When it comes to digital currencies, Bitcoin stands out from the crowd due to its decentralized nature and the strong encryption practices underpinning its architecture. Importantly, Bitcoin owners needn’t disclose any sensitive information when performing transactions. This does not hold true for the classic payment workflow via a credit card, where you need to at least provide the card number and security code.
There’s also an opinion that, although services related to Bitcoin have been hacked or otherwise abused multiple times, cybercriminals never actually compromised the underlying protocol.
But are things really so serene in the cryptocurrency landscape? Let’s try to figure it out.
Components of Bitcoin Security Posture
To get the big picture, it makes sense to draw the line between the following layers of Bitcoin security architecture:
- The security of the protocol proper and the blockchain
- The security of Bitcoin wallets, exchange services and payment systems
This split is important because people mostly deal with services built on top of the protocol itself. The kernel system is only tasked with issuing coins and keeping track of transactions afterwards. Everything else, including ownership-related operations, is outsourced to third-party services.
Blockchain Security Challenges
The blockchain technology is protected by military-grade cryptography. Ideally, it should be immune to all types of malicious interference. And yet, there are two main security challenges stemming from the objectives of the blockchain:
- Validating transactions. This technology is supposed to make sure that the spent amounts match unspent outputs recorded earlier in the blockchain. To this end, it checks for transaction signatures created with valid private keys.
- Verifying the authenticity of the blockchain that’s being mined. The easiest way to perform this function is to ascertain that miners work with the longest blockchain available. Since extending the blockchain is very resource-consuming, the longest one is most likely authentic because miners have spent the most effort working with it.
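The authenticity check described above can be sketched as follows. This is an added example, not code from the article or from Bitcoin itself: the header layout, `TARGET_BITS` and `GENESIS` are constructed toy values, and because every block here has the same difficulty, the longest valid chain is also the one with the most accumulated work, which is what Bitcoin nodes actually compare.

```python
import hashlib

TARGET_BITS = 12        # constructed toy difficulty; Bitcoin's real target is far harder
GENESIS = b"\x00" * 32  # placeholder "previous hash" for the first block

def block_hash(block: dict) -> bytes:
    """Double SHA-256 over a simplified header: prev hash | payload digest | nonce."""
    header = (block["prev"] + hashlib.sha256(block["payload"]).digest()
              + block["nonce"].to_bytes(8, "little"))
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()

def meets_target(digest: bytes) -> bool:
    """Proof of work: the hash, read as a number, must fall below the target."""
    return int.from_bytes(digest, "big") < (1 << (256 - TARGET_BITS))

def mine(prev: bytes, payload: bytes) -> dict:
    """Search nonces until the block hash meets the target (the costly step)."""
    block = {"prev": prev, "payload": payload, "nonce": 0}
    while not meets_target(block_hash(block)):
        block["nonce"] += 1
    return block

def build_chain(payloads) -> list:
    chain, prev = [], GENESIS
    for payload in payloads:
        chain.append(mine(prev, payload))
        prev = block_hash(chain[-1])
    return chain

def chain_is_valid(chain) -> bool:
    """Every block must link to its predecessor's hash and carry valid work."""
    prev = GENESIS
    for block in chain:
        digest = block_hash(block)
        if block["prev"] != prev or not meets_target(digest):
            return False
        prev = digest
    return True

def select_chain(candidates):
    """Discard invalid chains, then prefer the longest remaining one."""
    valid = [c for c in candidates if chain_is_valid(c)]
    return max(valid, key=len, default=None)

if __name__ == "__main__":
    honest = build_chain([b"tx-set-1", b"tx-set-2", b"tx-set-3"])
    print("honest chain valid:", chain_is_valid(honest))
```

Editing a payload in any earlier block changes that block's hash, so the next block's link no longer matches and the whole chain is rejected unless the work is redone from that point.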
Despite the fact that these security practices appear to be reliable, cybercrooks have some abuse mechanisms up their sleeves. They can pilfer Bitcoin by guessing private keys and signing transactions. They can also brainwash a sender of Bitcoin into thinking that the transaction was rejected and the funds were not spent, while they actually were. The more competent threat actors can look for zero-day vulnerabilities and use them to manipulate the blockchain.
Abusing the Protocol
Perpetrators may leverage the following techniques to compromise the Bitcoin protocol:
- Brute-forcing private keys. Because the key space is gigantic, it is extremely problematic to pull off a heist like this. It is currently more of a theoretical attack vector. A fairly viable method, though, is to simply scour the blockchain for unspent outputs. Hackers with enough time and computing resources on their hands may be able to succeed in doing that.
- Dictionary attacks. Criminals can try to guess the private key for a Bitcoin address that has unspent outputs. If it works, they leverage bots to figure out if any coins were sent to the compromised address. If the stars align, the crooks steal the funds easily.
- The double spending trick. Confirmation blocks for Bitcoin transactions are not generated instantly. It is usually a matter of 10 minutes or so. Hackers can take advantage of this timeframe to perform double spending of the funds. This tactic is the most viable in case a user is reluctant to wait for confirmation and prematurely thinks the transaction has been completed.
- Flooding the network. It is very problematic to knock such a powerful network offline for a certain amount of time. If an attacker manages to cause this kind of outage, it can lead to a hiatus of most miners’ work. Meanwhile, the black hats may be able to take advantage of other users’ transactions.
- Harnessing vulnerabilities of the protocol. Hackers reportedly used the infamous transaction malleability bug to steal about 7 percent of all Bitcoin via the Mt. Gox exchange. This demonstrates how successfully cybercriminals can weaponize protocol flaws.
- Cracking the crypto. Cryptography per se is nearly impossible to circumvent as long as it is implemented correctly. Implementation flaws, however, can play into perpetrators’ hands. In a recent move, attackers leveraged a factorization flaw in a popular code library to get hold of private keys belonging to millions of users.
How About the Security of Affiliated Services?
This is a nontrivial question because people mostly interact with a bevy of services built on top of the protocol and the blockchain, including exchange systems and wallets.
Bitcoin exchanges usually hold large amounts of cryptocurrency and fiat currencies. Furthermore, they have bank accounts facilitating their business operations. Wallets are utilities keeping private keys. They use regular authentication mechanisms, such as passwords and biometrics. Bitcoin payment systems allow users to buy things with their digital cash. They keep coins in internal wallets.
These third-party services are the weakest links in the entire cryptocurrency paradigm. They aren’t any more secure than run-of-the-mill digital payment processing systems, and they engage the blockchain to simply monitor transactions.
Exchanges are the most heavily targeted entities in this whole framework. The latest incident hit the headlines on Jan. 26. Coincheck, a popular cryptocurrency exchange headquartered in Japan, admitted having lost a whopping $500 million worth of tokens as a result of a well-orchestrated hack. Just imagine the scope of the problem. That’s the biggest reported cryptocurrency compromise ever.
Bitcoin Security: Pros and Cons
The protocol and the blockchain are nearly bulletproof. The flip side of the coin is that the associated services listed above don’t fare that well in terms of security.
Here are the things on the plus side of Bitcoin in this regard: transactions cannot be reversed; transactions cannot be censored as long as they are signed with a valid key; and there are no links between ownership and a Bitcoin address, which translates to better privacy.
On the other hand, there are numerous caveats. You end up losing your Bitcoin in the following cases:
- If you lose your private keys
- If you type a wrong destination address
- If your computer gets hacked
- If your wallet gets compromised
- If the Bitcoin exchange you use gets hacked
To top it off, the blockchain will not generate any alerts if someone transfers your funds away.
Another issue has to do with authenticity. The number of miners and generated transactions is constantly growing, which may cause a split of the network. In fact, that’s exactly how the fork of the Bitcoin system called Bitcoin Cash emerged in August 2017. The problem is, the authenticity of the forked blockchain can be questioned at some point, and so can the validity of the cryptocurrency mined within it.
As far as security goes, Bitcoin is a mixed blessing. To its credit, this cryptocurrency boasts a competently tailored set of innate protection mechanisms relying on cryptography and well-thought-out operational algorithms. However, any system is only as strong as its weakest link. The affiliated third-party systems are susceptible to hacks and manipulations and therefore do a great disservice to Bitcoin security-wise, ultimately making it just about as safe as fiat currencies.
About the Author
David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot security issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.