It’s All FUD: Reports of Crypto Vulnerabilities Are Often Exaggerated
- The reporting on the crypto industry is often exaggerated in tone and framing.
- It's worth keeping in mind that security flaws are regularly uncovered throughout the tech industry.
Much of the world is scared of crypto. The U.S. Federal Reserve officials have deemed bitcoin a threat to financial stability, economists regard bitcoin as a giant 'bubble,' and banks have suggested that cryptocurrencies present a significant threat to their business models.
It would seem that such fear has now infected perceptions of crypto's cybersecurity. In April, it was reported that researchers at Israel's Ben-Gurion University had discovered a way to steal private crypto keys from air-gapped wallets, which are physically separated from the internet.
However, while the article's headline alarmingly raised the possibility that funds could be stolen from such wallets, the hack came with a caveat. Namely, the research assumed that the air-gapped wallet was already affected with malware. But as Symantec cybersecurity researcher Candid Wüest told Cryptonews.com, “If [the wallet is] a special purpose-built device that only runs trusted signed code, then the likelihood of a compromise is very small, unless the attacker has physical access.”
The Ben-Gurion research is therefore very limited in its scope, while much of the other research on the cybersecurity of crypto systems relies on similarly contingent assumptions. Still, this doesn't stop minor vulnerabilities from being covered by the media as if they were serious, thereby needlessly adding to the fear, uncertainty and doubt surrounding crypto.
The internet of bugs?
Another example of supposed crypto vulnerability arrived in February, when it was reported in The Next Web that IOTA – a decentralised internet of things platform – was vulnerable to replay attacks. Such attacks occur when an attacker reuses a hash produced by another user. This enables the attacker to steal cryptocurrency in cases where that other user still has funds remaining in the wallet encoded by the hash.
However, it soon emerged in the backlash to TNW's article that it isn’t possible to have funds left over in an IOTA wallet, since the platform's protocol ensures that all wallets are one-time use only.
It was therefore claimed in a Medium blog post by the IOTA Foundation that the transactions had been produced by the researcher using a test network he created that didn't apply the full IOTA protocol. As IOTA co-founder Dominik Schiene told TNW in response to its article, "There is no vulnerability. Make that the headline."
(Not) Ledger's flaws
Another case of somewhat misleading vulnerability reporting involves the hardware wallet manufacturer Ledger. In February, it was reported that the Ledger Nano S could be compromised by a hacker if they uploaded malware to the non-secure part of the device (the part which communicates with other devices).
Such a ruse is possible, however, only if the attacker gains physical access to the wallet before it comes into the hands of its owner. Known as a 'supply-chain attack,' it just won't happen if the owner purchases their device from Ledger itself or from a reputable vendor.
Another exaggerated claim regarding Ledger related to how all their devices were supposedly susceptible to 'man-in-the-middle' attacks. In other words, Ledger's Google Chrome app could be infected with malware that causes the hacker’s wallet address to be displayed instead of the user’s. But as Ledger pointed out in a blog post, it "is not a Ledger security flaw," since it didn't affect the device itself (which can be checked directly for the true recipient address), but the user's computer.
A tech problem
Such examples highlight how much of the reporting on the crypto industry is often exaggerated in tone and framing, presenting highly contingent vulnerabilities as if they were inherent to the systems being covered. That said, there is indeed much in the cryptocurrency space that isn't entirely unsafe, as indicated by the Verge attack and Coincheck hack.
But for the sake of balance, it's worth keeping in mind that security flaws are regularly uncovered throughout the tech industry (including Apple, Google, Microsoft, Intel, Facebook, LinkedIn, WhatsApp, Skype).
Candid Wüest said:
“As devices and software are generated by human beings, there is always the chance that some vulnerability can be found and exploited by an attacker […] as recent chip vulnerabilities have shown, there are a lot of parts [in any system or device] that need to be secured and should not be forgotten.”
It’s therefore not the case that the crypto world is any less safe than any other, no matter what certain news outlets might have you believe.