posted by Fnord666 on Sunday March 04 2018, @09:15AM
from the eclipsing-security dept.

Developers of Ethereum, the world's No. 2 digital currency by market capitalization, have closed a serious security hole that allowed virtually anyone with an Internet connection to manipulate individual users' access to the publicly accessible ledger.

So-called eclipse attacks work by preventing a cryptocurrency user from connecting to honest peers. Attacker-controlled peers then feed the target a manipulated version of the blockchain the entire currency community relies on to reconcile transactions and enforce contractual obligations. Eclipse attacks can be used to trick targets into paying for a good or service more than once and to co-opt the target's computing power to manipulate algorithms that establish crucial user consensus. Because Ethereum supports "smart contracts" that automatically execute transactions when certain conditions in the blockchain are present, Ethereum eclipse attacks can also be used to interfere with those self-enforcing agreements.

[...] Many researchers believed that the resources necessary for a successful eclipse attack against Ethereum would be considerably higher than for the Bitcoin attacks. After all, Ethereum's P2P network includes a robust mechanism for cryptographically authenticating messages, and by default peers establish 13 outgoing connections, compared with eight for Bitcoin. Now, some of the same researchers who devised the 2015 Bitcoin attack are back to set the record straight. In a paper published Thursday, they wrote:

We demonstrate that the conventional wisdom is false. We present new eclipse attacks showing that, prior to the disclosure of this work in January 2018, Ethereum's peer-to-peer network was significantly less secure than that of Bitcoin. Our eclipse attackers need only control two machines, each with only a single IP address. The attacks are off-path: the attacker controls end hosts only and does not occupy a privileged position between the victim and the rest of the Ethereum network. By contrast, the best known off-path eclipse attacks on Bitcoin require the attacker to control hundreds of host machines, each with a distinct IP address. For most Internet users, it is far from trivial to obtain hundreds (or thousands) of IP addresses. This is why the Bitcoin eclipse attacker envisioned [in the 2015 research] was a full-fledged botnet or Internet Service Provider, while the BGP-hijacker Bitcoin eclipse attacker envisioned [in the 2016 paper] needed access to a BGP-speaking core Internet router. By contrast, our attacks can be run by any kid with a machine and a script.

[...] The paper, titled Low-Resource Eclipse Attacks on Ethereum's Peer-to-Peer Network, described two separate attacks. The simplest one relied on two IP addresses, which each generate large numbers of cryptographic keys that the Ethereum protocol uses to designate peer-to-peer nodes. The attacker then waits for a target to reboot the computer, either in the due course of time, or after the hacker sends various malicious packets that cause a system crash. As the target is rejoining the Ethereum network, the attacker uses the pool of nodes to establish incoming connections before the target can establish any outgoing ones.

The second technique works by creating a large number of attacker-controlled nodes and sending a special packet that effectively poisons the target's database with the fraudulent nodes. When the target reboots, all of the peers it connects to will belong to the attacker. In both cases, once the target is isolated from legitimate nodes, the attacker can present a false version of the blockchain. With no peers challenging that version, the target will assume the manipulated version is the official blockchain.
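The connection-slot race described in the two paragraphs above, as a small added Python model written for this page (it is not code from the paper, from the article, or from geth, and it does not describe what geth v1.8 actually changed). It assumes a toy node with a total budget of 25 connections and the 13 outgoing connections the article mentions, floods it from two constructed IP addresses carrying many node keys each, and then compares the outcome with no limits, with a reserved pool of outbound slots that inbound connections cannot consume, and with a per-IP cap on inbound connections. Both limits are generic countermeasures chosen for illustration; the poisoned-table case shows why limiting inbound connections alone does not address the second technique, where the candidates the node dials are already attacker nodes.

```python
"""Toy model of the connection-slot exhaustion the article describes, plus two
generic countermeasures.  Constructed illustration for this page only; not code
from the paper, from Ars, or from geth, and not a description of geth v1.8."""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

MAX_PEERS = 25        # assumed total connection budget of the toy node
OUTBOUND_TARGET = 13  # default number of outgoing connections, per the article


@dataclass(frozen=True)
class Peer:
    node_id: str   # node key: an attacker can mint many of these per IP address
    ip: str
    honest: bool


@dataclass
class Node:
    max_peers: int = MAX_PEERS
    # Countermeasure 1 (assumed): slots that inbound connections may never consume.
    reserved_outbound: int = 0
    # Countermeasure 2 (assumed): cap on inbound connections from one IP address.
    max_inbound_per_ip: Optional[int] = None
    inbound: List[Peer] = field(default_factory=list)
    outbound: List[Peer] = field(default_factory=list)

    def accept_inbound(self, peer: Peer) -> bool:
        """Accept an incoming connection unless it would breach a limit."""
        if len(self.inbound) + len(self.outbound) >= self.max_peers:
            return False
        if len(self.inbound) >= self.max_peers - self.reserved_outbound:
            return False
        if self.max_inbound_per_ip is not None:
            per_ip = Counter(p.ip for p in self.inbound)
            if per_ip[peer.ip] >= self.max_inbound_per_ip:
                return False
        self.inbound.append(peer)
        return True

    def dial_outbound(self, candidates: List[Peer]) -> None:
        """Open outgoing connections from the peer table until the budget or target is hit."""
        for peer in candidates:
            if len(self.outbound) >= OUTBOUND_TARGET:
                break
            if len(self.inbound) + len(self.outbound) >= self.max_peers:
                break
            self.outbound.append(peer)

    def honest_fraction(self) -> float:
        """Share of the node's current peers that are honest (0.0 when fully eclipsed)."""
        peers = self.inbound + self.outbound
        return sum(p.honest for p in peers) / len(peers) if peers else 0.0


def simulate(reserved_outbound: int = 0, max_inbound_per_ip: Optional[int] = None,
             poisoned_table: bool = False):
    """Reboot scenario from the article: attacker inbound connections arrive before
    the node dials out.  Returns (honest_fraction, n_inbound, n_outbound)."""
    node = Node(reserved_outbound=reserved_outbound, max_inbound_per_ip=max_inbound_per_ip)
    # Constructed attacker pool: two documentation-range IPs, many node keys each.
    attacker_ips = ("203.0.113.1", "203.0.113.2")
    flood = [Peer(f"atk-{ip}-{i}", ip, False) for ip in attacker_ips for i in range(100)]
    for peer in flood:
        node.accept_inbound(peer)
    # Constructed peer table the node dials from.  In the second technique it has
    # been poisoned, so every candidate is an attacker node whatever the inbound limits.
    if poisoned_table:
        table = [Peer(f"atk-{ip}-tbl-{i}", ip, False) for ip in attacker_ips for i in range(50)]
    else:
        table = [Peer(f"honest-{i}", f"198.51.100.{i}", True) for i in range(1, 51)]
    node.dial_outbound(table)
    return node.honest_fraction(), len(node.inbound), len(node.outbound)


if __name__ == "__main__":
    print("no countermeasure:       ", simulate())
    print("reserved outbound slots: ", simulate(reserved_outbound=OUTBOUND_TARGET))
    print("per-IP inbound cap of 2: ", simulate(max_inbound_per_ip=2))
    print("poisoned table, reserved:", simulate(reserved_outbound=OUTBOUND_TARGET, poisoned_table=True))
```

Run it directly to see the four cases: with no limits the flood fills all 25 slots and the node never dials out, so every peer is the attacker's; reserving the 13 outbound slots or capping inbound connections per IP keeps honest outbound peers in the set; but once the table itself is poisoned, the reserved outbound slots are spent on attacker nodes too, which is why the database-poisoning technique needs a separate defense from the slot-exhaustion one.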

[...] The researchers, from Boston University and the University of Pittsburgh, warned users to protect themselves against the eclipse threat.

"Given the increasing importance of Ethereum to the global blockchain ecosystem, we think it's imperative that countermeasures preventing them be adopted as soon as possible," they wrote. "Ethereum node operators should immediately upgrade to geth v1.8."


  • (Score: 3, Insightful) by FatPhil on Sunday March 04 2018, @03:00PM (3 children)

    by FatPhil (863) on Sunday March 04 2018, @03:00PM (#647628)
    Various reasons ranging from transaction fees being too high, to confirmation being too slow, to the fact that nobody bloody takes the currencies.

    Or for a more face-palmy answer - because if they were useful as a means of exchange, then they would be actively used as a means of exchange. And they aren't. And the contrapositive therefore tells us they are therefore not.

    If you think that these things are being used for commerce rather than speculation, then your head is way up in the clouds.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 0) by Anonymous Coward on Sunday March 04 2018, @06:25PM

    by Anonymous Coward on Sunday March 04 2018, @06:25PM (#647688)

    How are transfers slow and expensive? Over 50k made today for practically free (10^-7 to 10^-8 btc per byte) in under an hour: https://bitcoinfees.earn.com/ [earn.com]

  • (Score: 3, Insightful) by requerdanos on Sunday March 04 2018, @10:38PM (1 child)

    by requerdanos (5997) on Sunday March 04 2018, @10:38PM (#647751)

    Why isn't gold (the metal) used as a medium of exchange?

    Various reasons [such as] nobody bloody takes [it.] Or for a more face-palmy answer - because if [gold was] useful as a means of exchange, then [it] would be actively used as a means of exchange. And [it isn't]. And the contrapositive therefore tells us [that it] therefore [is not].

    All true. Despite this, gold is still a pretty popular investment. It has been used as a medium of exchange, but the problems with that approach mean that we store wealth in gold, but trade something else.

    Substitute your (most or least) favorite cryptocurrency, investment instrument, other metal or solid object, etc. for "gold" in the above just as you like.

    Usefulness as a medium of exchange is something that not a lot of cryptocurrencies are getting right, but like gold, they still have their uses.

    • (Score: 2) by FatPhil on Monday March 05 2018, @06:57AM

      by FatPhil (863) on Monday March 05 2018, @06:57AM (#647887)
      They (cryptos) are not stores of value. They can, and many have, gone to nigh on zero. Ditto equities. Ditto some fiat currencies.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves