Any doubt that Internet of Things (IoT) devices have the ability to wreak digital havoc was removed during the last quarter of 2016 when IoT-device powered Mirai botnets handily disrupted internet service.
To find out why IoT devices are coming under attack, researchers at the University of Portsmouth analyzed 55 systems for managing the IoT and found a majority had neither support for security or privacy, nor did they implement robust controls. Why is this the case?
In this University of Portsmouth press release, Paul Fremantle, a member of the University’s School of Computing, says, “There aren’t really strong incentives for manufacturers to update their systems to keep you safe….” Fremantle adds another likely reason is that IoT devices do not have enough processing capability and/or memory to implement strong security solutions.
SEE: Ebook–Cybersecurity in an IoT and mobile world (TechRepublic)
There might be a workable solution
Fremantle believes blockchain technology can be used to enhance security, privacy, and the manageability of IoT devices. “Blockchains create a shared governance,” he is quoted as saying in the press release. “They produce an environment for IoT networks where there can be trust, anonymity, and effective contracts between parties without any single vendor being in charge, and without requiring any party to be trusted above another.”
What is a blockchain?
Figure A depicts how blockchain technology uses a decentralized database shared among a network of computers to approve an exchange. In an article for the World Economic Forum, Rosamond Hutt notes that, in a blockchain, the information is held securely and transparently on a digital ledger for all users on the network to see.
What about not having enough computing power?
As to IoT devices not having enough processing power, in the research paper Enhancing IoT Security and Privacy with Distributed Ledgers, authors Fremantle, Benjamin Aziz, senior lecturer at the University of Portsmouth’s School of Computing, and Tom Kirkham, from the Science and Technology Funding Council, Harwell, UK, write:
“Many blockchains provide lighter-weight models of validation such as the Bitcoin SPV and the Ethereum Light Client Protocol. However, even these may require more processing than an IoT device can provide, and this requirement may also increase in the future with the growth of the blockchain ledger.”
SEE: Information Security Management Fundamentals (TechRepublic Academy)
Fortunately, the three authors figured out a way that even the smallest IoT devices can participate by using a trusted arbitrator between the blockchains and internet-connected devices.
Their proposal uses an existing concept in blockchain technology called an oracle. “An oracle is a system that reports on the world to the blockchain in a reliable fashion,” explain Fremantle, Aziz, and Kirkham. “For example, a smart contract may require payment when a certain condition is met, and the oracle is used to report to the blockchain when that condition exists.”
The researchers want to change how an oracle works. “We propose that the IoT and blockchain industries require the exact opposite–a trusted intermediary that reports on the state of the blockchain on behalf of the IoT device,” the three state in their paper. “Such an entity, which we call a Pythia, could interact with the blockchain on behalf of IoT devices and do so in a trusted fashion. Therefore, it would act both as an oracle to the device, as well as an oracle to the blockchain.”
“Pythia is named after the priestess at the temple of Apollo in ancient Greece, who acted as a go-between between the gods and humans,” explains the university press release. “With this system in place, IoT developers will be able to trust blockchains more easily, leading to many new approaches for a secure IoT.”
SEE: IT leader’s guide to the blockchain (Tech Pro Research)
Still in the planning stage
Fremantle, Aziz, and Kirkham explain that Pythia is a preliminary proposal at this time. But, they are convinced it is possible to implement:
- A blockchain based on existing distributed ledgers that enable Smart Contracts such as HyperLedger or Ethereum; and
- A SGX-based blockchain client to provide trusted data from the blockchain.
The three researchers believe their methodology of using a distributed ledger to provide a shared governance model for IoT devices, networks, and cloud systems is workable, and they are in the process of prototyping the concept. Fremantle adds a cautionary note, “Unless we solve the security problems soon, there will be more serious attacks coming.”
All one has to do is search “2017 and IoT botnets” to see that Fremantle is not kidding.