The internet of things isn’t coming, it’s already here. New healthcare, industrial, home and personal devices are being connected every day, right under our noses. Gartner predicts that by 2020, nearly 21 billion IoT devices will be online. Yet as exciting as this explosive growth may be, it also brings new challenges — and chief among them is security.
As the adoption of IoT grows we are witnessing major security incidents. The Mirai botnet, for example, was able to hijack thousands of connected home devices and launch distributed denial-of-service attacks that knocked out large portions of the internet.
As more IoT devices come online, such attacks — and potentially more dangerous ones — seem inevitable. Keeping them from becoming commonplace will take new approaches to online security, and one of the more promising solutions that’s under research right now is rooted in blockchain.
You’ve probably heard of blockchain if you’ve looked into any of the various digital “cryptocurrencies,” of which Bitcoin is the best known. The success of these currencies has inspired a number of researchers to start applying blockchain technology to other applications, including to help secure IoT.
Without getting into all of the complex computer science behind it, a blockchain is a kind of distributed database that acts as a distributed digital ledger for transactions. With cryptocurrencies, for example, blockchain keeps a record of every time the digital cash changes hands.
What makes blockchain interesting to security researchers is that once it is created, a blockchain is immutable. By design, a blockchain is inherently resistant to modification of its data: once data is recorded in a block, it cannot be altered retroactively. Any attempt to corrupt or modify the data instantly raises a red flag, because the validity of the blockchain is constantly verified and corrected using cryptographic algorithms and multiple distributed data records. The blockchain is itself secure and difficult for a person or a group of people to hack, making it an ideal tool for data security applications.
The distributed and decentralized nature of blockchain-based technology also makes it a natural fit for helping secure IoT. IoT itself is a fundamentally distributed system composed of countless devices, any of which might jump on or off the network at any given time, making it a poor fit for centralized controls.
Who (or what) goes there?
So how can blockchain help secure IoT? One way is through blockchain-based identity and access management systems. The idea is to use a private blockchain to store cryptographic hashes of individual device firmware, creating a permanent record of device configuration and state. This record can then be used to verify that a given device is genuine and that its software and settings haven’t been tampered with before allowing it to connect to other devices or services.
Such systems can be an effective defense against IP spoofing attacks like those launched by later versions of the Mirai botnet. Because blockchain can’t be altered, devices that attempt to connect can’t disguise themselves by injecting fake signatures into the record.
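The firmware-hash record and admission check described above can be sketched as follows. This is an added example, not code from the original article: the `FirmwareLedger` class, device IDs and firmware bytes are constructed for illustration, and a single in-memory hash chain stands in for the private blockchain, with no replication or consensus.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder previous-hash for the first block

def _digest(body):
    # Canonical JSON so the same fields always hash to the same value
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class FirmwareLedger:
    """Hypothetical append-only, hash-chained record of firmware digests."""
    def __init__(self):
        self.blocks = []

    def register(self, device_id, firmware):
        body = {"index": len(self.blocks), "device_id": device_id,
                "firmware_sha256": hashlib.sha256(firmware).hexdigest(),
                "prev_hash": self.blocks[-1]["hash"] if self.blocks else GENESIS}
        self.blocks.append(dict(body, hash=_digest(body)))

    def chain_is_valid(self):
        prev = GENESIS
        for i, block in enumerate(self.blocks):
            body = {k: v for k, v in block.items() if k != "hash"}
            if (block["index"] != i or block["prev_hash"] != prev
                    or block["hash"] != _digest(body)):
                return False  # an edited or re-ordered block breaks the chain
            prev = block["hash"]
        return True

    def admit(self, device_id, firmware):
        # Allow a connection only if the chain is intact and the firmware matches
        if not self.chain_is_valid():
            return False
        records = [b for b in self.blocks if b["device_id"] == device_id]
        measured = hashlib.sha256(firmware).hexdigest()
        return bool(records) and records[-1]["firmware_sha256"] == measured

def demo():
    ledger = FirmwareLedger()
    good = b"camera-fw v1.0 (constructed sample image)"
    ledger.register("cam-01", good)
    ledger.register("lock-07", b"lock-fw v2.3 (constructed sample image)")
    results = {"genuine": ledger.admit("cam-01", good),
               "modified": ledger.admit("cam-01", good + b" patched"),
               "unknown": ledger.admit("cam-99", good)}
    # Rewrite a recorded digest: the stored block hash no longer matches
    ledger.blocks[0]["firmware_sha256"] = hashlib.sha256(b"other").hexdigest()
    results["chain_valid_after_edit"] = ledger.chain_is_valid()
    return results
```

The chain check alone only catches edits by someone who does not recompute every later hash; the tamper resistance the article describes also depends on the record being held in multiple distributed copies.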
Another application for blockchain to secure IoT is as a directory for device and service discovery. The advantage over other discovery mechanisms is that, because a blockchain is distributed and cryptographically verifiable, it’s less vulnerable to man-in-the-middle attacks and other exploits. By comparison, not only could centralized controls or intermediaries be compromised, but they also limit the ability of the IoT network to grow and reconfigure itself organically.
Putting the pieces in place
While this is all exciting stuff, it’s still too early to say definitively that blockchain will be a major component of IoT in the near future. This is a new and evolving area. There is much work to do in the way of industry standards to make IoT security systems from multiple vendors interoperable.
It should go without saying that blockchain-based security is no panacea, either. Early versions of Mirai relied on simple vulnerabilities like weak passwords and well-known default passwords to compromise devices, some of which were baked into firmware. IoT will never truly be secure until manufacturers accept greater responsibility for locking down their devices and adopt highly secure technologies such as blockchain.
Hardware, however, is only part of the equation. As IoT evolves toward greater autonomy, the need for innovative, end-to-end systems that can secure this new type of network environment becomes increasingly urgent. Blockchain, while still an emerging solution, is one of the more intriguing technologies with potential to set us down that road.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.