Tags: case study, new customer, Hacken service, security analysis, cybersecurity

Company name: Ambrosus

Company description: Ambrosus is a Blockchain and IoT Ecosystem, built for industrial data management.

Service: Blockchain security review and penetration testing

“We appreciated the quality of work done by the Hacken team. They were professional and thorough in their audit, and allowed us to get a third-party perspective on the security of AMB-NET and its accompanying crypto-economic architecture as well as additional tools. If the opportunity presents itself, we look forward to working with them more in the future.” — Dr. Vlad Trifa, CPO of Ambrosus.

About Ambrosus

Ambrosus is a Blockchain and IoT Ecosystem, built for industrial data management. By combining the immutability of a public blockchain with encrypted IoT sensing devices, Ambrosus provides a framework for integrating secure, transparent, and accessible data into the fabric of the physical world. As an Open-sourced Ecosystem Ambrosus allows developers, entrepreneurs, and enterprises to leverage their blockchain and IoT infrastructure to build innovative solutions for the new digital economy.

The project focuses on 2 complex tasks: web/network penetration testing of the deployed nodes, and a blockchain security assessment of the node codebase and the NOP script. Ambrosus agreed to the scope of the work at the start of the project, and the review covered the entirety of that scope. The scope includes attacks on all endpoints, simulated from the perspective of 4 main classes of potential attackers:

external attacker

an external attacker with access to API

an attacker that hosts a Hermes node

an attacker that hosts an Atlas/Apollo node

Problems faced by Ambrosus

Ambrosus requested a third-party security audit to help identify potential weaknesses and blind spots across the entire infrastructure of the Ambrosus Network (AMB-NET). This included checking potential entry points that attackers could use to compromise the network infrastructure, the masternode architecture, the smart contract protocols, and Ambrosus-powered tools (Dashboard, Explorer, etc.).

Hacken Service Summary

Hacken security consultants imitated hacker activities to test the overall security state of the network. We thoroughly studied the Ambrosus ecosystem and defined crucial checks for a security review. The auditing process is described in the checklist below along with our comments and findings.

Blockchain-related tasks:

Review of crypto economics specification against potential threats

Checks for the access control implementation against permissions matrix

Analysis of potential hash collisions impact

Analysis of node upgradeability mechanism

Review of NOP script and analysis of potential threats during deployment

Testing and code review of token generation mechanism

Manual review of timeout mechanism

Analysis of the KYC process

Manual code review for immutability of data (Merkle proofs etc.)

Testing against deserialization vulnerabilities

Analysis of private key storage and usage processes

Analysis of cryptography implementation

Penetration testing tasks:

Dump and analyze traffic between nodes

Testing against privilege escalation

Docker escape testing

Fuzzing of APIs (all parameters in GET, POST, PUT requests)

NoSQL injection testing

Auto-scanning of the codebase and manual review of auto scanner findings

Web pentest for Hermes client side

Network discovery and scanning of the nodes

DDoS simulation

Security Audit Findings

Based upon the various blockchain related tasks and specific penetration testing simulations, the Hacken team was pleased with the results of the test, and the quality of code on the Ambrosus Platform. While select medium-to-low risk issues were identified, the Hacken team provided clear steps and recommendations on how to fix the presented risks. In response to these recommendations and in light of the positive results of the test, the Ambrosus team accepted the Hacken recommendations and will fix all the security issues identified.

Summing Up

Overall, the security review provided by Hacken focused on blockchain related penetration testing of core components of the Ambrosus Ecosystem. This included among other components, the Node Onboarding Process, a comprehensive review of the crypto-economic infrastructure, Web penetration for the Hermes Masternode client side, as well as a DDoS simulation. The Ambrosus Ecosystem was found to be of high caliber, with only a limited number of medium to low risk issues, that will subsequently be resolved by the Ambrosus team.

According to the review, the Hacken auditors evaluate the security state of the Ambrosus Ecosystem as highly secure, particularly in light of the corrections made by the Ambrosus team to the problems identified. The original code of the Ambrosus infrastructure was noted to be of very good quality; with the added fixes, the code is evaluated to be of very high quality.

How Hacken can help

At Hacken, we take security extremely seriously, and all the checks are performed according to the highest standards. If you have any questions about the topic or need a consultation, feel free to contact our Team!
