Guarding against the possible Spectre in every machine

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By Scott Shackelford
 

Connecting state and local government leaders

By Scott Shackelford

|

As companies and government agencies explore ways to ensure that items are manufactured, assembled, shipped and delivered reliably and without tampering, they're building robust blockchain-based systems that can help track and secure hardware.

The Conversation

This article was first posted on The Conversation.

Security vulnerabilities in technology extend well beyond problems with software. Earlier this month, researchers revealed that the hardware at the heart of nearly every computersmartphone, tablet and other electronic device is flawed in at least two significant ways code-named Spectre and Meltdown.

Regardless of their cause, the mere existence of these significant vulnerabilities is a symptom of a much wider problem. Too few technology companies are taking proper precautions to protect every step in their supply chains, from raw materials through manufacturing and distribution into customers’ hands. Products could be altered either in the factory or en route to a user, turning, for example, an executive’s smartphone into a handy surveillance device.

I am part of a multidisciplinary team of researchers based at Indiana University studying this thorny problem. Our work has helped highlight the simple fact that better supply chain security could both prevent and make it easier to recover from accidents -- as the chip flaws appear to be -- and deliberate meddling.

Backdoors and secret passages

It’s common knowledge that hackers can attack software by sending users virus-infected emails or compromised links. But they can also meddle with computers by altering tiny circuits in microchips most users will never see. These weaknesses are physical, and they’re just as hard to identify as mistakes in software code.

The complex supply chains involved in most technological manufacturing are very hard to secure. Apple’s iPhone, for example, involves hundreds of suppliers from around the world making chips and hard drives, all of which have to be shipped, assembled and warehoused before ever being delivered to an Apple store or your door. All of these steps introduce numerous opportunities for security problems to arise; recent research has even suggested hackers could use smartphone apps to destroy manufacturing equipment or even blow up entire factories.

While no such large-scale disaster has yet been identified, even sophisticated retailers like Amazon have been fooled by counterfeit or poorly manufactured facsimiles of real products. Some supply chain threats can be more malicious: In 2012, Microsoft warned customers that Chinese computer factories were installing malware on PCs.

Enter the ‘internet of everything’

As more and more devices -- not just computers and smartphones but thermostats and baby monitors and wristwatches and lightbulbs and even doorbells -- get connected to the internet, the growing scale of the threat from hackers can easily get lost in the excitement.

In 2009, the Department of Defense thought it had a great way to buy a lot of computing power without spending too much taxpayer money: It bought 2,200 Sony PlayStation 3 gaming consoles to use as components in a military supercomputer. But as I and others wrote in response, those systems are often manufactured abroad, making it that much more difficult to verify that they weren’t tampered with.

The Navy, at least, has learned from this mistake: The Naval Surface Warfare Center Crane Division has pioneered automated inspections, using artificial intelligence to examine digital pictures of new circuit boards to detect unauthorized alterations.

Americans are rightly concerned about intrusive alterations during the manufacturing and shipping processes -- in part because U.S. government agencies conduct them. Leaked documents have shown how the National Security Agency’s Tailored Access Operations team routinely intercepts new computer and networking equipment being shipped to specific people or organizations. Then NSA workers modify the hardware to add vulnerabilities and secret access for NSA hackers to use later, and then put the equipment back in boxes to be delivered as if nothing had happened.

Is blockchain a solution?

One new way to secure supply chains involves blockchain technology -- a secure database system stored and maintained across many computers around the internet -- to track and verify all aspects of a supply chain, even one as complicated as Apple’s.

IBM and the international shipping giant Maersk are experimenting with using blockchain systems to better secure and transparently track shipments, such as by entering information about what is being shipped from whom and from where to whom and to where, and every step along the route in between, in a blockchain database.

This type of system can handle many of the existing tasks performed by corporate databases -- with scanners monitoring items and packages at key stages, and humans adding data like delivery details. But blockchains offer at least three key advantages: security, transparency and automation.

The security comes from two features of blockchains: First, the data is stored in discrete chunks, or “blocks.” And as each block is created, it must securely link to the previous block in the database, making a “chain” of blocks and preventing anyone from modifying previously stored data. Changes can only be stored as additional data in the chain.

So, in effect, a person who took a package to the post office couldn’t go into the database file and delete the word “Processing” and type in the word “Shipped” in its place. Rather, the person would add data saying the date and time the package was dropped off at the post office. That lets everyone track the package in real time, but also keep an eye on how long each step takes and help to identify where any problems occur.

Blockchain transparency results from the fact that its data is stored in encrypted form, but is otherwise available to participants. Coupled with its security features, a blockchain supply chain database would let any entity involved in a shipment, for example, track the order’s progress with confidence that the data is accurate.

Adding value to blockchain systems is the fact that they are digital records, so they can contain software code set to perform specific functions when certain data is stored in the system. These are often called “smart contracts,” because they are unalterable instructions that can automate some processes, like issuing a payment upon delivery. This adds another layer of security, too, because the blockchain itself can keep an eye on how long each step takes for every item, and then alert human supervisors if something takes too long -- a sign of a production breakdown, or even a signal someone might be tampering with the goods.

Neither a magic bullet, nor a lost cause

No blockchain is immune to hacking -- and none of them can evade the effects of hardware vulnerabilities like Meltdown and Spectre. But it could provide a major improvement over today’s methods and practices.

There’s a long way to go yet, including training people to use blockchains and agreeing on standards for data communication, encryption and storage. And such a system would still face the problem of insider threats, though the underlying blockchain technology would make such attempts more difficult.

At present, companies and government agencies are exploring ways to ensure that items are manufactured, assembled, shipped and delivered reliably and without tampering. Continuing these efforts, and finding new ways for private companies and governments to work together and share best practices such as by developing collaborative standards, would go a long way toward building robust blockchain-based systems that can help track and secure hardware across the burgeoning internet of everything.

NEXT STORY: State CIOs stress security, emerging tech and IT consolidation for 2018

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.