Sometimes it seems as if everyone has bought into the hype: Industries as far-flung as real estate and diamond sales¹ have embraced blockchain without entirely knowing what it is or how its most vaunted features might fail or have unintended consequences. Blockchain assures users that once information has been stored, it can never be deleted or falsified. This means that when people in finance, say, pore over the history of a transaction, they feel content in the knowledge that illegalities have nowhere to hide. It means that people in the supply chain of a product trust that they can check its provenance without fear that misinformation has been slipped in along the way. In essence, blockchain promises not just complete data security but also something more intangible: that we will never be conned. Is it really so important that we understand what’s under the hood?
The truth is that blockchain is not as secure as it is believed to be, and its features can rebound in unfortunate ways. In research I conducted with Jae Lee, described in detail in his graduate thesis² and a forthcoming paper for the Cybersecurity at MIT Sloan (CAMS) initiative, we cataloged 72 breaches reported between 2011 and 2018. These breaches cost users a grand total of more than $2 billion. Many of these breaches were possible because blockchain is actually vulnerable in some of the same ways that conventional, centralized record-keeping systems are. The rest are even more troubling, because bad actors were able to exploit the very features that make blockchain revolutionary: transparency, distributed control, anonymity, and immutability. In this article, we will look closely at both categories of vulnerabilities so that organizations can weigh the risks and decide whether to make use of blockchain.
Old-Fashioned Chinks in Blockchain’s Armor
Blockchain is widely viewed as unbreakable because advanced cryptographic techniques are used to encode the data and ensure that it is not altered. But there are vulnerabilities to be exploited. Let’s focus first on the ones that have long been present in more conventional systems as well.
Private keys. Much like traditional passwords, private keys must be written down, whether on paper or in a digital wallet, because they are such large numbers. Once they’re written down, of course, they can be found.
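To make the two points above concrete (the cryptographic machinery that protects the ledger, and the fact that a private key is a number too large to memorize, so that whoever holds the stored copy holds the account), here is an added illustration that is not part of the article: a minimal ECDSA implementation over secp256k1, the curve used by Bitcoin and Ethereum, in pure Python. It generates a 256-bit key, derives the public key, signs a constructed transaction message, and shows that a signature made from a copied-down hex key verifies exactly as the owner's does, while a signature checked against an altered message does not. The key value and message are constructed for the example; the code is for understanding only, and real wallets rely on audited constant-time libraries rather than code like this.

```python
# Added example (not from the article): minimal secp256k1 ECDSA in pure Python,
# used to show (1) a private key is a 256-bit integer that must be stored, and
# (2) a verifier checks only the signature, so any holder of the stored key bytes
# can produce an accepted authorization. Educational code, not for production.
import hashlib
import secrets

# secp256k1 domain parameters: field prime, group order, and base point G
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p1, p2):
    """Point addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 + (-p1) = infinity
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P   # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P        # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, point):
    """Double-and-add scalar multiplication k * point."""
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result


def generate_private_key():
    """A private key is just a random integer in [1, N-1]: 256 bits, 64 hex digits."""
    return secrets.randbelow(N - 1) + 1


def derive_public_key(priv):
    """Public key Q = priv * G; this is what an address is ultimately derived from."""
    return _mul(priv, G)


def _hash_msg(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(priv, message):
    """ECDSA signature (r, s). The nonce is derived from key and message so it is
    never reused across messages (a simplified stand-in for RFC 6979)."""
    z = _hash_msg(message)
    k = int.from_bytes(hashlib.sha256(priv.to_bytes(32, "big") + message).digest(), "big") % N or 1
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return r, s


def verify(pub, message, sig):
    """Standard ECDSA verification: recompute k*G from (r, s) and compare x-coordinates."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = _hash_msg(message)
    w = pow(s, -1, N)
    point = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return point is not None and point[0] % N == r


def key_custody_demo(stored_hex, message=b"send 1 BTC to alice"):
    """Rebuild a key from its written-down hex form and compare signatures.
    The verifier sees no difference between the owner and anyone else who
    read the same 64 hex digits, which is why key custody is the whole game."""
    priv = int(stored_hex, 16)
    pub = derive_public_key(priv)
    owner_sig = sign(priv, message)
    finder_sig = sign(int(stored_hex, 16), message)  # only the written-down string
    return {
        "key_bits": priv.bit_length(),
        "owner_valid": verify(pub, message, owner_sig),
        "finder_valid": verify(pub, message, finder_sig),
        "altered_message_valid": verify(pub, b"send 100 BTC to alice", owner_sig),
    }


if __name__ == "__main__":
    # Constructed sample key (NOT a real wallet key): 64 hex digits, 256 bits.
    print(key_custody_demo("8f3c" * 16))
```

The result that matters for the article's point is the pair of `True` values: the ledger's verifier accepts the finder's signature just as readily as the owner's, and nothing in the protocol can distinguish them. The mitigation is therefore entirely on the custody side: keep the key encrypted at rest, prefer hardware or cold storage for large balances, and treat any paper or screen copy of those 64 hex digits as equivalent to the funds themselves.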
1. C. Mims, “Why Blockchain Will Survive, Even if Bitcoin Doesn’t,” The Wall Street Journal, March 11, 2018, www.wsj.com.
2. J.H. Lee, “Systematic Approach to Analyzing Security and Vulnerabilities of Blockchain Systems,” working paper 2019-05, MIT Sloan School of Management, Cambridge, Massachusetts, February 2019.
3. J. Young, “Bitcoin Researcher Has Bitcoins Stolen From Private Key on Shirt,” Bitcoin Magazine, Nov. 13, 2015, https://bitcoinmagazine.com.
4. A. Feinberg, “A TV Anchor Tries to Gift Bitcoin On Air, Is Immediately Robbed,” Gizmodo, Dec. 23, 2013, https://gizmodo.com.
5. W. Suberg, “Bitfinex Hack: U.S. Regulation ‘Prevented Cold Storage Use,’” Bitcoin.com, Aug. 3, 2016, https://news.bitcoin.com.
6. M. Jarzemsky and M. Driscoll, “New Circuit Breakers Would Have Halted ‘Flash Crash,’” The Wall Street Journal, June 1, 2012, https://blogs.wsj.com.
7. C. Cimpanu, “Cryptocurrency Startup Hacks Itself Before Hacker Gets a Chance to Steal Users Funds,” ZDNet, June 6, 2019, www.zdnet.com.
8. In reality, blockchain systems provide pseudonymity rather than anonymity. That is because nodes (users) in a blockchain system are disguised but still need to fully or partially identify themselves to interact outside the system — for instance, when they register in a cryptocurrency exchange. Princeton University researchers found that 53 out of 130 web merchants that accept cryptocurrency have routinely leaked end users’ identifiable data in the form of a cookie (also known as a session ID).
9. M. Kan, “Cryptocurrency Exchange Locked Out of Funds After CEO’s Death,” PCMag.com, Feb. 1, 2019, www.pcmag.com.
10. N. Eriksson, “10 Dramatic Stories of People Who Lost Their Bitcoin Private Keys,” Coinnounce, Feb. 12, 2019, https://coinnounce.com.
11. “Child Abuse Images Hidden in Cryptocurrency Blockchain,” BBC News, Feb. 6, 2019, www.bbc.com.
12. S. Madnick, “How Companies Can Create a Cybersafe Culture at Work,” The Wall Street Journal, May 29, 2018, www.wsj.com.
13. S. Levy and G. Barber, “The Ambitious Plan Behind Facebook’s Cryptocurrency, Libra,” Wired, June 18, 2019, www.wired.com.
14. E. Griffith, “187 Things the Blockchain Is Supposed to Fix,” Wired, May 25, 2018, www.wired.com.
This research was supported, in part, by funds from the members of the Cybersecurity at MIT Sloan (CAMS) consortium.