Hacking maritime blockchains
Every day we see more and more articles and posts pondering how blockchain might revolutionise the supply chain.
As security experts, we see this from a very different perspective. Blockchain solves some security issues, but also opens up new, concerning security problems.
Is Blockchain a Silver Bullet for security?
No. I believe there is so much hype around Blockchain technology right now that many organisations just assume it is secure because everyone says so. This is down to the consensus algorithms, which most people probably don’t understand. They hear “immutable”, “distributed”, “auditable” and think ‘secure’.
Here are a few ways one might hack the maritime Blockchain:
Private Key Compromise, or hacking your wallet
Permissions to the Blockchain will be governed by each user’s private key address, more commonly known as the wallet. Therefore, if you gain access to a user’s private key, you control their wallet and transactions.
How are many wallets protected? With a password. How secure are your passwords today? Now how do you feel about Blockchain wallet security?
Consider someone in your supply chain using a tablet to manage container movements at a terminal. Have they set a strong password for their wallet? If the tablet is stolen and the password is easily cracked, you have a big problem.
Even though Blockchain may be secured by consensus, if a genuine account is compromised there is no stopping illegitimate use.
Broken cryptography in future
CBC, RC4, MD5 and SHA1 – just a few examples of cryptography that has been broken because of computing advances. The potential cracking power offered by Quantum Computing could expose the cryptography that secures the Blockchain. Once cracked, all trust in the Blockchain is lost.
If cracked, an immediate switch to stronger encryption will be required. All old transactions and wallets will be frozen and the new Blockchain will begin from the last frozen block.
The cost of such a change could be enormous, potentially eclipsing the cost savings from the Blockchain itself.
Miners are the security of a network. They implement the Blockchain by supplying the ledger and work together to ensure consensus. The number of mining nodes you have on a network determines how secure the network will be. The design of the maritime Blockchain is important in this respect: if one organisation controls all the miners, it controls the whole network.
If an attacker can gain control of 51% of all mining nodes, they can control the network and can change historical data. Another vulnerability of the scale of Heartbleed, WannaCry or NotPetya, for example, could be the one that destroys a Blockchain by deleting the ledger on all nodes, thus deleting all historical data for shipping.
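A design-time check for the concentration risk described above, as an added example that is not part of the original article: it takes an inventory of mining nodes and their operators, reports each operator's share, and finds the smallest group of operators that together run more than half the nodes. The node list, organisation names and the 33% per-operator limit are assumptions made for illustration, and the coalition calculation goes beyond the single-organisation case in the text.

```python
from collections import Counter

# Constructed sample inventory: (node id, operating organisation).
# All names are hypothetical.
SAMPLE_NODES = [
    ("node-01", "CarrierA"), ("node-02", "CarrierA"), ("node-03", "CarrierA"),
    ("node-04", "CarrierA"), ("node-05", "TerminalB"), ("node-06", "TerminalB"),
    ("node-07", "TerminalB"), ("node-08", "ForwarderC"), ("node-09", "ForwarderC"),
    ("node-10", "CustomsD"),
]

def operator_shares(nodes):
    """Return {operator: fraction of nodes controlled}, largest first."""
    counts = Counter(op for _, op in nodes)
    total = sum(counts.values())
    return {op: n / total for op, n in counts.most_common()}

def majority_coalition(nodes):
    """Smallest set of operators that together run more than half the nodes."""
    counts = Counter(op for _, op in nodes)
    total = sum(counts.values())
    coalition, controlled = [], 0
    for op, n in counts.most_common():  # largest operators first
        coalition.append(op)
        controlled += n
        if 2 * controlled > total:      # strict majority of node count
            break
    return coalition

def audit(nodes, max_share=0.33):
    """Flag operators above max_share (assumed policy limit) and majority risk."""
    shares = operator_shares(nodes)
    return {
        "over_limit": [op for op, s in shares.items() if s > max_share],
        "single_operator_majority": any(s > 0.5 for s in shares.values()),
        "majority_coalition": majority_coalition(nodes),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_NODES))
```

A short majority coalition means only a few organisations, or a compromise of their nodes, stand between the ledger and majority control.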
Bandwidth available to shipping is limited as satellite communications are expensive. This means that a miner may be needed on board. Yet another box on the ship that may be difficult to keep secure and updated.
Over 40 million shipping containers exist globally. Keeping track of all this movement is going to make the Blockchain scale substantially and the amount of disk space needed for a miner to keep the ledger could become so large as to become unmanageable. If a miner is not under constant supervision, hard disk space could be filled and prevent the ledger being updated.
Hard drive space of this scale will be expensive. One might decide to have fewer miners on the Blockchain to keep down hard disk storage costs. Fewer miners lead to less consensus, less distribution and less security.
Some Blockchains support Smart Contracts, otherwise known as Decentralised Applications. Essentially this means coded programs can be run within the Blockchain.
This brings a whole new chapter of vulnerabilities into the mix. Already Blockchain applications have had flaws abused. Take the DAO hack for example: an attacker ran a coded function before it should have been executed and ended up stealing millions of dollars by becoming the very wallets which the program was in the process of creating. They effectively ‘jumped the gun’.
This type of hack is just as real in the maritime environment. Many Blockchain exchanges and wallets have been hacked in a similar fashion, so what chance is there that the maritime industry will get security of the Blockchain 100% right first time?
We have only scratched the surface of Blockchain security here. So much more thought must be given to how the Blockchain interfaces with other systems, for example a Blockchain API interacting with the applications that use it.
It is clear to us that Blockchain does have its purpose in the maritime industry and could generate significant cost savings. But it is not a silver bullet for security: your security problems will not go away if you implement a Blockchain, they will just be very different and potentially rather more complex.