Sebastian Gajek is Professor of Cryptography and Information Security and founder of Weeve, a startup in the Berlin ecosystem that brings IoT and Blockchain together. We talk with Mr. Gajek about cybersecurity and vulnerabilities in crypto industry and community.
Cyril Gilson: What can be done to prevent from happening someone hacking nodes in Blockchain, the problem similar to what happened with EOS?
Sebastian Gajek: The recent attack against EOS is about using vulnerabilities in their software that allows to hack the nodes. The consequence was that the attackers could extract secret key material and this allows them to fully control the nodes. It is the worst thing that can happen to any consensus protocol.
We have developed a very special operation system called the WeeveOS. It is an open-source project available on our GitHub. The operating system leverages cutting-edge security and privacy technologies. So, for example, we use a technique in order to isolate the secret keys from the rest of the operating system. This means in the case of EOS if WeeveOS operating system had been in place when the attacker compromised the nodes, they had got control over the nodes but were unable to extract the secret keys.
This way you have more security and more trust in the network. We are going to release our operating system officially at Ethereum Dev Conference. A pre-release of the WeeveOS is already available through our GitHub.
We believe a lot of Blockchain technologies like EOS, like Ethereum, like HyperLedger really need to secure the nodes. It looks like no one really tackles this problem right now. This is bad because consensus protocols only work when one can trust the nodes. But for this you really need some super strong security technologies, otherwise, you will not get the trust by the quorum.
Other vulnerabilities
CG: What other vulnerabilities do you see lately?
Sebastian Gajek: It’s like the general problem with cybercrimes: nodes are just some kind of programs, programs are written by humans and humans make mistakes. It’s natural right? Otherwise, humans would be machines.
Making mistakes is part of our genes. It looks that programming, for example, smart contracts, is like a new art.
People are now trying to understand what it really takes in order to program a proper smart contract. This is one main source where I see a lot of attacks and where devs really have to do better due diligence, take more care and verify whether the smart contract makes sense.
For example, ICOs might have fragile smart contract tokens and could be subject to those attacks.
False smart contracts
CG: Could you give some examples of this?
Sebastian Gajek: The number one running example is the DAO. That was the greatest example, showcasing what happens if you design the smart contract in a false way. The result was clear, a lot of coins have been shifted differently than expected.
This is a canonical example showcasing you have to put a lot of care in designing smart contracts, and the same holds now for designing the programs that implement nodes. The attack I described against EOS is based on a similar problem. One where developers develop just design some kind of code and have not been careful enough.
CG: Is there a way for individual investors in crypto to find out how secure is the system? Some indicators?
The point is the whole Blockchain technology is still young in comparison to other IT industries. I see now first consulting companies building up exactly a kind of business to figure out whether a smart contract is vulnerable. Similar services have to be applied, for example in order to verify whether the nodes are also free from vulnerabilities.
Again this is ongoing work because people first of all have to learn how to properly program and then other people will build up services on top of that in order to verify whether the programming was correct.
Blockchain will change the Internet. It’s just a matter of time until these consulting companies will figure out there’s a huge cake, so they will hire specialists that do have the right skills, in order to give you a better understanding of what’s good or bad.
CG: Before deciding whether to take part of ICOs or not, investors check the team, go over some lists, but I don’t think security is even in the top three points to check. What shall they do?
Sebastian Gajek: You are totally right, if I were an investor, I would really go through the points you mentioned, but I would also look who designed the contract. Because in the end, it’s all about reputation.
You really need to choose a smart contract design team that has a lot of credibility. That was one of the reasons why we have chosen to work together with ConsenSys because they have the leading experts in Ethereum development.