- Complicated supply chains leave technological devices vulnerable to hacking
- Blockchain technology could add both transparency and security to manufacturing
- For blockchain to succeed, collaborative standards and best practices are needed
Security vulnerabilities in technology extend well beyond problems with software. Earlier this month, researchers revealed that the hardware at the heart of nearly every computer, smartphone, tablet and other electronic device is flawed in at least two significant ways, code-named Spectre and Meltdown.
Too few technology companies take precautions to protect every step in their supply chains, from raw materials through manufacturing and distribution. Products altered in the factory or en route to a user could turn an executive’s smartphone into a handy surveillance device.
Better supply chain security could both prevent and make it easier to recover from accidents and deliberate meddling.
Backdoors and secret passages
It’s common knowledge that hackers can attack software by sending users virus-infected emails or compromised links. But they can also interfere with computers by altering tiny circuits in microchips most users will never see. These weaknesses are physical, and they’re just as hard to identify as mistakes in software code.
Apple’s iPhone, for example, involves hundreds of suppliers from around the world making chips and hard drives, all of which have to be shipped, assembled and warehoused before ever being delivered to an Apple store or your door. Each step introduces numerous opportunities for security problems to arise.
Even sophisticated retailers like Amazon have been fooled by counterfeit or poorly manufactured facsimiles of real products. And in 2012, Microsoft warned customers that Chinese computer factories were installing malware on PCs.
Enter the ‘internet of everything’
As more and more devices – not just computers and smartphones but thermostats and baby monitors, and even doorbells – get connected to the internet, the growing threat from hackers easily gets lost in the excitement.
In 2009, the U.S. Department of Defense bought 2,200 Sony PlayStation 3 gaming consoles to use as components in a military supercomputer. But those systems are often manufactured abroad, making it that much more difficult to verify that they weren’t tampered with.
The Navy, at least, has learned from this mistake: The Naval Surface Warfare Center Crane Division has pioneered automated inspections, using artificial intelligence to examine digital pictures of new circuit boards to detect unauthorized alterations.
But sometimes the government is part of the problem. Leaked documents have shown how the National Security Agency’s Tailored Access Operations team routinely intercepts new computer and networking equipment being shipped to specific people or organizations. NSA workers modify the hardware to add vulnerabilities and secret access for NSA hackers to use later, and then put the equipment back in boxes to be delivered as if nothing had happened.
Is blockchain a solution?
One new way to secure supply chains involves using blockchain technology – a secure database system stored and maintained across many computers – to track and verify all aspects of a supply chain, even one as complicated as Apple’s.
This type of system can handle many of the existing tasks performed by corporate databases – with scanners monitoring items and packages at key stages, and humans adding data like delivery details. But blockchains offer at least three key advantages: security, transparency and automation.
The security comes from two features of blockchains: First, the data is stored in discrete chunks, or “blocks.” And as each block is created, it must securely link to the previous block in the database, making a “chain” of blocks and preventing anyone from modifying previously stored data. Changes can only be stored as additional data in the chain.
Blockchain transparency results from the fact that its data is stored in encrypted form, but is otherwise available to participants. Coupled with its security features, a blockchain supply chain database would let any entity involved in a shipment, for example, track the order’s progress with confidence that the data is accurate.
Blockchain systems also contain software code called “smart contracts” — unalterable instructions that can automate processes like issuing a payment upon delivery. The blockchain itself can monitor how long each step takes and then alert human supervisors if something takes too long – a sign of a production breakdown, or even that someone might be tampering with the goods.
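The block linking and the step-duration alert described above can be shown in a few lines of Python. This is an added illustration, not code from the article or from any blockchain product; the event fields (`item`, `stage`, `ts`), the function names and the sample records are all constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed placeholder "previous hash" for the first block

def block_hash(prev_hash, event):
    # The hash covers the previous block's hash plus this event: that is the link.
    payload = json.dumps({"prev": prev_hash, "event": event}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def append(chain, event):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "event": event, "hash": block_hash(prev, event)})

def first_broken_link(chain):
    """Index of the first block whose link or contents fail to verify, else None."""
    prev = GENESIS
    for i, block in enumerate(chain):
        if block["prev"] != prev or block["hash"] != block_hash(prev, block["event"]):
            return i
        prev = block["hash"]
    return None

def slow_steps(chain, max_hours):
    """(from_stage, to_stage, hours) for consecutive events more than max_hours apart."""
    alerts = []
    for a, b in zip(chain, chain[1:]):
        hours = (b["event"]["ts"] - a["event"]["ts"]) / 3600
        if hours > max_hours:
            alerts.append((a["event"]["stage"], b["event"]["stage"], hours))
    return alerts

def build_sample_chain():
    # Constructed sample data: one device, timestamps in seconds from an arbitrary start.
    events = [
        {"item": "SN-0001", "stage": "fabricated", "ts": 0},
        {"item": "SN-0001", "stage": "assembled", "ts": 6 * 3600},
        {"item": "SN-0001", "stage": "shipped", "ts": 10 * 3600},
        {"item": "SN-0001", "stage": "received", "ts": 82 * 3600},
    ]
    chain = []
    for event in events:
        append(chain, event)
    return chain

if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact chain, first broken link:", first_broken_link(chain))
    print("steps slower than 48h:", slow_steps(chain, max_hours=48))
    chain[1]["event"]["stage"] = "assembled (relabelled)"  # edit a stored record
    print("after edit, first broken link:", first_broken_link(chain))
```

Someone who rewrites every block from the edited one onward would pass this check on their own copy, which is why the chain is held on many computers: participants comparing the latest hash would see the mismatch.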
Neither a magic bullet, nor a lost cause
No blockchain is immune to hacking – and none can evade the effects of hardware vulnerabilities like Meltdown and Spectre. But it could provide a major improvement over today’s methods and practices.
There’s a long way to go, including training people to use blockchains and agreeing on standards for data communication, encryption, and storage. And such a system would still face the problem of insider threats, though the underlying blockchain technology would make such attempts more difficult.
Finding new ways for private companies and governments to work together and share best practices, such as by developing collaborative standards, would go a long way toward building robust blockchain-based systems that can help track and secure hardware across the burgeoning Internet of Everything.
Reprinted by permission of Scott Shackelford. You can read the original article at The Conversation.
Scott Shackelford is part of a multidisciplinary team of researchers based at Indiana University studying this thorny problem. Their work has helped highlight the fact that better supply chain security could both prevent and make it easier to recover from accidents – as chip flaws like Spectre and Meltdown appear to be – and deliberate meddling.