IBM Security's X-Force Red team has announced the launch of a new blockchain security testing service to help businesses identify weaknesses in solutions that incorporate blockchain technology. The new service, called X-Force Red Blockchain Testing, evaluates both the backend processes used to manage blockchain networks and the ledger environment itself to identify exploitable vulnerabilities, covering the whole implementation.
Worldwide spending on blockchain solutions is forecasted to reach US$9.7 billion by 2021, according to a recent report by the International Data Corporation, indicating that blockchain implementations will likely grow exponentially in the years to come. According to IBM, establishing hardened industry standards will be a critical next phase in enabling the widespread enterprise adoption of blockchain.
“While blockchain is a breakthrough for protecting the integrity of data, that does not mean the solutions that leverage it are immune from attackers, which is why security testing is essential during development and after deployment,” said Charles Henderson, global head of IBM X-Force Red.
During a typical blockchain testing engagement, the X-Force Red team, which is made up of hackers, attempts to break into blockchain networks using the same tools, techniques, practices and mindset that criminals would use, and assesses:
- Identity and access: X-Force Red will evaluate how permissions to access and add information to the blockchain are administered, including password policies, susceptibility to brute-force attacks, and the implementation of two-factor authentication;
- Public Key Infrastructure (PKI): ensure the secure creation, management, and distribution of digital certificates and keys associated with a blockchain network;
- Smart contract flaws: perform penetration testing to ensure that smart contracts have no exploitable flaws; and
- Software supply chain attacks: common libraries and component dependencies can be tested for tampering during design and implementation to ensure secure dependency signatures and a trusted build pipeline.
While the basic concept of blockchain is, in theory, very resistant to attacks, it is not invulnerable. Many security experts warn that blockchain implementations bring with them a wide range of dangers that companies need to be aware of.
So far, no cyberattacks against enterprise blockchains have been reported, partly because the technology is still in the development or pilot stages. But attacks on public blockchain projects and cryptocurrency exchanges are common.
In January, Ethereum Classic, the original version of the Ethereum network, came under attack. An unknown perpetrator essentially rolled back and altered transactions on the network, stealing around US$1.1 million worth of the cryptocurrency in a so-called 51% attack.
In total, hackers have stolen nearly US$2 billion worth of cryptocurrencies since the beginning of 2017, mostly from exchanges.
“The growth of cybercrime has fueled a rise in the number of individuals who can write malicious code, and the dark web gives them the perfect marketplaces to sell them on,” said Rick McElroy, a security strategist at Carbon Black. The expertise the criminals are gaining from these attacks, and the tools that are proliferating in the underground, can be leveraged against enterprise projects, he added.
Attackers began launching 51% attacks in 2018, targeting smaller coins such as Verge, Monacoin, and Bitcoin Gold, and stealing an estimated US$20 million in total.
David Vorick, co-founder of blockchain-based file storage platform Sia, expects 51% attacks to continue to grow in frequency and severity.
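The "rolled back" transactions described in the Ethereum Classic incident above are a consequence of the longest-chain rule: a node abandons blocks it already accepted when a longer competing chain appears. The toy simulation below (an added example, not IBM's or X-Force Red's code) models that from the receiving side, an exchange that credits a deposit after a fixed number of confirmations; the chain layout, the `deposit-to-exchange` transaction id and the `freeze_withdrawals` check are constructed assumptions, and equal work per block is assumed so that "longer" stands in for "more cumulative work".

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(eq=False)  # eq=False: blocks compare by identity, so a shared prefix is detectable
class Block:
    txs: List[str]   # transaction ids included in this block
    miner: str       # who mined it; narrative only

Chain = List[Block]

def extend(chain: Chain, txs: List[str], miner: str) -> Chain:
    """Mine one block on top of `chain` (equal work per block assumed)."""
    return chain + [Block(txs, miner)]

def common_prefix(a: Chain, b: Chain) -> int:
    """Number of leading blocks the two chains share (the fork point)."""
    n = 0
    for x, y in zip(a, b):
        if x is not y:
            break
        n += 1
    return n

def select_chain(current: Chain, candidate: Chain) -> Tuple[Chain, int]:
    """Longest-chain rule: returns the chain the node now follows and how many
    previously accepted blocks were undone (the reorg depth)."""
    if len(candidate) > len(current):
        return candidate, len(current) - common_prefix(current, candidate)
    return current, 0

def confirmations(chain: Chain, txid: str) -> int:
    """Blocks from the one containing txid to the tip, inclusive; 0 if absent."""
    for height, blk in enumerate(chain):
        if txid in blk.txs:
            return len(chain) - height
    return 0

def deposit_scenario(honest_blocks_after_deposit: int, attacker_blocks: int, policy: int) -> dict:
    """Constructed scenario: the public chain contains a deposit; an attacker with enough
    hashrate to out-mine the honest miners publishes a private fork that omits it."""
    genesis = [Block([], "genesis")]
    public = extend(genesis, ["deposit-to-exchange"], "honest")
    for _ in range(honest_blocks_after_deposit):
        public = extend(public, [], "honest")
    credited = confirmations(public, "deposit-to-exchange") >= policy
    private = genesis
    for _ in range(attacker_blocks):
        private = extend(private, [], "attacker")   # deposit simply left out of the fork
    active, undone = select_chain(public, private)
    return {
        "credited_before_publish": credited,
        "confirmations_after": confirmations(active, "deposit-to-exchange"),
        "reorg_depth": undone,
        # defender check: a reorg at least as deep as the confirmation policy means a deposit
        # already credited may have vanished, so withdrawals should be frozen and reviewed
        "freeze_withdrawals": undone >= policy,
    }
```

The second run in the test shows the flip side: a fork that is not longer is ignored, so a confirmation policy only holds while the attacker cannot outpace the honest chain.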