Fix Vulnerabilities in Blockchain Supply Chain Solutions or face Disruption


Introduction

In an earlier article, I described how Blockchain technology-based supply chain solutions can solve issues that arise with traditional supply chains during high-stress situations like the COVID-19 pandemic, and how Blockchain solutions can stabilize the supply chain under such conditions. In that article, I suggested that modifying existing Blockchain technology-based solutions to assist with the COVID-19 fight is a faster deployment route than developing new ones.

Any technology is prone to cyber-attacks, and with the COVID-19 pandemic, cyber-attacks have increased. The FBI recently issued a warning about the Kwampirs malware, which targets the supply chain, including the healthcare industry. A Blockchain technology-based supply chain solution would not be immune to cyber-attacks either; a successful attack would defeat the purpose of getting medical supplies to healthcare facilities.

Blockchain security is easily misunderstood. Some believe that the technology's inherent security properties translate to security of the entire solution. This is far from reality.

Blockchain technology-based solutions need to be protected because they can be attacked in several places: at the network, node, smart contract, and consensus algorithm levels, among others.

Some of a Blockchain solution's vulnerabilities are discussed below. This should help lift the fog of false security that Blockchain's security advantages tend to create.

It is assumed that you are familiar with Blockchain technology, with the different types of Blockchains (public, private, permission-less, permissioned, etc.), and with their consensus mechanisms.

 


Cyber-Attack Patterns

Algorithm Level

The 51% attack on the Proof of Work (PoW) consensus algorithm is much publicized and well described. However, another kind of attack, the selfish mining attack, is just as dangerous.

A 51% attack is hard because the computational power supporting the Blockchain is distributed across a peer-to-peer network. This amounts to shifting trust from a central authority to distributed verification using cryptography. Rewriting history also gets harder the deeper the target block is buried: the attacker must redo the proof of work for that block and every block after it while the honest network keeps extending the chain.

A selfish mining attack, however, can happen at any time regardless of the number of blocks on the Blockchain, and it can be undertaken without controlling 51% of the hashing power. In a selfish mining attack, a miner that finds a valid block withholds it from the peer network and immediately starts mining the next block on top of the unpublished one, gaining a head start over the peer nodes. The withheld blocks are released selectively, just as the honest network catches up, so that the honest miners' blocks are orphaned and their work is wasted. The selfish miner ends up with a larger share of the rewards than its share of the hashing power, while the rest of the network is saddled with adopting the selfish miner's chain. The strategy does carry risk: if a peer node finds and publishes a block before the selfish miner reveals its own, the two blocks compete, and the selfish miner may lose the race.
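The withhold-and-release rules above, as an added Python example that is not part of the original article: it simulates the selfish mining strategy as the state machine published by Eyal and Sirer ("Majority is not Enough", 2014) and compares the simulated revenue share with their closed-form result. The hashing-power share alpha and the fraction gamma of honest miners that happen to build on the selfish block during a tie are parameters of the model, not figures from the article.

```python
import random


def selfish_mining_revenue(alpha, gamma):
    """Expected revenue share of a selfish miner holding a fraction alpha of the
    hashing power, when a fraction gamma of honest miners build on the selfish
    block during a tie (closed form from Eyal and Sirer, 2014).
    An honest miner with the same hashing power would earn exactly alpha."""
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    den = 1 - alpha * (1 + (2 - alpha) * alpha)
    return num / den


def profitability_threshold(gamma):
    """Smallest alpha at which selfish mining out-earns honest mining."""
    return (1 - gamma) / (3 - 2 * gamma)


def simulate_selfish_mining(alpha, gamma, rounds, seed=0):
    """Monte Carlo simulation of the withhold-and-release strategy.

    Each round one block is found: by the selfish miner with probability alpha,
    otherwise by the honest network. Returns the selfish miner's share of the
    blocks that ended up on the main chain."""
    rng = random.Random(seed)
    lead = 0        # unpublished blocks the selfish miner is ahead by
    tie = False     # one selfish and one honest block compete at the same height
    selfish_blocks = honest_blocks = 0

    for _ in range(rounds):
        if rng.random() < alpha:
            # The selfish miner finds a block.
            if tie:
                selfish_blocks += 2      # extends its own branch: longest chain, both blocks win
                tie = False
            else:
                lead += 1                # withhold it and keep mining on top of it
        else:
            # The honest network finds a block.
            if tie:
                if rng.random() < gamma:
                    selfish_blocks += 1  # honest miners built on the selfish block
                    honest_blocks += 1
                else:
                    honest_blocks += 2   # honest branch wins the race
                tie = False
            elif lead == 0:
                honest_blocks += 1       # nothing withheld; the honest block stands
            elif lead == 1:
                lead = 0                 # publish the private block: a race begins
                tie = True
            elif lead == 2:
                selfish_blocks += 2      # publish both: the honest block is orphaned
                lead = 0
            else:
                selfish_blocks += 1      # publish one block, still at least two ahead
                lead -= 1

    return selfish_blocks / (selfish_blocks + honest_blocks)


if __name__ == "__main__":
    for gamma in (0.0, 0.5, 1.0):
        print(f"gamma={gamma:.1f}  threshold alpha={profitability_threshold(gamma):.3f}")
        for alpha in (0.1, 0.2, 0.3, 0.4):
            print(f"  alpha={alpha:.1f}  honest={alpha:.3f}  "
                  f"selfish(model)={selfish_mining_revenue(alpha, gamma):.3f}  "
                  f"selfish(sim)={simulate_selfish_mining(alpha, gamma, 200_000, seed=1):.3f}")
```

With gamma = 0 (honest miners never pick the selfish block in a tie) the strategy pays off above one third of the hashing power; with gamma = 1 it pays off at any share, which is why well-connected miners are the concern and why the attack does not need 51%.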

Other consensus mechanisms have their own security risks, which must be considered while designing a Blockchain technology-based solution.

Smart Contract Level

In simple terms, a smart contract is executable code deployed on the Blockchain, and it is often the interface between the Blockchain and the external world. Its output can be verified by any node by executing the same code with the same inputs. It is very useful for triggering an output when certain conditions are met, e.g., verified hailstorm damage (input) triggers payments (output) to homeowners.

Smart contracts are a prime target for cyber attackers. Here are some of the places where a smart contract is vulnerable:

  • On a public Blockchain, smart contract code is visible to everyone. An attacker can analyze it, discover the code's vulnerabilities, and exploit them.
  • Deployed smart contracts are immutable. An incorrect algorithm cannot be corrected in place, and it will keep producing unwanted output every time the contract executes. The usual remedy is to deploy a new smart contract and replace the old one. However, if the previous contract has no "kill switch" (a way to pause or disable it), its code is still "alive" and can be exploited. Even dormant or killed code is subject to analysis by malicious actors looking for weaknesses in the subsequent version.
  • Some smart contracts may be written by malicious developers who program in backdoors, or outputs that serve themselves. Because the contract is immutable, attacks arising from such programming "errors" cannot be reversed once they have caused harm.
  • A smart contract that interfaces with the external world depends on data from external sources, such as NOAA for weather information, or on 3rd-party components (oracles) that feed inputs to it. These interfaces and components can be vulnerable and can be attacked, and the contract executes faithfully on whatever input it is given.
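The execution model described above (every node re-executes the contract on the same inputs and must reach the same result) and the kill switch from the second bullet, as an added Python example that is not part of the original article. It models the hailstorm payout contract from the text: several endorsing nodes run the contract, compare a digest of the resulting state, and commit only on unanimous agreement; a "paused" flag acts as the kill switch; and a second version of the contract that stamps a node-local random receipt into the state shows how non-deterministic code makes agreement impossible. The state layout, names and amounts are constructed for the example.

```python
import hashlib
import json
import secrets

# Constructed world state for a hail-damage payout contract (not real data).
# "paused" is the kill switch: once set, the contract refuses every call.
INITIAL_STATE = {
    "balances": {"insurer_pool": 1_000_000, "homeowner_42": 0},
    "paused": False,
    "payout_threshold_pct": 50,
    "payout_amount": 25_000,
}


def canonical_digest(state):
    """Digest of the state in a canonical encoding, so nodes can compare results."""
    blob = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def hail_payout(state, report):
    """Deterministic contract: pay the policyholder if the (externally verified)
    damage report meets the threshold. Raises ValueError to reject the call."""
    if state["paused"]:
        raise ValueError("contract disabled: kill switch engaged")
    if report["damage_pct"] < state["payout_threshold_pct"]:
        raise ValueError("damage below payout threshold")
    new_state = json.loads(json.dumps(state))      # work on a copy, never on committed state
    amount = new_state["payout_amount"]
    balances = new_state["balances"]
    if balances["insurer_pool"] < amount:
        raise ValueError("insufficient pool balance")
    balances["insurer_pool"] -= amount
    balances[report["policyholder"]] = balances.get(report["policyholder"], 0) + amount
    return new_state


def hail_payout_nondeterministic(state, report):
    """Same logic, but it writes a node-local random receipt id into the state.
    Every node computes a different result, so the network can never agree."""
    new_state = hail_payout(state, report)
    new_state["last_receipt"] = secrets.token_hex(8)
    return new_state


def endorse(contract, state, report, nodes=4):
    """Each endorsing node executes the contract on identical inputs and reports
    a digest of the resulting state. The transaction commits only if every node
    produced the same digest and none rejected it; otherwise the committed state
    is returned untouched. Returns (committed, state, sorted unique digests)."""
    outcomes = []
    for _ in range(nodes):
        try:
            new_state = contract(state, report)
            outcomes.append((canonical_digest(new_state), new_state))
        except ValueError as exc:
            outcomes.append(("REJECT: " + str(exc), None))
    digests = sorted({digest for digest, _ in outcomes})
    if len(digests) != 1 or outcomes[0][1] is None:
        return False, state, digests
    return True, outcomes[0][1], digests


if __name__ == "__main__":
    report = {"policyholder": "homeowner_42", "damage_pct": 70}
    for name, contract in (("deterministic", hail_payout),
                           ("non-deterministic", hail_payout_nondeterministic)):
        ok, state, digests = endorse(contract, INITIAL_STATE, report)
        print(f"{name}: committed={ok}, distinct digests={len(digests)}, "
              f"homeowner balance={state['balances']['homeowner_42']}")
    ok, _, digests = endorse(hail_payout, dict(INITIAL_STATE, paused=True), report)
    print(f"paused: committed={ok}, result={digests[0]}")
```

The contract itself never decides whether the damage report is true; that is the oracle's job, which is exactly why the oracle and its feed are part of the attack surface.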

Network-level

A Blockchain solution sits on top of network infrastructure, public or private depending on its implementation, and that infrastructure comprises traditional routers, switches, and other networking gear. Therefore, any Blockchain solution's infrastructure is prone to the same types of attacks as traditional networks.

A node has to interface with the network to participate in the Blockchain solution. Both public and private nodes are subject to the same vulnerabilities at that interface as traditional systems.

Consider a private Blockchain solution comprising multiple partners, as in the drug supply chain example from my earlier article. Assume that each partner operates one node on the Blockchain network. Security is then only as good as the weakest node on the network, because that is where cyber attackers will penetrate the Blockchain solution.

Other considerations

Blockchain security, or its vulnerability, does not stop here. A user who does not protect their private key properly is a vulnerability in itself, and a mobile wallet can be compromised for several reasons. A consensus algorithm can be attacked by anyone who understands how it works; selfish mining and the 51% attack have already been discussed for open Blockchain consensus approaches. Multiple transactions are linkable back to the same address, and with additional data (e.g., the IP address from which transactions are broadcast) an attacker may be able to identify the user or entity that is transacting. That represents a potential risk, depending on the infrastructure used by the user or the transacting entity.
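The linkability point above, as an added Python example that is not part of the original article: it applies the common-input-ownership heuristic (all inputs of one transaction were signed by the same key holder, so their addresses belong to one cluster) to a handful of constructed transactions, then joins the clusters with a constructed log of which IP address first relayed each transaction. The transactions, addresses and IP addresses are made up for the example; no real chain data is used.

```python
from collections import defaultdict

# Constructed sample transactions (not from any real chain): the addresses that
# signed each transaction's inputs, and where its outputs went.
TRANSACTIONS = [
    {"txid": "tx1", "inputs": ["addrA"], "outputs": ["addrM"]},
    {"txid": "tx2", "inputs": ["addrA", "addrB"], "outputs": ["addrN"]},
    {"txid": "tx3", "inputs": ["addrB", "addrC"], "outputs": ["addrP"]},
    {"txid": "tx4", "inputs": ["addrX"], "outputs": ["addrQ"]},
    {"txid": "tx5", "inputs": ["addrC"], "outputs": ["addrR"]},
]

# Constructed relay log, as a network-level observer might record it:
# (transaction id, IP address of the peer that first announced it).
RELAY_LOG = [
    ("tx2", "203.0.113.7"),
    ("tx4", "198.51.100.9"),
    ("tx5", "203.0.113.7"),
]


class UnionFind:
    """Disjoint-set structure used to merge addresses into wallet clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(transactions):
    """Common-input-ownership heuristic: every input of one transaction had to be
    signed by the same key holder, so those addresses are merged into one cluster.
    Returns a mapping address -> frozenset of all addresses in its cluster."""
    uf = UnionFind()
    for tx in transactions:
        for addr in tx["inputs"]:
            uf.union(tx["inputs"][0], addr)
    members = defaultdict(set)
    for addr in list(uf.parent):
        members[uf.find(addr)].add(addr)
    return {addr: frozenset(members[uf.find(addr)]) for addr in list(uf.parent)}


def attribute_clusters(transactions, relay_log):
    """Join the clusters with network observations: the IP that first relayed a
    transaction is attributed to the cluster that signed its inputs, which then
    covers transactions for which no IP was ever observed."""
    clusters = cluster_addresses(transactions)
    by_txid = {tx["txid"]: tx for tx in transactions}
    attribution = defaultdict(set)
    for txid, ip in relay_log:
        tx = by_txid.get(txid)
        if tx is None or not tx["inputs"]:
            continue
        attribution[clusters[tx["inputs"][0]]].add(ip)
    return dict(attribution)


if __name__ == "__main__":
    for cluster, ips in attribute_clusters(TRANSACTIONS, RELAY_LOG).items():
        print(sorted(cluster), "->", sorted(ips))
```

Here tx1 was never observed on the network, yet its address ends up attributed to 203.0.113.7 because it shares inputs with tx2, which shares inputs with tx3 and tx5. Reusing addresses across transactions is what makes the join possible.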

Conclusion


Blockchain technology brings many advantages, one of which is security. Because a peer network supports the Blockchain and every node of the distributed ledger maintains the same copy of the transactions, attacking a Blockchain network is hard. However, Blockchain's strengths alone are insufficient to protect the entire solution. To preserve the benefits of a Blockchain solution, security should be incorporated from the initial design stages through deployment and operations.


About JP Batra, Author

JP Batra is an Interim CTO/CIO for mid-sized companies, and a functional executive leader on strategic initiatives, Blockchain, AI and IoT for large corporations. A distinguished innovator, thought leader, and B2T strategist, Batra transforms IT departments and prepares them to thrive in disruptive environments. His emerging-tech and innovation-driven work is aimed at accomplishing growth, opening new markets, reducing costs, improving employee engagement, and creating new opportunities for companies. JP's Twitter handle is @jpbatra and he can be reached at [email protected]

Keywords:

#Blockchain #Emergingtech #EmergingTechnologies #ProductManagement #CIO #CTO #CPO #Innovation #POC #Technology #Product #Management #Product #Development #Healthcare #COVID-19


JP Batra

Transformative CTO | CIO | CPO | Artificial Intelligence, Emerging Tech | Cloud | Functional Consulting - Innovation, Portfolio/Product Management

4 years ago

Here is what World Economic Forum is saying about Blockchain and COVID-19 (see my earlier article on it also): https://www.weforum.org/press/2020/04/blockchain-to-tackle-supply-chain-failures-exposed-by-covid-19-and-boost-economic-recovery
