9/5/2018 02:30 PM

The Weakest Security Links in the (Block)Chain

Despite the technology's promise to transform how business is done, there are significant limitations and potential risks at the intersection of the digital and physical worlds.

There is no lack of buzz around blockchain. Though commonly known in relation to cryptocurrencies, blockchain is moving beyond financial services and will become an integral part of all future commercial transactions.

Despite the technology's promise to transform business operations, there are significant limitations and potential risks that are often overlooked. Those risks reside at the intersection of the digital and physical worlds. The good news is that there are solutions to address those risks, but adopters of blockchain first need to recognize that they exist.

The Security Value Premise of Blockchain
Fundamentally, blockchain technology enables the recording of events or transactions on a distributed ledger. This ledger is shared and accessible to all participants, not owned by any, and records data securely, immutably, and permanently. Essentially, a blockchain is a constantly growing set of interdependent blocks containing data, with each block recording an event or transaction. The game changer is that those blocks are distributed across a decentralized network, and every member of the network has his or her own copy of the entire blockchain.

If blockchain essentially is a digital record keeper, then blockchain is only valuable if those records can be trusted. Blockchain is trustworthy because of the decentralized nature of the network and the new database structure. The broad distribution of many copies of the blockchain provides an unprecedented level of trust because no single party controls the data and there is no single point of failure or tampering risk. Any authorized amendment to a pre-existing transaction is done by creating a new block — the original block remains intact and becomes part of the permanent history. 

Possible Problems
The value of blockchain is the guarantee of immutable data throughout the entire chain. But the digital world increasingly needs to connect and interact with the physical world. Although the security of the blockchain architecture is well established, its value is severely compromised if you can't ensure the same level of security for data before it is recorded into, or after it is accessed from, the blockchain. Only when this problem is successfully addressed can you claim to have an end-to-end solution.

In other words, the problem with migrating blockchain outside of financial services and into distributed edge computing applications — especially the Internet of Things (IoT) and the Industrial Internet of Things (IIoT) — is that data can be corrupted before it's added to the blockchain. If corrupt data infiltrates the blockchain, the benefits are lost.

In the real world, the ends of the blockchain are physical assets. In commercial, industrial, supply chain, IoT, and IIoT applications, for the data and records to get into the blockchain, companies need an interface and physical data storage for the data related to those assets.

Most hardware isn't secure. Whether it's the storage or the interface, there is frequently a direct trade-off between security and usability. Additionally, the most common memory architectures used today are specifically designed to allow simple access and reprogramming, almost inviting tampering by bad actors. Data manipulated before being added to the blockchain would be unreliable, rendering the entire chain of trustworthy transmission and recording useless.

Trustworthy Data at the Edge: A New Approach to Distributed Hardware
With the rise of edge computing, security breaches at the edge of the network continue to plague businesses. Achieving data security at the hardware level offers users a consistent level of confidence both inside and outside the blockchain.

A new approach to protecting data at the edge is to securely embed it into the physical things and assets to which it relates. By placing highly secure chips directly on assets, critical asset or process data can be reliably stored, written, read, and exchanged in the distributed physical environment. Highly durable and rugged memory can ensure the data survives extreme environmental conditions regardless of where the asset travels.

Using this approach, data and documents can be stored at the point of use, directly onto physical assets in a distributed environment, and the information can be exchanged with the network using IoT or other communication or networking environments and protocols. Securing the data at the physical level ensures anything recorded in the blockchain is also trustworthy end-to-end.
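As an added example (not code from the article or its author), a minimal hash-chained ledger in Python makes both points above concrete: recomputing hashes and links catches a block edited after it was recorded, but a ledger that only hashes what it is handed cannot tell a reading corrupted in transit from a genuine one; a key that stays on the asset (a constructed HMAC key standing in for a secret held in an embedded secure chip) lets the ingest point reject such readings before they ever reach the chain. Device IDs, keys and readings are all constructed.

```python
import hashlib
import hmac
import json

DEVICE_KEYS = {"sensor-7": b"constructed-secret"}  # constructed; stands in for a secure-chip key

def block_hash(block):
    """Hash the block's content, including the link to its predecessor."""
    body = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def sign_reading(device_id, payload):
    """Edge device authenticates its reading with a key that never leaves the chip."""
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(DEVICE_KEYS[device_id], msg, hashlib.sha256).hexdigest()

def reading_is_authentic(device_id, payload, tag):
    """Ingest gate: accept a reading only if the device tag verifies over this exact payload."""
    return hmac.compare_digest(tag, sign_reading(device_id, payload))

def append_block(chain, device_id, payload):
    """Ledger layer: link whatever it is given to the previous block; it cannot judge the input."""
    prev = chain[-1]["hash"] if chain else "0" * 64
    block = {"index": len(chain), "prev": prev, "device": device_id, "data": payload}
    block["hash"] = block_hash(block)
    chain.append(block)
    return block

def chain_is_intact(chain):
    """Recompute every hash and link; this catches edits made after recording."""
    for i, block in enumerate(chain):
        if block["hash"] != block_hash(block):
            return False
        if i and block["prev"] != chain[i - 1]["hash"]:
            return False
    return True

def demo():
    genuine = {"temp_c": 4.0, "lot": "LOT-001"}   # constructed sample reading
    forged = {"temp_c": 9.9, "lot": "LOT-001"}    # same reading altered before recording
    tag = sign_reading("sensor-7", genuine)       # tag produced on the asset itself
    chain = []
    append_block(chain, "sensor-7", genuine)
    rejected = not reading_is_authentic("sensor-7", forged, tag)   # gate stops the forgery
    naive = []
    append_block(naive, "sensor-7", forged)       # no gate: corruption enters the chain
    accepted_naive = chain_is_intact(naive)       # and the chain looks perfectly valid
    chain[0]["data"]["temp_c"] = 9.9              # edit a block after it was recorded
    caught_after = not chain_is_intact(chain)     # the chain itself catches this one
    return caught_after, accepted_naive, rejected
```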

Real-World Applications of Blockchain at the Edge, in IoT and IIoT
One of the most natural applications of blockchain and secure distributed asset data is the multiparty, multitouch, highly decentralized world of supply chain management. Asset-level secure data combined with a blockchain architecture provides multilevel visibility across the global supply chain, decreased administrative costs, and authentication against counterfeit products. The benefits are clear — increased traceability of products and assets to ensure corporate and regulatory standards are met; improved visibility and compliance when outsourcing manufacturing; verification of origin and pedigree of products in the supply chain, eliminating losses from counterfeiting; and reduced paperwork and administrative costs.

Several industries have already taken the lead on deploying embedded asset intelligence or blockchain technologies — from the highly vulnerable products of healthcare, pharma, and food companies, to the unique use cases of luxury goods companies, high-end manufacturers, and aerospace players. Those companies have been using tags, chips, sensors, and software applications to track, secure, and validate the origin of products, trace them all the way from manufacturer to end user, and equip anyone in the chain with information and insights along the way.

Blockchain's distributed ledgers are a potent way to securely capture and share transaction and other business information, driving improvements in existing business processes and new ways of doing business. In the real economy, the blockchain needs to reflect data derived from myriad connections to physical things. That intersection of blockchain and hardware, the interface where data is fed to the blockchain and stored at the edge, is where the otherwise immutable chain is the weakest. Fortunately, technologies to securely store and embed data into physical things already exist and can be utilized to further fortify the entire chain and help deliver on its enormous promises.

Drew Peck, Executive Director at Tego
Drew Peck is an Executive Director at Tego. He currently serves in an advisory capacity on several semiconductor company boards, focusing on IP and finance issues. He has been involved in the semiconductor industry for 40 years, first in ...
Comments

turissde, User Rank: Apprentice, 9/11/2018 | 8:01:43 PM
Ensuring Data Provenance in Trustworthy Systems with K of N Multiparty Access and Hardware Roots of Trust
The efficiency and process streamlining that blockchain offers to business and investment has been established in recent years. The potential for providing rapid transit for funds, goods and services and a host of digital assets packaged as tokens appears to be unlimited. Technology embodied in smart contracts and decentralized applications (DApps) has extended far past the initial financial services applications to defense, critical infrastructure, manufacturing, marketing, distribution and supply chain management. The recent explosion in IoT technology and its obvious synergy with blockchain promises untapped power and reach of blockchain-enabled technology. Achieving its potential will require early addressing of vulnerabilities and ensuring security in the design and implementations of both.

SPYRUS FIPS 140-2 Level 3 certified Hardware Security Modules draw on over two decades of proven performance to provide the strongest possible security for critical applications such as PKI-based identity management, data security, data integrity, and non-repudiation.

The security solutions outlined in this paper have been proven in military and commercial IT use cases. Certified high-assurance hardware repositories based on secure authentication and encrypted storage ensure data provenance and ensure trustworthy computing environments.

Download the SPYRUS Blockchain Security Product Overview to understand our solutions.