
Security firm releases flawed blockchain into the wild to help educate hackers

Get hacking, hackers


Despite their reputation for security, blockchains can still contain exploitable vulnerabilities that compromise them. One security firm thinks it can help with that, and it believes the key to building more secure blockchains is to start with a deliberately insecure one.

Cybersecurity firm, Kudelski Security, has announced that it will be demonstrating its deliberately insecure blockchain at the Black Hat USA infosec convention in Las Vegas next month. The company claims it’s the industry’s first intentionally vulnerable blockchain.

Kudelski Security’s blockchain, called FumbleChain, is designed to be deliberately vulnerable so that budding hackers can practise their trade and try to break it. In doing so, the firm hopes to learn how attackers exploit decentralized systems and, eventually, how to build more secure blockchains.

“There is a common misconception that blockchains are inherently secure, but the reality is that the technology is incredibly nuanced and complex, and a great deal of attention must be paid to its underlying security and cryptography,” said Nathan Hamiel, head of cybersecurity research at Kudelski Security.

FumbleChain runs a spoof ecommerce application called FumbleStore. In cybersecurity terms, FumbleStore is a CTF (capture the flag) style hacking game. In a CTF, participants compete to break into (or defend) computer systems and prove each success by capturing a “flag,” typically a secret string that can only be obtained by exploiting the target.

This approach to cybersecurity education is common in the industry. DVWA (Damn Vulnerable Web Application), for example, is a deliberately broken web app designed to teach users about web application security.

FumbleChain is written in Python, a language that is easy to read and modify, to make it simpler for CTF participants to study and alter its source code. The blockchain’s code is also modular, so new CTF or hacking challenges can be added over time, presumably as old ones run their course or become irrelevant.

Kudelski Security’s blockchain is available as a code repository on GitHub and as a web-based demo.

If you fancy yourself as a bit of a hacker, go and take a look at the FumbleChain demo and see if you can break the blockchain. But be careful: Kudelski warns that running the demo might expose your machine to attacks, which is what you would expect from software that is intentionally vulnerable, so it is best run in an isolated environment rather than on a machine you care about.

Published July 26, 2019 — 12:38 UTC