A titanic technology: Why blockchain security needs to shape up or ship out

Luke Turvey is a security consultant at Pen Test Partners who specialises in blockchain security. He regularly writes about the potential application of the technology, from securing the Internet of Things (IoT) to enabling business departments to securely access data, to the Maritime sector. Luke has also debated the potential for compromise, highlighting the vulnerability of this distributed architecture to attack through wallet compromise, for instance, and has pioneered the concept of resilience testing and the hardening of Blockchain. As a CHECK Team Leader, Luke is actively engaged with carrying out security testing and reporting on behalf of commercial clients on a daily basis and continues to study Ethical Hacking and Network Security. He also holds a BSc degree from Coventry University.

Blockchain in the context of the maritime industry has the potential to radically transform and simplify the supply chain. From cargo to customs, boat loading to banks, blockchain could provide a secure mechanism to enable the exchange of documents and payments on an unprecedented scale by doing away with numerous systems and data silos.

It’s this reasoning that saw Maersk Line announce its intention to partner with IBM to develop a commercial blockchain company for the shipping sector and why initiatives such as the Blockchain in Transport Alliance (BiTA) continue to attract hundreds of members with UPS the latest to join its ranks.

But is blockchain really a silver bullet solution for shipping? Yes, the system is distributed resulting in a system with no single point of failure and yes, it is immutable – but that doesn’t make it infallible. Blockchain can be attacked or hacked in a number of ways.

Access all areas

Firstly there’s the prospect of Private Key Compromise. Gain access to the user’s private key address (aka the wallet) and you can control their transactions. Wallets are protected using passwords therefore this will only be as secure as the password. Poor password management can see passwords easily cracked and once a genuine account is compromised the attacker can then carry out illegitimate activity.

Secondly, blockchain relies upon encryption and as history shows cryptography can age and become susceptible. Encryption standards such as CBC, RC4, MD5 and SHA1 have all become outmoded due to technological advancement. Quantum computing could see the encryption used by blockchains cracked requiring a move to a new form of encryption. At the point of compromise in order to remediate the issue, all old transactions and wallets would be frozen and a new blockchain would start afresh from the last frozen block using the new encryption standard causing widespread disruption and with cost implications that could undermine adoption.

Miner mayhem

Then there’s the prospect of corruption through ownership. Miners work with the ledger to reach a consensus which ensures the security of the network therefore the theory goes that the more miners there are the more secure the network will be. But if you control the majority of those miners you could also potentially control the network and historical data. Alternatively, we could see malware attacks capable of deleting the ledger on all nodes eradicating historical data.

We also need to consider the physical presence of the miners, which brings us to the fourth issue. Ship operators may have little alternative but to keep miners onboard given satellite costs and bandwidth constraints creating a physical point of compromise. The sheer scale of operations could also lead to demands for disk space resulting in the hard disk becoming full and the ledger not being updated.

To get around this problem, operators may decide to have fewer miners on the blockchain to keep down hard disk storage costs. Fewer miners leads to less consensus, less distribution and less security.

Jumping the gun

Finally, there’s the issue of smart contracts – otherwise known as decentralised applications – which brings a whole new set of vulnerabilities into the mix. We’ve already seen blockchain applications with flaws that have been abused. The DAO hack is a case in point. An attacker ran a coded function before it should have been executed and stole millions of dollars by becoming the owner of the very wallets which the program had created. They effectively jumped the gun and triggered an expected action before it could be completed legitimately. Many blockchain exchanges and wallets have been hacked in a similar fashion.

These issues all concern the blockchain itself; we haven’t even begun to touch on other issues that could result from how blockchain interfaces with other systems, such as how a blockchain API might exchange information with other applications.

Blockchain does indeed look set to deliver on its promise to simplify supply chains in shipping but whether it will present us with a more secure solution is by no means assured. Just like any other network architecture, implementations will need to be assessed and hardened by looking systematically at node, ledger and application security. Assuming blockchain confers security through design smacks of a certain ‘unsinkable’ ship – and unless the sector looks to stress test, we could see blockchain become a ‘Titanic’ technology.


Interested in hearing leading global brands discuss subjects like this in person? Find out more at the Blockchain Expo World Series, Global, Europe and North America.


View Comments
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *