Online "wealth" is coveted by hackers who are targeting blockchain code vulnerabilities

Our reporter Zhang Jiaxing

One line of code evaporated 6.4 billion yuan. This incredible hacking operation took place in April this year. Just because the hacker found a code loophole, the entire market value of the blockchain products related to it was instantly transferred out and approached zero.

"If traditional currency is valuable because of the national credit, then the existence of encrypted digital currency relies on the credit of blockchain technology." On September 6, at the ISC2018 Blockchain and Network Security Forum co-organized by Zhongxiang Bit and others, Zhang Xuan, deputy director of the Cyber ​​Crime Investigation Teaching and Research Section of the Investigation Department of Shandong Police College, said that due to the discovery of vulnerabilities in the blockchain technology code and some corresponding security incidents, people's confidence in blockchain technology has been gradually undermined.

Previously, it was believed that blockchain technology, due to the application of distributed storage, encryption algorithms and other technologies, has the characteristics of being tamper-proof and traceable, which are considered to be "foolproof". However, this characteristic is mainly for the information stored in the block. Taking the case at the beginning of the article as an example, blockchain technology ensures that the 6.4 billion can be traced back to where it was transferred, and the hacker's operation will be recorded in an unchangeable manner by the system, but it cannot "reject" the hacker's tampering with the underlying code and protect the virtual digital currency.

Blockchain technology itself has loopholes that can be exploited. "Using blockchain technology has become a new means for criminals to make illegal profits." Zhang Xuan said, and some people even said that blockchain technology has triggered a revolution in economic crimes. Faced with new challenges brought by new means, how should we respond to maintain the long-term development of blockchain technology?

Virtual currency becomes a new target for theft

Not long ago, a heist movie called "Ocean's 8" was released, telling the story of a group of beautiful thieves stealing a diamond necklace worth $150 million.

Compared with the thefts in the cryptocurrency circle, the value of this necklace is not so shocking. For example, on March 30 this year, the Chinese police uncovered a virtual currency theft in which three hackers working for a well-known domestic Internet company hacked into the victim Zhang's computer and looted virtual currencies such as Bitcoin and Ethereum worth 600 million yuan.

In the past, thieves targeted gold, silver, jewelry, and stacks of banknotes. Now, as long as you sit in front of your computer and move your fingers, you can get rich by stealing virtual currency. Cryptocurrency has become a new target for high-tech crime. Countries around the world are troubled. According to data, after tokens worth $530 million were stolen, 16 cryptocurrency exchanges in Japan plan to set up a self-regulatory group to self-examine and check system vulnerabilities.

Wang Weibo from the Information Security Department of 360 Group said that there have been 57 public attacks on public chains and exchanges targeting non-personal computers, causing losses of $1 billion. However, he believes that this is just the "tip of the iceberg". A large number of attacks will not be made public because they will have a negative impact on the reputation of exchanges, and the losses will be absorbed by the exchanges themselves.

In addition to theft, virtual currency has also become a tool for criminals. "Bitcoin has become a tool for money laundering, and has spawned 'professional money laundering rooms'," said Zhang Xuan. She cited an actual case: the victim met the suspect on QQ. He claimed to be a soldier who had fought in Iraq and hoped that the victim would help him collect parcels. Collecting parcels required a deposit of 800,000 US dollars. The victim transferred the funds to Wang, who specialized in Bitcoin transactions. Wang paid the suspect Bitcoin. The suspect did not leave any fraudulent evidence of receiving the money, but Wang, who was engaged in Bitcoin transactions, had a large amount of funds coming in, which increased the difficulty of investigation.

"With the involvement of Bitcoin (most of the encrypted digital currencies currently recognized by the black market are Bitcoin), the police's method of tracing the funding chain to solve the case may become ineffective." Zhang Xuan said that in his work, he felt that the case was difficult to investigate and the difficulty of tracking down criminals had greatly increased.

What's more, the criminal is not a person or a gang, but a legitimate business that operates normally. Zhang Xuan introduced that a technical operation and maintenance company developed a Trojan virus and installed it on the client's machine that it was responsible for operation and maintenance. When the machine memory was not occupied, it started the mining program and mined more than 5,000 digital currencies before being discovered. According to statistics, the company illegally controlled more than 3 million machines across the country. "The legal status of this illegal behavior is still very vague." Zhang Xuan said that the new criminal situation urged the improvement of laws and regulations and reminded law enforcement officers to constantly update their knowledge reserves.

Reflect on yourself three times a day to find out the shortcomings

"We may not know how hackers attack, but we should ensure the security of every detail." Wang Weibo said that checking for vulnerabilities in oneself can minimize security risks and even prevent problems from occurring in advance.

Just like an offensive and defensive battle, once the "vital point" of blockchain technology is mastered, the external attacks of hackers will be unstoppable. "Strengthening the walls" and "strictly checking and plugging leaks" are effective ways for the defender to cope with changes.

According to Wang Weibo, hackers' attacks on blockchain technology can occur at six different levels, including the application layer, contract layer, incentive layer, and data layer. Different attack methods at different levels will cause different consequences.

The lower the level of attack, the more likely it is that a single move will affect the entire blockchain. For example, an attack on the data layer will bring about changes to the entire blockchain rather than just one node. In May of this year, an attacker tampered with the time of generation of a blockchain, causing the mining difficulty to decrease, hijacking the entire main chain, and allowing the attacker to obtain a large number of tokens.

Therefore, the 360 ​​security team conducted research on six aspects of hacker attacks, identified vulnerabilities, and "prescribed solutions". Through security testing of a public chain and an exchange, the 360 ​​security team found 42 vulnerabilities, including 29 high-risk vulnerabilities that could affect the security of user accounts.

In addition to checking for vulnerabilities, the team also conducted in-depth tests on some hacker attacks and compiled a "Public Chain Penetration Testing White Paper". Wang Weibo said that the white paper will be released soon, which will analyze some security incidents, take blockchain attacks as the entry point, and deeply analyze hacker attack methods, as well as how to provide security protection against different attacks.

Wang Weibo believes that the blockchain industry is in the early stages of development and there are still many problems in terms of security. The development of blockchain technology requires security, and it is necessary to build a blockchain security ecosystem, focusing on different products such as digital currency wallets and smart contracts. At the same time, it is also necessary to implement dynamic prevention from nodes where digital currencies are generated, such as mining pools and exchanges.

Blindly launching blockchain projects is not advisable

"In addition to making blockchain technology itself more solid and trustworthy, we also face the problem of connecting the on-chain data of the blockchain with the real data." Wei Kai, director of the Cloud Computing and Big Data Research Institute of the China Academy of Information and Communications Technology, said that each industry has its own pain points when using blockchain. For example, in the traceability industry, how to ensure that the data on the chain corresponds to the product to be traced and will not be "switch"?

Whether the information written on the chain is true and can accurately reflect reality is something that blockchain technology cannot solve, and must be guaranteed by means outside the chain, such as the institutional system. Wei Kai believes that the current supporting system is lacking.

"To launch a blockchain application, you should ask four questions first," said Wei Kai. "Does the task need to record data? Does the recorded data require the participation of multiple parties? Can the multiple parties involved trust each other? If you can't find a trustworthy one, then you can consider abandoning the original carrier and using blockchain technology. The last question is, can you tolerate its lower efficiency compared to the centralized system?"

Wei Kai explained that the cost of using blockchain is also very high because it is a closed system and its efficiency is definitely not as high as that of a centralized system. At present, blockchain technology has no obvious efficiency advantages when used.

Wei Kai used "anxiety" to describe the current attitude of the industry and even the government towards blockchain. "Now more than 20 provinces and cities have issued incentive policies related to blockchain, and many places have built blockchain buildings. Have the companies in these buildings found any scenarios that must use blockchain? This question is worth everyone's deep thought." Wei Kai believes that in addition to the improvement of blockchain technology itself, policies, regulations, verification and other systems still need to be further promoted. To this end, the China Academy of Information and Communications Technology, together with 158 companies, launched the "Trusted Blockchain Promotion Plan" on April 9 to promote technical standards, industry applications, policies and regulations, etc., in order to gradually improve the favorable ecology for the development of blockchain.

This article is from Science and Technology Daily.