On July 9, crypto-currency exchange Bancor announced that hackers had compromised one of the company’s digital wallets, using the keys to steal about $23.5 million in Ethereum and other digital currencies.
The compromise is the latest digital theft of crypto-currencies based on digital tamperproof ledgers, known as blockchains. In Bancor’s case, however, the company had a built-in failsafe to claw back approximately $10 million of its own coin—a smart token known as BNT—limiting the damage.
“The tokens that were frozen were BNT tokens stolen during the breach,” the company said in a statement. “We firmly believe that this ability is a preventative measure essential to most tokens and necessary to protect the network and token holders in a state of emergency.”
The incident shows both the security risks and promises of blockchain technologies. The combination of the decentralized nature of the blockchain, along with the ability for anyone with access to a particular wallet to issue transactions on behalf of the owner, means that compromises tend to be big and expensive.
However, the core capabilities of blockchain—decentralized databases, proof of work or state, and tamper resistance—can give applications that use blockchain technology a security advantage.
“I think there is a misconception that blockchain automatically equals security,” Michael Julian, director of information security for blockchain security group Hosho, told eWEEK. “Blockchain can be secure, but it has to be done right.”
Here are five ways that blockchain, if set up and maintained properly, can add security to applications.
1. Better internet of things (IoT) networks
The number of interconnected, but limited, computing devices has skyrocketed. In the consumer realm, these networked devices are collectively known as the internet of things (IoT), while similar technology used by manufacturers and other production operations are known as industrial control networks.
To secure such networks, companies need to create a central database of all authorized devices, continuously updating the registration as new devices are added and old devices retired. Putting the registration functions into the blockchain makes it easier for network administrators to add a variety of trusted devices—such as wireless routers—to the network.
“The blockchain contains a directory service that has all the devices that are allowed on the network,” Roman Arutyunov, co-founder and vice president of products with Xage, a provider of blockchain security for industrial IoT. “If the device is not registered, it is not authenticated and that [decision] can happen at the edge of the network.”
2. Security log database
A blockchain-based system could also be used to track and verify security information from network devices. By using the blockchain, devices could automatically add their logging information to a blockchain in a way that is resilient to being modified or deleted, which allows for more reliable logging.
Such a system could allow devices to simply add specific events to an automatically updated log shared between devices and systems.
“You could have the data logged to a blockchain rather than to a large centralized database, then you have an immutable ledger of everything that has happened,” Jason Schwerberg, director of engineering at Hosho, told eWEEK.
3. Securing the supply chain
In January, IBM and shipping conglomerate Maersk established a joint venture for finding ways of applying blockchain technology to the global supply chain and shipping business. With more than $4 trillion in goods shipped every year, nearly $180 billion could be saved each year with a more efficient and secure process for tracking goods, IBM estimated.
Rather than the inconsistent organization of today’s ecosystem for tracking trade, a blockchain-based system would allow multiple agencies and organizations to work with a single source of supply-chain information, allowing for better assessment of risk and more trusted information.
A variety of other industries are looking at similar applications. Computers and devices shipped into sensitive applications could have bill-of-materials that collect all the supply chain details for each component.
“Being able to understand where each component is coming from is important,” said Xage’s Arutyunov. “Because multiple parties are involved, the records have to be highly tamperproof.”
4. Emergency measures implemented through blockchains
Crypto-currencies and smart contracts that rely on consensus proof-of-work to add transactions to the blockchain can be compromised in a number of ways. The most straightforward attack is the “51 percent” attack, where an attacker controls more than half of the power of the network, which would allow for a denial-of-service attack or the ability to double-spend coins.
Adding security features to claw back malicious transactions—as Bancor did—can help prevent attacks and aid companies in recovering from attacks. But this tactic sacrifices the decentralization around which many blockchain technologies are founded. Bancor, for example, apparently intends to only use the technology during its initial three-year pilot, but argued that all blockchains might need such an emergency switch.
“We hope to never have to use this security feature again, and while we were compelled to use it this time, we see a growing need for evolving governance models to allow different configurations of permissions to act on a community’s behalf,” Guy Benartzi, co-founder of Bancor, said in a statement. “We look forward to continuing the dialogue on how to best implement diverse governance models for a variety of situations that may arise.”
5. Domain-name protection
In April, attackers used the internet system to announce new network routes, known as the border gateway protocol or BGP, to intercept DNS requests for MyEtherWallet.com, a popular digital wallet for storing the information necessary to perform transaction in the Etherium crypto-currency and redirect those requests to a server in Russia.
Much of the internet’s security relies on the DNS system working correctly. Blockchain could help with that, said Hosho’s Julian. Rather than work through a registrar, people could get verified as the owner of a domain and get a private key that would then confirm them as the owner.
“You could improve the security of the domain-name system massively,” said Hosho’s Julian. “The decentralized nature of the blockchain would make it reliable, and without a private key—or multiple private keys—no changes could be made.”
Overall, blockchain can improve security in many applications by storing data in a tamperproof, public ledger. Yet, developers have to be careful, because vulnerabilities can easily creep into the design and into the coding, said Hosho’s Julian.
“If it involves a computer, there is probably a vulnerability,” he said. “So make sure you plug those holes and realize that security is a moving target.”
Editor’s Note: This article was updated to correct the spelling of Roman Arutyunov’s name and to clarify the description of his company Xage.