Dark Reading is part of the Informa Tech Division of Informa PLC


The Weakest Security Links in the (Block)Chain

Despite the technology's promise to transform how business is done, there are significant limitations and potential risks at the intersection of the digital and physical worlds.

There is no lack of buzz around blockchain. Though commonly known in relation to cryptocurrencies, blockchain is moving beyond financial services and will become an integral part of all future commercial transactions.

Despite the technology's promise to transform business operations, there are significant limitations and potential risks that are often overlooked. Those risks reside at the intersection of the digital and physical worlds. The good news is that there are solutions to address those risks, but adopters of blockchain first need to recognize that they exist.

The Security Value Premise of Blockchain
Fundamentally, blockchain technology enables the recording of events or transactions on a distributed ledger. This ledger is shared and accessible to all participants, not owned by any, and records data securely, immutably, and permanently. Essentially, a blockchain is a constantly growing set of interdependent blocks containing data, with each block recording an event or transaction. The game changer is that those blocks are distributed across a decentralized network, and every member of the network has his or her own copy of the entire blockchain.

If blockchain essentially is a digital record keeper, then blockchain is only valuable if those records can be trusted. Blockchain is trustworthy because of the decentralized nature of the network and the new database structure. The broad distribution of many copies of the blockchain provides an unprecedented level of trust because no single party controls the data and there is no single point of failure or tampering risk. Any authorized amendment to a pre-existing transaction is done by creating a new block — the original block remains intact and becomes part of the permanent history. 

Possible Problems
The value of blockchain is the guarantee of immutable data throughout the entire chain. But the digital world increasingly needs to connect and interact with the physical world. Although the security of the blockchain architecture is well established, its value is severely compromised if you can't ensure the same level of security for data before it is recorded into, or after it is accessed from, the blockchain. Only when this problem is successfully addressed can you claim to have an end-to-end solution.

In other words, the problem with migrating blockchain outside of financial services and into distributed edge computing applications — especially, the Internet of Things (IoT) and the Industrial Internet of Things (IIoT) — is that data can be corrupted before it's added to the blockchain. If corrupt data infiltrates the blockchain, the benefits are lost.

In the real world (that is, in commercial, industrial, supply chain, IoT, and IIoT applications), the ends of the blockchain are the physical assets. For the data and records to get into the blockchain, companies need an interface and physical data storage for the data related to those assets.

Most hardware isn't secure — whether it's the storage or the interface, there is frequently a direct trade-off between security and usability. Additionally, the most common memory architectures used today are specifically designed to allow simple access and reprogramming, almost inviting tampering by bad actors. Data manipulated before being added to the blockchain would be unreliable, rendering the entire chain of trustworthy transmission and recording useless.

Trustworthy Data at the Edge: A New Approach to Distributed Hardware
With the rise of edge computing, security breaches at the edge of the network continue to plague businesses. Achieving data security at the hardware level offers users a consistent level of confidence both within and without the blockchain.

A new approach to protecting data at the edge is to securely embed it into the physical things and assets to which it relates. By placing highly secure chips directly on assets, critical assets or process data can be reliably stored, written, read, and exchanged in the distributed physical environment. Highly durable and rugged memory can ensure the data survives extreme environmental conditions regardless of where the asset travels.

Using this approach, data and documents can be stored at the point of use, directly onto physical assets in a distributed environment, and the information can be exchanged with the network using IoT or other communication or networking environments and protocols. Securing the data at the physical level ensures anything recorded in the blockchain is also trustworthy end-to-end.
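The argument of the last two sections, as an added example that is not part of the original article: a hash-chained ledger detects edits made after recording but accepts a reading altered before recording, unless the reading is authenticated at its source. The HMAC with a per-device key is an assumed stand-in for the on-asset secure chip, and all names and sample values are constructed for illustration.

```python
import hashlib, hmac, json

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_block(chain, record):
    """Each block commits to the previous block's hash."""
    prev = chain[-1]["hash"] if chain else "0" * 64
    body = {"index": len(chain), "prev": prev, "record": record}
    chain.append({**body, "hash": _digest(body)})

def chain_is_intact(chain):
    """Detects edits made after recording; it cannot judge the input itself."""
    prev = "0" * 64
    for block in chain:
        body = {k: block[k] for k in ("index", "prev", "record")}
        if block["prev"] != prev or block["hash"] != _digest(body):
            return False
        prev = block["hash"]
    return True

def _tag(device_key, reading):
    msg = json.dumps(reading, sort_keys=True).encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()

def tag_reading(device_key, reading):
    """Assumed role of the on-asset chip: authenticate the reading at source."""
    return {"reading": reading, "tag": _tag(device_key, reading)}

def ingest(chain, device_key, signed):
    """Gateway check: only readings whose tag verifies reach the ledger."""
    if not hmac.compare_digest(_tag(device_key, signed["reading"]), signed["tag"]):
        return False
    append_block(chain, signed)
    return True

def demo():
    key = b"constructed-demo-key"  # stands in for a key sealed inside the chip
    reading = {"asset": "pallet-17", "temp_c": 4.1}  # constructed sample
    altered = {**reading, "temp_c": 19.8}  # changed before it reaches the ledger
    naive, secured = [], []
    append_block(naive, altered)  # no source check: bad data is recorded
    bad_data_chain_ok = chain_is_intact(naive)
    signed = tag_reading(key, reading)
    forged_ok = ingest(secured, key, {"reading": altered, "tag": signed["tag"]})
    genuine_ok = ingest(secured, key, signed)
    secured[0]["record"]["reading"]["temp_c"] = 19.8  # edit after recording
    return bad_data_chain_ok, forged_ok, genuine_ok, chain_is_intact(secured)
```

`demo()` returns, in order: whether the chain holding the altered reading still verifies, whether the forged reading was accepted at ingestion, whether the genuine reading was accepted, and whether the chain still verifies after a recorded block is edited.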

Real-World Applications of Blockchain at the Edge, in IoT and IIoT
One of the most natural applications of blockchain and secure distributed asset data is the multiparty, multitouch, highly decentralized world of supply chain management. Asset-level secure data combined with a blockchain architecture provide multilevel visibility across the global supply chain, decreased administrative costs, and authentication against counterfeit products. The benefits are clear — increased traceability of products and assets to ensure corporate and regulatory standards are met; improved visibility and compliance when outsourcing manufacturing; verification of origin and pedigree of products in the supply chain, eliminating losses from counterfeiting; and reduced paperwork and administrative costs.

Several industries have already taken the lead on deploying embedded asset intelligence or blockchain technologies — from highly vulnerable products of healthcare, pharma and food companies, to unique use cases of luxury goods companies, high-end manufacturers, and aerospace players. Those companies have been using tags, chips, sensors, and software applications to track, secure, and validate origin of products, trace all the way from manufacturer to end user, and enable anyone in the chain with information and insights along the way.

Blockchain's distributed ledgers are a potent way to securely capture and share transaction and other business information, driving improvements in existing business processes and new ways of doing business. In the real economy, the blockchain needs to reflect data derived from myriad connections to physical things. That intersection of blockchain and hardware, the interface where data are fed to the blockchain and where they are stored at the edge, is where the otherwise immutable chain is the weakest. Fortunately, technologies to securely store and embed data into physical things already exist and can be utilized to further fortify the entire chain and help deliver on its enormous promises.




Drew Peck is an Executive Director at Tego. He currently serves in an advisory capacity on several semiconductor company boards, focusing on IP and finance issues. He has been involved in the semiconductor industry for 40 years, first in ...

User Rank: Apprentice
9/11/2018 | 8:01:43 PM
Ensuring Data Provenance in Trustworthy Systems with K of N Multiparty Access and Hardware Roots of Trust
The efficiency and process streamlining that blockchain offers to business and investment has been established in recent years. The potential for providing rapid transit for funds, goods and services and a host of digital assets packaged as tokens appears to be unlimited. Technology embodied in smart contracts and decentralized applications (DApps) has extended far past the initial financial services applications to defense, critical infrastructure, manufacturing, marketing, distribution and supply chain management. The recent explosion in IoT technology and its obvious synergy with blockchain promises untapped power and reach of blockchain-enabled technology. Achieving its potential will require early addressing of vulnerabilities and ensuring security in the design and implementations of both.

SPYRUS FIPS 140-2 Level 3 certified Hardware Security Modules draw on over two decades of proven performance to provide the strongest possible security for such critical applications as PKI-based identity management, data security, data integrity, and non-repudiation.

The security solutions outlined in this paper have been proven in military and commercial IT use cases. Certified high-assurance hardware repositories based on secure authentication and encrypted storage ensure data provenance and ensure trustworthy computing environments.

Download the SPYRUS Blockchain Security Product Overview to understand our solutions.