With attacks on crypto companies–including the Crypto[.]com hack and the Coinbase vulnerability–headlining news outlets this month, consumer confidence is being shaken, and a host of questions are being raised about the cyber security of cryptocurrencies. At Blackpanda, we investigate cyber crimes committed across all technology verticals, including crypto.
As a rule of thumb in cyber security, if something has a connection to the internet, it can be hacked. The crypto industry is no different. This article will provide insight as to why the answer to the question “can crypto be hacked” is yes, and why everyone involved in the crypto space should be prepared to deal with a cyber incident.
Is my crypto investment safe?
In the world of technology, there is always some probability of a cyber incident taking place. Whether it is hacking, denial of service, insider threat, account compromise, or technical failure, all technology can be broken in some way, no matter how implausible it may seem.
The likelihood of an event is what usually has a defining impact on how we approach securing different technologies. In fact, the probability of someone manipulating every endpoint contributing to or reading from a blockchain is very low. However, if attackers succeed at compromising even a fraction of a widely used wallet or platform, this can bring them significant financial gains.
As the number of crypto technologies increases—and the total number of users increases with them—the number of attackers that turn their efforts to stealing a part of that goes up as well. That is the likelihood of a crypto hack.
But wait—isn't crypto hard to hack?
Attackers typically target companies that are low-effort, high-reward to hack. Remote access is a great example of this. Attackers constantly scan the Internet and send billions of packets, or “probes” looking for an open, vulnerable remote service port that would give them direct access into a company. This is much like knocking on every door in search for a target, hoping that someone left theirs unlocked.
Usually, threat actors will give up if a target seems too challenging to attack, or attacking them requires too much effort. Persistent threat actors, however, continually chip away at high-value targets until something gives, breaks, or introduces an opportunity for exploitation.
Crypto platforms are no different in that they run on several of the elements we see exploited. Stolen API keys, unprotected databases exposed to the internet, social engineering and phishing; each of these can be targeted, as they form a component in the overarching infrastructure that makes crypto work.
How do you hack crypto?
There are many ways to apply force to an attack surface, using the military terminology, with an aim to deny, degrade, disrupt, destroy, or deceive the target. The STRIDE model lists several cyber attack patterns and works well for developers and security teams to collaborate and answer, “What can be attacked and how?”
STRIDE stands for:
- Spoofing—Whereby a user or program pretends to be another
- Tampering—Whereby attackers modify components or code
- Repudiation—Whereby threat events are not logged or monitored, or data can be modified
- Information disclosure—Whereby data is leaked or exposed
- Denial of Service (DoS)—Whereby services or components are overloaded with traffic to disrupt normal use
- Privilege Escalation—Whereby attackers grant themselves additional permissions–even admin–to then gain greater control over a system
What can be hacked?
If we quickly apply this methodology to crypto, we will identify several components that make up the ATTACK SURFACE that can be targeted by the patterns in STRIDE.
Application back end
The back end of an application includes all the servers, developers systems, source code and repositories, third-party libraries or plug ins, and other parts of the blockchain technology. Just this week a bug was detected in the Coinbase application that allowed users to steal unlimited cryptocurrency. This exploit shows the API’s used can have zero-day vulnerabilities that attackers exploit to their advantage.
The most damaging to a company, however, is when the source code itself is corrupted. A malicious code release would manipulate the underlying functionality of the app to siphon or outright steal tokens and transfer them to an attacker’s wallet.
End user application
End users manage their access and authentication tokens, interact with the application through their browser, and often download an exchange’s app to their phone. An attacker can target the mobile or web based application.
A threat actor may try to perform a man in the middle attack. Think about a malicious extension in the browser that can steal all the wallet information as a user creates it. Out of date browsers, and suspicious browser extensions make this attack more likely. By attacking out of date browsers, criminals can gain access to information that is usually obtainable during account creation. Thus, sensitive data such as personal details and copies of private keys could be rendered vulnerable and accessible by cyber threat actors.
Sensitive information could also be intercepted during an internet session if the user is on an insecure network, such as public WiFi.
The network spans user and company access to the platform, the content distribution network, and connectivity to the distributed servers performing proof of work or maintaining the ledger (depending on the type of platform). Though outages occur all the time, a prolonged outage between endpoints in the network would degrade the service and could stop the normal function of the blockchain.
The website includes all public facing pages, the web servers, and plug-ins that allow people to learn more or sign up for services. Defacement of any website could damage the company’s reputation. A website takedown by denial of service would cause a business interruption and result in monetary losses.
Though it seems like an easy question, I am answering in this way because technology changes constantly, no surprise there. The cryptocurrency architecture of today may be entirely re-invented in a year’s time. It is important to have a repeatable process, not one-off procedures, to get an idea of how a hack could happen today. Look at any hacking problem as an attack surface, a threat, and the likelihood and probability that attack will succeed.
Though the likelihood of any of these attacks you identified in your threat model may stay the same or decrease with compensating controls, the probability increases every day as the number of attempts increase. Anything can be hacked, it is a matter of time and resources. Stay tuned for our next article where I dissect these attacks in more detail.