Enterprise Blockchains: Walled Off Yet Vulnerable
How do you hack an enterprise blockchain? We may find out soon enough.
Enterprise blockchain products have been designed mostly as private networks, limited to authorized parties. This is supposed to make them more efficient than public chains like Bitcoin and Ethereum because fewer computers have to reach agreement on who owns what, and in a sense safer because the participants know each other.
These products apply technology originally developed for the Wild West of cryptocurrency to a range of unglamorous corporate activities, including cross-border transactions, storing records, and tracking goods and information. Their promise has attracted some of the world’s largest corporations and software vendors.
But like any software, they can in theory be hacked, although how to prevent that hacking isn’t as well documented.
“I can’t recall a single major company announcing a loss of any kind from a hack on a private blockchain,” says Paul Brody, global blockchain lead at consulting giant EY.
That may change in the near future as companies start bringing these gated systems out of the lab and into real-world use.
“Big companies have been working on blockchain apps for a couple years now,” said Pavel Pokrovsky, the blockchain lead at Kaspersky, the Moscow-based anti-virus software vendor. “Soon, they will start pushing those apps into production and might face new challenges in managing their risks. As more such solutions get deployed, attacks on them might become more frequent.”
One problem, both Pokrovsky and Brody said, is that private, permissioned systems are especially vulnerable to insider threats.
“Insider risk is particularly high in private blockchains because the work that is usually done to secure information within the private network is very low compared to public networks,” said EY’s Brody, who has been a rare voice among the Big Four professional-services firms in stumping for open systems. “On public networks, we make extensive use of zero-knowledge proofs and other tools to keep sensitive data off-chain.”
Only one or two of EY’s corporate clients went to such lengths with private networks, he said. “As a result, if you can gain access to the network or you already have it as an insider, nearly all the critical data is actually visible to all the members.”
In general, Pokrovsky said, the most common type of attack that could be mounted against an enterprise blockchain network is a denial-of-service attack. He distinguishes this from a DDoS, or distributed denial of service, in which a company's servers are flooded with junk requests until they are overwhelmed.
The denial of service he has in mind is a targeted attack that relies on knowledge of the target's weak points (perhaps supplied by an ex-employee) rather than on raw traffic volume.
“Let’s say an employee of a company gets fired and he’s angry at his ex-employer. He goes to the dark web and sells his knowledge of the vulnerabilities in the system to hackers,” Pokrovsky said.
In the case of enterprise blockchains, an attacker would need to know the addresses of the nodes and what can put them offline.
“An attacker can overwhelm the node’s data storage capacity, flood it with useless calculations,” Pokrovsky said. “For example, one of our clients’ nodes could not process very large numbers, say, 12 zeroes and more. They would just freeze.”
The cure for that kind of attack is proper filtering of the data entering the nodes, he said: “It’s a very widespread mistake, not filtering the incoming data.”
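As an added illustration (this is not Kaspersky's code, nor that of any client mentioned in the article), the Go sketch below contrasts a node API handler that trusts whatever arrives with one that filters before doing any work. The transaction schema, the 4 KiB body cap and the twelve-digit amount limit are assumptions chosen to mirror the "12 zeroes" anecdote; a real node's bounds depend on what its arithmetic and storage can actually handle.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"math/big"
	"strings"
)

// Transfer is a hypothetical transaction shape a node accepts over its API.
// The field names are assumptions for this example, not any product's schema.
type Transfer struct {
	From   string `json:"from"`
	To     string `json:"to"`
	Amount string `json:"amount"` // decimal string, as many ledgers accept it
	Memo   string `json:"memo"`
}

// Limits enforced before a request reaches any processing code. The amount
// cap (assumed) follows the article's anecdote: 12 digits at most, so a
// value with twelve zeroes after a leading 1 is refused at the door.
const (
	maxBodyBytes    = 4 << 10 // 4 KiB: a transfer never legitimately needs more
	maxFieldLen     = 128
	maxAmountDigits = 12
)

var maxAmount = new(big.Int).Exp(big.NewInt(10), big.NewInt(maxAmountDigits), nil)

// parseUnfiltered is the "widespread mistake": read the whole body and hand
// arbitrary-size numbers straight to the processing path.
func parseUnfiltered(body io.Reader) (*Transfer, *big.Int, error) {
	var t Transfer
	if err := json.NewDecoder(body).Decode(&t); err != nil {
		return nil, nil, err
	}
	n, ok := new(big.Int).SetString(t.Amount, 10)
	if !ok {
		return nil, nil, errors.New("amount is not a number")
	}
	return &t, n, nil // a 10,000-digit amount sails through here
}

// parseFiltered validates size, shape and range first and rejects early.
func parseFiltered(body io.Reader) (*Transfer, *big.Int, error) {
	raw, err := io.ReadAll(io.LimitReader(body, maxBodyBytes+1))
	if err != nil {
		return nil, nil, err
	}
	if len(raw) > maxBodyBytes {
		return nil, nil, fmt.Errorf("body exceeds %d bytes", maxBodyBytes)
	}
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields() // unexpected keys are a red flag, not a convenience
	var t Transfer
	if err := dec.Decode(&t); err != nil {
		return nil, nil, err
	}
	for name, v := range map[string]string{"from": t.From, "to": t.To, "memo": t.Memo} {
		if len(v) > maxFieldLen {
			return nil, nil, fmt.Errorf("%s exceeds %d bytes", name, maxFieldLen)
		}
	}
	if t.From == "" || t.To == "" {
		return nil, nil, errors.New("from and to are required")
	}
	// Check the digit string before parsing so a huge input never reaches big.Int.
	if len(t.Amount) == 0 || len(t.Amount) > maxAmountDigits {
		return nil, nil, fmt.Errorf("amount must be 1..%d digits", maxAmountDigits)
	}
	for _, c := range t.Amount {
		if c < '0' || c > '9' {
			return nil, nil, errors.New("amount must be an unsigned decimal integer")
		}
	}
	n, _ := new(big.Int).SetString(t.Amount, 10)
	if n.Sign() <= 0 || n.Cmp(maxAmount) >= 0 {
		return nil, nil, errors.New("amount out of range")
	}
	return &t, n, nil
}

func main() {
	// Constructed request whose amount is a 1 followed by twelve zeroes.
	hostile := `{"from":"acme","to":"globex","amount":"1000000000000","memo":"q3 settlement"}`
	if _, _, err := parseUnfiltered(strings.NewReader(hostile)); err == nil {
		fmt.Println("unfiltered: accepted the oversized amount")
	}
	if _, _, err := parseFiltered(strings.NewReader(hostile)); err != nil {
		fmt.Println("filtered: rejected:", err)
	}
}
```

The order of checks is the point: body size, then schema, then field lengths, then numeric range, each cheap and each before anything that allocates in proportion to the input. A node that only validates after parsing has already done the expensive work the attacker wanted it to do.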
Exploiting such a vulnerability is easy when you know where the nodes are and, unlike a DDoS, it does not require renting a botnet to flood the target with garbage traffic or deploying a lot of hardware against the server.
“You just write a simple script and send it to the nodes,” Pokrovsky said. Then the nodes go offline. Such an attack could serve purposes ranging from sabotaging a competitor to terrorism, Pokrovsky said.
The situation can be exacerbated by the fact that the most convenient way to set up nodes for a private blockchain is to use cloud infrastructure, which spares companies from having to run a physical node in their own offices.
“Most private blockchains have very few nodes and, in many cases, they all reside inside a single cloud infrastructure, creating a single point of failure,” Brody said. “That also means that far from being immutable stores of information, they are in fact easy to erase or shut down.”
The risks can vary. For example, Masterchain, the enterprise blockchain for banks developed under the auspices of Russia’s central bank, is a fork, or modified copy, of the Ethereum blockchain, which uses a proof-of-work consensus mechanism. Taking down some nodes on such a network would leave consensus to the remaining nodes, which would keep validating transactions.
However, if all the remaining nodes turn out to be controlled by the central bank, the other network participants might argue that the transactions recorded while they were offline are not legitimate, Pokrovsky said.
“DDoS is an attack easy and cheap to organize, but it’s also easy to prevent, and services like Cloudflare can identify and effectively prevent it. But the denial of service is not identifiable by the filters such services use,” Pokrovsky said, adding that sometimes attackers don’t even need an insider to locate the nodes – it’s possible to find such information via open source intelligence methods.
“It’s very hard to fix such vulnerabilities as the attack is happening, when everything’s crashed, everyone’s running around and everything is on fire,” he said – it’s better to try to predict such situations in a testing environment.
If a blockchain uses smart contracts, they can be attacked as well, Pokrovsky said.
“For the enterprise blockchains, the typical attack is when a contract contains variables that can turn out different for each node, for example, timestamps or random numbers,” he said. “In this case, every node would execute the smart contract with a different result and the transaction will not be recorded into the blockchain as a result.”
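The failure Pokrovsky describes can be reproduced without any blockchain software. The Go example below is added here for illustration and is not code from Kaspersky or any audited platform; it simulates several independent nodes executing the same contract on the same signed proposal and checks whether their write sets match, which is the condition for a transaction to be committed. The transaction shape, the auction logic and the four-node count are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/rand"
	"sort"
	"time"
)

// Tx is the signed proposal every validating node receives. The client sets
// the timestamp once, so every node sees the same value. (Hypothetical shape.)
type Tx struct {
	ID        string
	Timestamp int64 // unix seconds chosen by the submitting client
	Bidder    string
	Bid       uint64
}

// Contract maps a proposal to the write set a node would commit. The write
// sets must be identical across nodes or the transaction is dropped.
type Contract func(tx Tx) map[string]string

// auctionNondeterministic is the bug the article describes: it reads the
// node's own clock and RNG, so each node computes a different write set.
func auctionNondeterministic(tx Tx) map[string]string {
	return map[string]string{
		"bid/" + tx.Bidder:         fmt.Sprint(tx.Bid),
		"bid/" + tx.Bidder + "/at": fmt.Sprint(time.Now().UnixNano()),
		"tiebreak/" + tx.ID:        fmt.Sprint(rand.Int63()),
	}
}

// auctionDeterministic takes time only from the signed proposal and derives
// its "random" tiebreak from a hash of the transaction ID, which every node has.
func auctionDeterministic(tx Tx) map[string]string {
	sum := sha256.Sum256([]byte(tx.ID))
	tiebreak := binary.BigEndian.Uint64(sum[:8])
	return map[string]string{
		"bid/" + tx.Bidder:         fmt.Sprint(tx.Bid),
		"bid/" + tx.Bidder + "/at": fmt.Sprint(tx.Timestamp),
		"tiebreak/" + tx.ID:        fmt.Sprint(tiebreak),
	}
}

// fingerprint hashes a write set in key order so nodes can compare results.
func fingerprint(ws map[string]string) string {
	keys := make([]string, 0, len(ws))
	for k := range ws {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	h := sha256.New()
	for _, k := range keys {
		h.Write([]byte(k))
		h.Write([]byte{0})
		h.Write([]byte(ws[k]))
		h.Write([]byte{0})
	}
	return hex.EncodeToString(h.Sum(nil))
}

// endorse simulates n independent nodes running the contract on one proposal
// and reports whether their write sets agree (true means the tx would commit).
func endorse(c Contract, tx Tx, n int) bool {
	first := fingerprint(c(tx))
	for i := 1; i < n; i++ {
		if fingerprint(c(tx)) != first {
			return false
		}
	}
	return true
}

func main() {
	tx := Tx{ID: "tx-0001", Timestamp: 1585699200, Bidder: "acme", Bid: 4200}
	fmt.Println("nondeterministic commits:", endorse(auctionNondeterministic, tx, 4))
	fmt.Println("deterministic commits:   ", endorse(auctionDeterministic, tx, 4))
}
```

The rule the second contract follows is simple: every input to contract logic must travel inside the proposal the nodes all signed off on, and anything a node would otherwise fetch from its own environment (clock, RNG, local files, network calls) has to be replaced by something derived from that shared input.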
If a smart contract refers to documents, there is another possible way to attack it: inserting malicious code into the document.
“It’s the same as the SQL injection attack and to prevent it you need to filter the incoming data and limit the use of external data by the smart contract,” Pokrovsky said.
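To make the SQL-injection comparison concrete, here is an added Go example (not from Kaspersky or any platform named in the article) in which a contract builds a ledger query from a field of an incoming document. It assumes the ledger exposes CouchDB-style JSON selectors for rich queries, as some permissioned platforms do; the invoice schema, the identifier allow-list and the hostile payload are constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
)

// Invoice is a document the contract reads from an incoming transaction.
// Its fields originate outside the ledger and are untrusted input.
type Invoice struct {
	Number string `json:"number"`
	Owner  string `json:"owner"`
}

// selectorUnsafe splices the document field into a JSON selector by string
// formatting. This is the SQL-injection shape: the data can close the string
// and append conditions or operators the contract never intended.
func selectorUnsafe(inv Invoice) string {
	return fmt.Sprintf(`{"selector":{"docType":"invoice","owner":"%s"}}`, inv.Owner)
}

// encodeSelector lets the JSON encoder do the quoting, so the field value can
// only ever be a string value, never extra keys or operators.
func encodeSelector(owner string) string {
	q := map[string]any{
		"selector": map[string]any{"docType": "invoice", "owner": owner},
	}
	b, _ := json.Marshal(q) // map of strings cannot fail to marshal
	return string(b)
}

// ownerPattern is the "filter the incoming data" step: an allow-list on the
// identifier format, rejecting anything that is not a plain participant ID.
var ownerPattern = regexp.MustCompile(`^[A-Za-z0-9_.-]{1,64}$`)

func validateOwner(owner string) error {
	if !ownerPattern.MatchString(owner) {
		return errors.New("owner must be a 1-64 character identifier")
	}
	return nil
}

// selectorSafe applies both defences: validate first, then encode structurally.
func selectorSafe(inv Invoice) (string, error) {
	if err := validateOwner(inv.Owner); err != nil {
		return "", err
	}
	return encodeSelector(inv.Owner), nil
}

// inspect parses a selector and reports how many conditions it carries and
// whether the owner condition is still a plain string, as the contract meant.
func inspect(sel string) (conditions int, ownerIsString bool, err error) {
	var q struct {
		Selector map[string]any `json:"selector"`
	}
	if err := json.Unmarshal([]byte(sel), &q); err != nil {
		return 0, false, err
	}
	_, isStr := q.Selector["owner"].(string)
	return len(q.Selector), isStr, nil
}

func main() {
	// Constructed hostile document: the owner field closes the string and
	// replaces the owner condition with "$gt": null, which matches every owner.
	hostile := Invoice{Number: "INV-7", Owner: `x","owner":{"$gt":null},"z":"`}
	n, isStr, _ := inspect(selectorUnsafe(hostile))
	fmt.Printf("unsafe: %d conditions, owner is string: %v\n", n, isStr)
	if _, err := selectorSafe(hostile); err != nil {
		fmt.Println("safe: rejected:", err)
	}
}
```

Two layers are shown because they fail differently. Structural encoding alone keeps the hostile value a harmless string, which is the generic fix for any injection class; the allow-list additionally refuses data that has no business in that field at all, which is what "limit the use of external data by the smart contract" amounts to in practice.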
The fact that most private blockchains don’t enjoy the attention of a broad blockchain community is also a weakness, Brody said.
“Perhaps the biggest risk posed by private blockchains is the risk of complacency,” he said. “Open source code that isn’t widely used and doesn’t have a vigilant community testing and inspecting it is far less secure and reliable than systems like Bitcoin and Ethereum, which are continuously hardened by nearly constant attack and public inspection.”
With an eye perhaps toward broadening its revenue stream, Kaspersky moved into blockchain-oriented research and consulting in 2018, first focusing on public blockchains including Bitcoin and Ethereum.
Kaspersky has been working with crypto exchanges and completed a security audit for the trading software company Merkeleon in October 2018.
In October 2019, Kaspersky started working with enterprise blockchains, too. Pokrovsky told CoinDesk the company audited a number of such systems, only two of which he could name publicly: Russia-based blockchain startup Insolar and Waves, which has been re-focusing from public to private blockchains since last year.
Kaspersky software has been listed among the top 10 antivirus products globally by PC Magazine in March but it has been banned from being installed on U.S. government computers since 2017 as part of the U.S. response to Russian meddling in the 2016 presidential election. That ban caused sales to plunge in the U.S. and Europe but they have expanded in Russia as well as Africa. Kaspersky reported 4 percent revenue growth in 2018.
Kaspersky’s Waves audit took three months, from November 2019 to the end of January 2020. “The task was to check the security of the nodes, network infrastructure and nodes’ web interfaces,” Pokrovsky said.
The security firm ran what it calls “grey box” testing, in which the tester does not have access to the blockchain platform’s full code but does have administrator-level access to the system. Testing from that position models an insider threat, such as an ex-employee going rogue.
After the testing is over, Kaspersky presents the client with the list of vulnerabilities and the client fixes them. Then the testing is run again.
Pokrovsky would not disclose what weaknesses had to be “fixed” on Waves’ blockchain. (Waves confirmed it hired Kaspersky.)