MIT And BU Researchers Uncover Critical Security Flaw In $2B Cryptocurrency IOTA

IOTA, a $2 billion cryptocurrency that supports Internet of Things (IoT) transactions, was shown to have “serious weaknesses” according to a report recently released by researchers at MIT and Boston University.

(In a previous headline, I referred to IOTA as a blockchain. IOTA refers to itself as a "next generation blockchain" in its own tagline. More precisely, IOTA relies on a directed acyclic graph architecture.)

“When we took a look at their system, we found a serious vulnerability and textbook insecure code,” Neha Narula, director at MIT Digital Currency Initiative and one of the four researchers involved in uncovering the flaw, wrote in a blog post.

Specifically, the researchers claim they were able to break the homegrown hash function “Curl” that IOTA was using as part of its digital signature scheme to secure user funds. Further, the researchers were able to demonstrate how an attacker could then forge a user’s digital signature and use it to steal funds.
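To illustrate why a breakable hash function undermines a hash-based signature (IOTA's was a Winternitz one-time signature; the Lamport form below is its simpler textbook cousin), here is an added example that is not from the researchers' report or from IOTA's code. It uses a constructed 16-bit truncation of SHA-256 as a stand-in for a weak hash, not Curl itself, and shows that a signature made over the weak hash also verifies for a second message with the same digest, while the same scheme over SHA3-256 does not.

```python
import hashlib
import secrets

# Constructed stand-in for a weak homegrown hash: SHA-256 truncated to 16 bits.
# It is NOT Curl; it only makes second preimages cheap enough to demonstrate.
def weak_hash(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()[:2]

# Vetted alternative, in the spirit of the SHA-3 variant IOTA switched to.
def strong_hash(data: bytes) -> bytes:
    return hashlib.sha3_256(data).digest()

def digest_bits(h, msg: bytes) -> str:
    return "".join(f"{b:08b}" for b in h(msg))

def keygen(h):
    """Lamport one-time key pair: one secret pair per digest bit."""
    n = len(h(b"")) * 8
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(n)]
    pk = [(h(a), h(b)) for a, b in sk]
    return sk, pk

def sign(h, sk, msg: bytes):
    """Reveal, for each digest bit, the secret matching that bit's value."""
    return [sk[i][int(bit)] for i, bit in enumerate(digest_bits(h, msg))]

def verify(h, pk, msg: bytes, sig) -> bool:
    bits = digest_bits(h, msg)
    return len(sig) == len(bits) and all(
        h(s) == pk[i][int(bit)] for i, (s, bit) in enumerate(zip(sig, bits)))

def second_preimage(h, msg: bytes, limit: int):
    """Search up to `limit` constructed candidates for a different message
    with the same digest. Feasible only for the toy hash; returns None otherwise."""
    target = h(msg)
    for i in range(limit):
        cand = f"transfer 1000 to account B #{i}".encode()
        if cand != msg and h(cand) == target:
            return cand
    return None

def signature_transfers(h, limit: int) -> bool:
    """Sign a legitimate message, then report whether that same signature
    also verifies for a colliding message under hash `h`."""
    sk, pk = keygen(h)
    msg = b"transfer 1 to account A"
    sig = sign(h, sk, msg)
    other = second_preimage(h, msg, limit)
    return other is not None and verify(h, pk, other, sig)
```

Any digest collision makes the two messages indistinguishable to the signer, which is why the signature's security can be no better than the hash's collision resistance.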

It's important to note that IOTA has since fixed the flaw.

IOTA is currently the eighth largest cryptocurrency by market cap. The project pulled in 1,337 bitcoin (valued at $500,000 at the time) in an initial coin offering (ICO) in late 2015. And, through its Trusted IoT Alliance, the project partners with several notable companies, including Microsoft.

Installing A Patch

Researchers notified IOTA of their initial findings in late July. In response, IOTA deployed a type of software upgrade known as a hard fork, on August 7, to stop using Curl for digital signatures. During that upgrade, the cryptocurrency exchange Bitfinex halted withdrawals and deposits of IOTA for three days.

When reached for comments, Dominik Schiener, cofounder of IOTA, stated that some of the claims in the vulnerability report were "wrong," and indicated IOTA would be releasing a formal, more detailed response soon.

In that response, IOTA did not deny its Curl hash function was breakable. 

Instead, it claimed the second part of the attack — a scenario that involved forging a user's digital signature to steal funds — was “impractical” due to the complexity of the attack and the way in which the IOTA wallet and network are structured. Based on that, IOTA claimed user funds were never at risk. 

Schiener also stated that IOTA has always been upfront about the “weaknesses and unknowns” in its protocol. In June, the project published a Transparency Report, where it admitted Curl was not as vetted as "older" hash functions. 

Still, some were curious why the project took the risky step of creating its own cryptographic primitive to begin with. 

Update, Saturday, September 9, 2017 3:30 PM EST: This story has been updated to include a summary of IOTA's public response to the vulnerability report.

Rolling Your Own

Hash functions are a popular building block used in designing secure cryptographic protocols. Bitcoin, for example, uses the hash function SHA-256 in its proof-of-work. (SHA stands for "secure hash algorithm.")

Several published, industry vetted hash functions are readily available for use. But Schiener indicated IOTA needed a more “efficient” hash function to meet its high transaction demands, so developers on the project went about creating their own. 

However, the practice of so-called “rolling your own crypto” is highly frowned upon. Ethan Heilman, a PhD candidate at Boston University and one of the researchers who found the IOTA bug, indicated he was surprised IOTA even tried it.

"Every blockchain makes mistakes," he said. "Bitcoin has had a number of bugs, but Bitcoin [core developers] have always stayed away from rolling their own crypto; they’ve attempted to use industry best practices."

Similarly, Alex Halderman, a computer science and engineering professor at University of Michigan, said he was not surprised to learn that a “non-standard hash function” was found vulnerable to attack.

That's because creating a secure hash function is a really hard thing to do. It took nine years, for instance, to create the hash function known as SHA-3. Halderman compares it to creating a puzzle that's virtually impossible to solve.

But in the cryptography world, ensuring that high level of security is typically done through an open and collaborative process known as “peer review,” where new work is subject to the scrutiny of multiple experts in the field.   

“When you build your own [cryptographic puzzle] it is kind of like self-publishing,” said Halderman. “You don’t have the benefit of close inspection and feedback from the community.”

Moving Forward

IOTA has since substituted the use of Curl in its digital signatures with a variant of the SHA-3 hash function it is now calling “Kerl.” But the project has not yet waved good-bye to its previous hash function; it continues to use Curl in other parts of its protocol, including proof-of-work and transaction ID generation.

So far this year, ICO projects have pulled in $1.5 billion, according to the news site CoinDesk. Many of those projects have not been subject to a formal peer review process, which may explain why there were only three blockchain presentations at Crypto 2017, a recent conference I attended, where peer review was the norm.

Still, ICOs are coming under increasing pressure. The Securities and Exchange Commission recently issued warnings and even caused one company to revert its ICO. And China has also been clamping down on ICOs.

The work of researchers at MIT and Boston University appears to be part of a wider movement on the part of academics to step in and take a hard look at some ICO projects as well. Last month, Cornell Tech’s IC3 released a report on vulnerabilities in the 0x protocol.  

As Narula touched on in her blog post, while blockchain has removed the need for trusted third parties, we still need some kind of trust to ensure these newer protocols are safe to use – and invest in. The question is, where is that trust going to come from?