Property valuation service – Banks can leverage the data traceability and data accuracy of blockchain technology to streamline the validation process of valuation results in a cost-effective way, while property surveyors can digitalise the workflow and go paperless.

Property agency service – A property agency has launched a real estate secondary market blockchain platform with an aim to bring about digitisation in the industry and provide convenience for customers.

Blockcerts platform – A tertiary education institute has launched a Blockcerts platform, a trust-free, user-friendly verification system for documents such as graduation diplomas and academic transcripts, to promote a paperless and sustainable campus, and tackle the problem of fake diplomas.

Blockchain enhances data integrity and availability

This nascent technology also helps reduce security threats from the traditional CIA (confidentiality, integrity and availability) security model perspective, except confidentiality:

Ensure data integrity - Each “block” is tagged with a hash of the prior block. The hash is a fixed-length encrypted code generated based on the transaction data, and the blocks and their associated hashes are stored across the nodes. Tampering even a single transaction data in the middle of the blockchain means intensive re-calculation of the hash for subsequent blocks to cheat other nodes in the network. Based on the agreed consensus mechanism, any changes in the data or hash in a node will be discovered by the rest of the nodes. As such, any attempts to manipulate data in the blockchain will be very difficult.

Illustration of how blocks are added to the network

Illustration of how blocks are added to the network

Enhance availability - Multiple copies of blockchain are stored in different nodes. In case a node is down, copies of the chain in the rest of the nodes are still available. This avoids single point of failure and mitigates the threats of disruption of operation by DDoS attack.

Other than enhanced security in integrity and availability, blockchain also provides features like transparency and pseudonymity:

Transparency and Pseudonymity - The decentralised ledger in this technology also makes it transparent to every member in the distributed network. Every transaction is visible to others with access to the network. Each node/user has an alphanumeric address for identification and they can choose to be anonymous to each other.

Cyber Threats on Blockchain

While blockchain technology produces a tamper-proof transaction ledger, it should be noted that blockchain is not immune to all cyber attacks. Thorough governance, access control, system design, security controls, best practices and procedures in traditional systems should also be taken into account carefully when implementing blockchain applications. Some potential cyber threats or issues may be:

Lack of proper governance - There should be proper governance and well-defined business requirements for a blockchain, e.g. what are the relevant regulatory requirements and how to meet those requirements, should the blockchain be permissionless or permissioned, which parties should have access control/privilege to the blockchain if permission is required, which parties should decide to change the code of the blockchain system, etc. Governance risks arise primarily from the blockchain’s intrinsic decentralisation feature which requires strong controls over decision criteria, governing policies, identity and access management. If proper governance or business requirement is not clear enough or in place, attackers may gain excessive access privileges to the blockchain and this may result in data loss, service disruption and denied access.

Risk of untested codes and smart contracts - Smart contracts are programs including both data and codes in a blockchain that are executed automatically when certain conditions are met. If smart contracts are not tested thoroughly and properly, errors or vulnerabilities may be introduced which may in turn lead to validation of incorrect contracts or transactions.

Loss of private key – the blockchain architecture adopts public-key cryptography where a user’s private key, which is used to read the encrypted data in a blockchain, cannot be recovered if it is lost. Furthermore, if an attacker steals the user’s private key, the attacker can tamper this user’s account and it is difficult to trace or recover the modified blockchain information.

Endpoint vulnerability – the endpoint device used by a user to access the records of a blockchain system could be the target of an attacker. If the endpoint device is compromised, the user’s private key and the data inside the blockchain system would be at risk.

Security Considerations for Implementing Blockchain

Below are some but not an exhausted list of security measures and controls to mitigate the risks in blockchain projects/systems.

Governance – Define and put in place proper security governance to ensure the project/system is in compliance with regulatory and business requirements.

Enforcing identity and access control – Define policies to ensure the right level of access is given to the right entity for the right use. Audit logs and access processes should be put in place for alerting abnormal activities.

Applying secure coding practices – For the development of smart contracts, apply secure coding practices such as preventing integer overflow, avoiding memory leakage and not reading uninitialised memory. Conduct security audits by a qualified third party before adopting the smart contracts.

Enforcing hardware security module (HSM) – As a physical computing device that securely generates, protects and stores digital keys, HSM is a viable option to address the risk of losing the keys.

Securing endpoints – Protect endpoints from malware infection and other cyber attacks. It is also important to raise the security awareness among the developers and users as well.

Disclaimer: Users are also recommended to observe the disclaimer of this website and read the user agreements and privacy policies of the security software and tools before downloading and using them.