The vulnerability was uncovered by Interpol ‘agents', including a Kaspersky Lab expert, who found that a threat to the ‘block chain' in virtual transactions could result in the transmitted code being embedded with malware or other illegal data, including child abuse images.
Block chains explained
A block chain (or blockchain) is a network-based inviolable ledger that is fully public and is constantly being updated and confirmed by autonomous computers. In line with this technology, a sequential transaction database technique is used to keep a ledger of crypto-currency monies. Transmission of ‘bits' of data can be performed using Cipher Block Chaining (CBC) where a sequence of bits are encrypted with a cipher key applied to a single block.
Notable crypto-currencies with substantial market capitalisation sums include Bitcoin, Ripple, Litecoin, Peercoin and NXT (or Nextcoin).
Depending on the crypto-currency and its protocols, there is a fixed open space on the block chain - this public 'ledger' of transactions - where data can be stored, referenced or hosted within encrypted transactions and their records.
It is this open space which was identified as the potential target for malware.
The threat was found by an Interpol officer and a seconded specialist from Kaspersky Lab in the Research and Innovation unit at Interpol's Global Complex for Innovation (IGCI).
The design of the block chain means there is the possibility of malware being injected and permanently hosted with no methods currently available to wipe this data. This could affect 'cyber-hygiene' as well as the sharing of child sexual abuse images where the block chain could become a safe haven for hosting such data.
It could also enable crime scenarios in the future such as the deployment of modular malware, a reshaping of the distribution of zero-day attacks, as well as the creation of illegal underground marketplaces dealing in private keys which would allow access to this data.
IGCI executive director Noboru Nakatani says that conducting this type of research to identify new cyber-threats is among the key aims behind the creation of the Interpol Global Complex for Innovation.
“The biggest advantage of Bitcoin is that it is decentralised and thus a trusted third party (like a bank) is not required to complete a transaction,” said Nikhil Kaul, product manager, at SmartBear Software.
Kaul spoke to SCMagazineUK.com to explain that while the legitimacy and verification benefits provided by a decentralised block chain are not just limited to payments, security is still an issue with this technology.
“The hack of Bitcoinica which resulted in close to half a million dollars being lost is another example of security being an issue with Bitcoin. Additionally, since block chain operates on the assumption that the longest chain is the legitimate one, security challenges may also arise if any malicious data miner gets more than 50 percent of the hashing power,” said Kaul.
Decentralised systems destruction
Never knowingly offline or without an opinion is TK Keanini, CTO of Lancope. Keanini spoke to SC to say that, "These folks are clever. As a general rule, if there is a public space in your protocol whereby data can be stored and retrieved, attackers will find a way to use it as a covert channel of communication. This is not the first time this has happened and people designing protocols need to add to this their threat modeling."
Quoted in Interpol's press statement on this topic, principal security researcher at Kaspersky Lab Vitaly Kamluk has said that the core principle of research in this area is to forewarn about potential future threats coming from decentralised systems based on block chains. Kamluk confirmed that his firm “generally supports” the idea of block chain-based innovations, but thinks that there is a duty to keep these technologies clean, sustainable and useful for the purpose for which they were intended.
The research was unveiled at the Black Hat Asia 2015 event in Singapore, just weeks before the official inauguration of the IGCI.