Get Hacked and Find Out!
Can Bitcoin be hacked? Any software can be hacked, but that isn’t necessarily a bad thing. Hacks make cryptocurrency more secure. After all, anything that doesn’t kill you makes you stronger, right?
Bitcoin Security: Bubble Boy and the Sewer Rat
Andreas Antonopoulos presents a lecture called “Bitcoin Security: Bubble Boy and the Sewer Rat.” In this lecture, he describes centralized systems as a “bubble boy”: a system kept secure by isolating it from external forces. Eventually the bubble bursts and exposes the system, and because it lived in isolation, it never built any immunity to attacks.
On the other hand, Andreas argues that open blockchains like Bitcoin are “sewer rats.” They live in the wild subject to untold hostile forces. Consequently, they build immune systems by necessity. Hacks happen, but the solutions serve to harden the system against future attacks.
As Andreas says at the end of the talk:
“All forms of cryptography can be broken. All forms of cryptography are eventually broken. That is a truism… including that currently behind Bitcoin, yes. The question again is time scale… We expect cryptography to be broken. We expect every system and subsystem within Bitcoin eventually to be weakened. What we need to do is 1) make sure that any such weaknesses are not systemic and complete. Then [2)] identify the weaknesses early enough to start addressing them so they don’t become systemic. The best way you do that is by existing in an open, collaborative environment where you learn about those weaknesses.”
Open up Your Code and Let the Sun Shine In
Like many cryptocurrency projects, Bitcoin serves as an open source project. And in open source projects, anyone can view the code. Just download the code and study it to find out if Bitcoin can be hacked! With a multitude of eyes looking at the code, the problems reveal themselves more readily, and programmers resolve the issues as people identify them.
In fact, intent alone differentiates a security vulnerability from a bug. A user hits a sequence of keys that crashes an application. A hacker hits the same sequence of keys to crash the application. The user accidentally encountered a bug. The hacker exploited the bug to disrupt the system. Bitcoin runs as software, all software contains bugs, and hackers exploit bugs.
Recently, a developer working on Bitcoin for the Digital Currency Initiative at the MIT Media Lab discovered a vulnerability in Bitcoin Cash. The Bitcoin and Bitcoin Cash communities generally get along about as well as the Road Runner and Wile E. Coyote, and with about the same results.
This vulnerability, if exploited, could have destroyed Bitcoin Cash as a payment system from that point onward. The programmer acted honorably and privately informed the Bitcoin Cash project of the flaw. They fixed the bug before anyone exploited it and publicly disclosed the fix on May 7, 2018.
Smart Contracts (Or Not so Smart)
From a security perspective, smart contracts present one of the greatest challenges of blockchain. Smart contracts are pieces of executable code to manage transactions, and they live on the blockchain. Since they live on the blockchain, they live forever. And since they live forever, any bugs or security vulnerabilities they contain also live forever.
Poorly designed and implemented code in a smart contract can lead to enormous financial losses. The infamous DAO hack resulted from a poorly coded smart contract.
Hackers love complex code because bugs live there. Conversely, security loves simplicity. The Bitcoin community deliberately designed the Bitcoin Script language to be simple and limited as a security measure.
By contrast, Ethereum strives to provide a decentralized programming platform, so its designers made the Solidity programming language Turing complete, which is to say capable of all the complexity a computer offers.
Capture The Flag (CTF) adventures turn security research into a game, and Security Innovation provides one for free on blockchain smart contracts called Blockchain CTF. The goal of the game is to find all the security flaws in the given code.
On July 27, 2018, the ICO for the Ethereum project known as KICKICO lost $7.7 million to a hack. Hackers obtained the project’s private key and exploited a smart contract. To be fair, this sounds like the fault lay in protecting the private key rather than in the smart contract itself.
Throw It Against the Wallet and See If It Sticks
Wallets are responsible for managing private keys, since they are where your private keys are stored. Use an online wallet, and your private data lives on someone else’s server, subject to their vulnerabilities. Use a wallet on your hard drive, and that drive might die. Offline hardware wallets provide the best security.
Storing crypto in online wallets invites attacks.
In one such attack, the hackers first obtain your email address and phone number, information readily available for most people. Next, they initiate a password reset for your account. Then they exploit vulnerabilities in the Signaling System 7 (SS7) telephony protocol.
Major cell phone companies such as AT&T and Verizon use this protocol. Through it, the hackers intercept the authorization token the company sends to the victim’s account.
Having accomplished this, the hackers now access the two-factor authentication codes sent to the victim’s phone. With this, they access the user’s account on a system like Coinbase and access the victim’s funds.
What goes around comes around, and ironically some crypto flaws bite back at the hackers.
Researchers from a number of universities including Princeton, Carnegie Mellon, Boston University, and MIT discovered a privacy defect in Monero. Contrary to Monero’s purpose, this flaw allowed someone to see the details of transactions and identify who made those transactions.
Since blockchain data is permanent, a flaw like this lets investigators uncover all the information about past transactions. Imagine a thief who robbed you believing his deeds would remain hidden, only to be exposed by a software bug!
Final Thoughts – Can Bitcoin Be Hacked?
Software is never finished, bugs infest software, and security vulnerabilities are a particular class of bug. Some hacks derive from cleverly manipulating the code. But some hacks disregard technology altogether.
In December of 2017, NiceHash suspended operations due to a hack that cost $64 million. NiceHash described the attack as “highly professional” and said it included “sophisticated social engineering.”
Social engineering means nothing more than old-fashioned con artist shenanigans. Hackers use social engineering to convince people to give up their passwords, provide access, or give up other useful information.
Can Bitcoin be hacked? Let me count the ways. But every flaw discovered and fixed strengthens the system for the better.
This article by Wilton Thornburg was previously published on Coincentral.com
About the Author:
Wilton Thornburg is a software engineer, currently based in the greater Boston area.