According to Ernst & Young, over 10% of the $3.7 billion raised by Initial Coin Offerings in 2017 was stolen. This is an incredible share of numerous businesses’ capital going straight into the pocket of cyber criminals.
However, this figure is considerably less shocking when you consider that a Positive.com security audit of ICO projects in 2017 found that the average ICO contains no less than five security vulnerabilities, which could each be exploited by a cyber criminal.
Almost half of these vulnerabilities were of medium or high security, which indicates the ease of which they could be discovered and used by criminals. But severity aside, it only takes one vulnerability for attackers to get in and, of all the security audits conducted by Positive.com in 2017, only one did not contain at least one critical flaw.
The bottom line is that ICOs are being constructed with serious holes in them. Worse still, as the numbers from EY show, cyber criminals are taking advantage. Companies running ICOs are drawing huge sums of money in a very narrow window of time. If something goes wrong once the ICO is live, there little room for manoeuvring and precious little legal recourse that can realistically be taken. It’s the perfect conditions for cyber criminals to exploit. There is a high financial motivation and they’ve been drawn to ICOs like sharks drawn to churn in the water.
The consequence of an attack? Well there’s two parties that could be affected there: the ICO organisers and the investors. Just one vulnerability is enough for attackers to steal investors’ money and do irreparable damage to the corporate reputation of the ICO organiser.
The need to patch these holes is apparent but organisations are working on short time frames and might not realise where they are most vulnerable. So what are the main points of weakness? The team found vulnerabilities could be divided into five groups:
Vulnerabilities in smart contracts
The smart contract between the company and investors is the heart and soul of the ICO – it’s the method of collection. Which is why it is so concerning that 71 percent of tested projects contained vulnerabilities in smart contracts – accounting for a third of all vulnerabilities found in ICOs. Typically, this is due to a lack of programmer expertise and insufficient source code testing. Even though there are solid attempts to make contract development easier and more secure like OpenZeppelin and ConsenSys, dev teams are under time pressure. This leads to mistakes, and all it takes is a single vulnerability to give an attacker a window of opportunity.
>See also: How to ensure Initial Coin Offering safety
This is a particular issue because once an ICO starts, the contract cannot be changed and is public, meaning anyone can view it and look for flaws that could be exploited. This constraint has resulted in a number of high profile incidents, including the recent BatchOverFlow bug and the Parity Wallet vulnerability in late 2017.
Vulnerabilities in web applications
Hackers have, for years, used vulnerabilities in websites and other connected applications as a point of breach. Once through, it is only a hop, skip and jump into databases, web servers and other crucial infrastructure. Half of all audits revealed vulnerabilities in ICO web applications, a huge risk with unauthorised control of a website and its contents. This could potentially result in multi-million dollar losses in just minutes.
It’s also not always advanced attacks such as remote code execution. Hackers can use simpler methods, such as simply modifying your landing page and switching their own address with that of the ICO. Defacement, if done properly, is very hard to notice, until an investor realises tokens haven’t arrived, and the company realises their funds have, in fact, been going to another address.
Vulnerabilities allowing attacks against ICO organisers
ICO organisers are a vulnerable target for cyber criminals, operating at a critical time for their business with a lot of balls to juggle and a large amount of new investment coming on board.
The data shows that one in three ICOs had flaws that could enable attacks against organisers, and these can come in many guises. Strategies can include hijacking the email account of the ICO organiser, using information on social networks, gaining text message information from darknet merchants or social engineering techniques to bypass two-factor authentication, for example.
Something as simple as hijacking an organiser’s email account can have direct consequences. From there, attackers can reset the password for the ICO domain or web host, and subsequently replace the wallet address. This is what happened to Coindash.io, resulting in a $7 million loss.
Vulnerabilities allowing attacks against investors
Social engineering attacks that target investors are also a path for hackers. URL Phishing which directs investors to a clone address are increasingly commonplace and perhaps the most difficult vector for an ICO to protect against, because it is out of their control. Adversaries register a large number of tricky domains and social media accounts and pretend to be the ICO, luring unsuspecting victims onto their compromised website. For example, an ICO’s domain might be ‘example.com’ and the attacker sends people to ‘examp1e.com’ – with a request for financial information.
This risk can be mitigated by smart pre-planning by ICO teams, registering all possible versions of the project domain name, misspellings and signing up/registering names on social media accounts. It’s a simple solution but ICO teams shouldn’t brush this aside – 23% of projects tested by Positive.com experts contained flaws that use attacks against investors.
Vulnerabilities in mobile applications
Created by some ICO teams for investor convenience, mobile applications have become a critical point of weakness. On average, mobile apps had 2.5 times more vulnerabilities than web apps and, alarmingly, vulnerabilities were detected in 100 percent of ICO mobile applications.
>See also: Israel on the way to regulate ICOs
The most common flaws found include insecure data transfer, storage of user data in backups and session ID disclosure. These flaws may be useful in gaining details about a project, its organisers, and investors, which can be used by attackers in the attacks against organisers and investors outlined above.
Patching the leak
In an ICO, time is of the essence, and short time frames mean that anticipating attacks well in advance is critical for avoiding financial losses. The second a company goes public with an intention to do an ICO, it’s waving a huge flag to cybercriminals that it’s both valuable and also in a very vulnerable phase of its company growth. All ICO organisers must recognise that they are a target, ignorance is not an excuse.
ICO teams have a responsibility to their investors to ensure their security posture is as robust as possible. Losses as recorded in 2017 are not sustainable. Investors are not infinite and will shy away from projects if they think the risk – criminal as well as financial – is too high. Cybercriminals are the culprit but, if their ICOs are littered with vulnerabilities, organisers are the ones taking an irresponsible risk with investor money, and the consequences can be devastating for everyone involved.
Sourced by Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive.com