IBM Security team X-Force Red has announced the launch of a new blockchain security testing service to help businesses identify weaknesses in solutions that incorporate blockchain technology. The new service, called X-Force Red Blockchain Testing, evaluates both the backend processes used to manage blockchain networks and the actual ledger environment to identify exploitable vulnerabilities, covering the whole implementation.
Worldwide spending on blockchain solutions is forecast to reach US$9.7 billion by 2021, according to a recent report by the International Data Corporation, indicating that blockchain implementations will likely grow exponentially in the years to come. According to IBM, establishing hardened industry standards will be a critical next phase in enabling the widespread enterprise adoption of blockchain.
“While blockchain is a breakthrough for protecting the integrity of data, that does not mean the solutions that leverage it are immune from attackers, which is why security testing is essential during development and after deployment,” said Charles Henderson, global head of IBM X-Force Red.
During a typical blockchain testing engagement, the X-Force Red team, which is made up of hackers, breaks into blockchain networks using the same tools, techniques, practices and mindsets as criminals would, and assesses:
- Identity and access: X-Force Red evaluates how permissions to access and add information to the blockchain are administered, including password policies, susceptibility to brute-force attacks, and the implementation of two-factor authentication;
- Public Key Infrastructure (PKI): ensure the secure creation, management, and distribution of the digital certificates and keys associated with a blockchain network;
- Smart contract flaws: perform penetration testing to ensure that smart contracts have no exploitable flaws; and
- Software supply chain attacks: common libraries and component dependencies can be tested for hijacking during design and implementation to ensure secure dependency signatures and a trusted build pipeline.
While the basic concept of blockchain is, in theory, very resistant to attacks, it is not invulnerable. Many security experts warn that blockchain implementations bring with them a wide range of dangers that companies need to be aware of.
So far, no cyberattacks against enterprise blockchains have been reported, partly because the technology is still in the development or pilot stages. But attacks on public blockchain projects and cryptocurrency exchanges are common.
In January, Ethereum Classic, the original version of the Ethereum network, came under attack. An unknown perpetrator essentially rolled back and altered transactions on the network, stealing around US$1.1 million worth of the cryptocurrency in a so-called 51% attack.
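To make concrete why a 51% attack lets an attacker roll back transactions that were already confirmed, here is an added Python example (not from IBM, X-Force Red or the article) that computes the attacker's probability of overtaking the honest chain as a function of its hashpower share and the number of confirmations a victim waits for, using the analysis from the Bitcoin whitepaper. It also derives the confirmation depth an exchange would need for a given risk tolerance, which no depth provides once the attacker's share reaches 50%.

```python
import math


def double_spend_success_probability(q: float, z: int) -> float:
    """Probability that an attacker holding a fraction q of the network's
    hashpower eventually builds a longer chain than the honest one after a
    victim has accepted a payment with z confirmations (the Poisson /
    gambler's-ruin analysis from the Bitcoin whitepaper). With q >= 0.5 the
    attacker is expected to out-mine the honest chain, so the result is 1.
    """
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a fraction of total hashpower in [0, 1]")
    if z < 0:
        raise ValueError("z must be a non-negative confirmation count")
    p = 1.0 - q                      # honest share of hashpower
    if q >= p:
        return 1.0                   # the "51%" case: no confirmation depth helps
    lam = z * q / p                  # expected attacker blocks while honest miners find z
    prob = 1.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        # attacker is (z - k) blocks behind; chance of ever catching up is (q/p)^(z-k)
        prob -= poisson * (1.0 - (q / p) ** (z - k))
    return prob


def confirmations_required(q: float, max_risk: float, limit: int = 10_000):
    """Smallest confirmation depth z at which the attacker's success
    probability drops below max_risk, or None if no depth within `limit`
    achieves it (always the case once q >= 0.5)."""
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if double_spend_success_probability(q, z) < max_risk:
            return z
    return None


if __name__ == "__main__":
    # Illustrative hashpower shares (constructed values, not measured data)
    for share in (0.10, 0.30, 0.45, 0.51):
        z = confirmations_required(share, 0.001)
        depth = "no safe depth" if z is None else f"{z} confirmations"
        print(f"attacker share {share:.2f}: {depth} for <0.1% risk")
```

The numbers reproduce the whitepaper's table (for example 5 confirmations for a 10% attacker at 0.1% risk), and show the cliff at 50%: below it, waiting longer buys safety, above it, no waiting period does.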
In total, hackers have stolen nearly US$2 billion worth of cryptocurrencies since the beginning of 2017, mostly from exchanges.
“The growth of cybercrime has fueled a rise in the number of individuals who can write malicious code, and the dark web gives them the perfect marketplaces to sell them on,” said Rick McElroy, a security strategist at Carbon Black. The expertise the criminals are gaining from these attacks, and the tools that are proliferating in the underground, can be leveraged against enterprise projects, he added.
Attackers began launching 51% attacks in 2018, targeting smaller coins such as Verge, Monacoin and Bitcoin Gold, and stealing an estimated US$20 million in total.
David Vorick, co-founder of blockchain-based file storage platform Sia, expects 51% attacks to continue to grow in frequency and severity.