Tineola: Taking a Bite Out of Enterprise Blockchain

Conference: DEF CON 26



The presentation discusses the use of Hyperledger Fabric to build a blockchain insurance app and the security risks that come with it.
  • Hyperledger Fabric is a widely used platform for building permissioned blockchain applications
  • The "build blockchain insurance app" demo is a typical insurance application with a web front-end backed by Fabric
  • The presentation walks through the security risks in the app, including how it can be abused for insurance fraud
  • Smart contracts (chaincode) in Fabric are ordinary programs that interact with the ledger through a simple interface called the shim
  • The ledger's world state in Fabric is a key-value store, accessed through the shim's GetState and PutState calls
  • The presentation emphasizes securing smart contracts and keeping sensitive data out of the blockchain, since anything written to the ledger is replicated to every peer on the channel
The presenter walks through a scenario in which a repair shop employee uses their access to the blockchain to commit insurance fraud by submitting a fraudulent repair claim. They demonstrate how easily a user's password can be read straight out of the ledger and then used to file a claim as that user. The presenter emphasizes that sensitive data such as passwords and credit card numbers must never be written to the blockchain.
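The fraud scenario above comes down to one chaincode design mistake: a credential written to world state is readable by anyone who can query the chaincode or open a peer's state database. The following Go example is added here to make that concrete; it is not code from the talk, from Tineola, or from the insurance demo app. It replaces Fabric's real shim (ChaincodeStubInterface) with a small in-memory Ledger so it runs offline, and the CredentialStore, the key prefix "user:" and the audited field names are assumptions for illustration. It shows the vulnerable write, the one-call harvest of the password, the hardened variant that keeps the credential off the ledger, and a simple audit that flags credential-looking fields in world state.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Ledger is an in-memory stand-in (an assumption of this example) for the part
// of Fabric's chaincode shim that chaincode touches: GetState/PutState on the
// channel's world state. Keys() stands in for GetStateByRange so the audit can run.
type Ledger interface {
	GetState(key string) ([]byte, error)
	PutState(key string, value []byte) error
	Keys() []string
}

type memLedger struct{ kv map[string][]byte }

func NewMemLedger() *memLedger { return &memLedger{kv: make(map[string][]byte)} }

func (m *memLedger) GetState(key string) ([]byte, error) { return m.kv[key], nil } // nil for a missing key, like Fabric
func (m *memLedger) PutState(key string, value []byte) error { m.kv[key] = value; return nil }
func (m *memLedger) Keys() []string {
	keys := make([]string, 0, len(m.kv))
	for k := range m.kv {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// --- Anti-pattern from the talk: the password itself goes into world state ---

type UserVulnerable struct {
	Username string `json:"username"`
	Password string `json:"password"` // plaintext, replicated to every peer on the channel
}

func CreateUserVulnerable(l Ledger, username, password string) error {
	b, err := json.Marshal(UserVulnerable{Username: username, Password: password})
	if err != nil {
		return err
	}
	return l.PutState("user:"+username, b)
}

// HarvestPassword is the attacker's side: one GetState returns the secret.
func HarvestPassword(l Ledger, username string) (string, error) {
	b, err := l.GetState("user:" + username)
	if err != nil || b == nil {
		return "", errors.New("no such user")
	}
	var u UserVulnerable
	if err := json.Unmarshal(b, &u); err != nil {
		return "", err
	}
	return u.Password, nil
}

// --- Hardened: only non-sensitive attributes reach the ledger ---

type UserRecord struct {
	Username string `json:"username"`
	Role     string `json:"role"`
}

// CredentialStore stands in for an off-ledger identity service (assumption);
// it keeps a salted SHA-256 verifier and nothing about it is ever PutState'd.
type CredentialStore struct{ hashes map[string]string }

func NewCredentialStore() *CredentialStore { return &CredentialStore{hashes: map[string]string{}} }

func hashPassword(salt []byte, password string) string {
	h := sha256.Sum256(append(append([]byte{}, salt...), []byte(password)...))
	return hex.EncodeToString(salt) + ":" + hex.EncodeToString(h[:]) // 32 hex chars of salt, then hash
}

func CreateUserHardened(l Ledger, cs *CredentialStore, username, password, role string) error {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	cs.hashes[username] = hashPassword(salt, password)
	b, err := json.Marshal(UserRecord{Username: username, Role: role})
	if err != nil {
		return err
	}
	return l.PutState("user:"+username, b)
}

func (cs *CredentialStore) Verify(username, password string) bool {
	stored, ok := cs.hashes[username]
	if !ok {
		return false
	}
	salt, _ := hex.DecodeString(stored[:32])
	return subtle.ConstantTimeCompare([]byte(stored), []byte(hashPassword(salt, password))) == 1
}

// AuditLedgerForSecrets walks world state and reports "key/field" for every
// JSON value carrying a credential-looking field; a cheap pre-deployment check.
func AuditLedgerForSecrets(l Ledger) []string {
	var hits []string
	for _, k := range l.Keys() {
		b, _ := l.GetState(k)
		var m map[string]interface{}
		if json.Unmarshal(b, &m) != nil {
			continue
		}
		for _, f := range []string{"password", "pin", "card_number"} {
			if _, ok := m[f]; ok {
				hits = append(hits, k+"/"+f)
			}
		}
	}
	return hits
}

func main() {
	vuln := NewMemLedger()
	_ = CreateUserVulnerable(vuln, "shop-employee", "hunter2") // constructed sample user
	pw, _ := HarvestPassword(vuln, "shop-employee")
	fmt.Println("harvested from ledger:", pw, "audit:", AuditLedgerForSecrets(vuln))

	safe, cs := NewMemLedger(), NewCredentialStore()
	_ = CreateUserHardened(safe, cs, "shop-employee", "hunter2", "repair-shop")
	pw, _ = HarvestPassword(safe, "shop-employee")
	fmt.Printf("hardened ledger: password=%q audit=%v verify=%v\n", pw, AuditLedgerForSecrets(safe), cs.Verify("shop-employee", "hunter2"))
}
```

The hashed variant is the minimum, not the goal: the talk's advice is that the credential should not be on the ledger at all, because an immutable, replicated store gives every peer (and every future peer) a permanent copy. Fabric's private data collections reduce who holds the data but still do not make it a good home for secrets.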


Blockchain adoption has reached a fever pitch, and the security community is late to the game of securing these platforms against attack. While the open source community is enamored with the success of Ethereum, the enterprise community has been quietly building the next generation of distributed trustless applications on permissioned blockchain technologies. As of early 2018, an estimated half of these blockchain projects relied on the Hyperledger Fabric platform. In this talk we discuss the tools and techniques attackers can use to target Fabric. To this end we demo and release a new attack suite, Tineola, capable of performing network reconnaissance of a Hyperledger deployment, adding evil network peers to that deployment, using existing trusted peers for lateral movement with reverse shells, and fuzzing application code (chaincode) deployed on Fabric. As George Orwell wrote: "Who controls the past controls the future. Who controls the present controls the past." This talk demonstrates how a sufficiently armed red team can modify the blockchain past to control our digital future.


