For those reading this who were cognizant of such topics as the Internet of Things (IoT) and security architecture back in 2016, you may have had some passing knowledge of the Mirai botnet attacks that showed us all just how risky the present client-server model of IoT can be. At issue is the reality that the vast majority of these kinds of networks rely on a central authority to manage devices, which, as the world becomes more aware of the capabilities of blockchain security, makes the centralized model seem as antiquated as a quill pen and papyrus.
Present Security Architecture Shortcomings
As most IoT networks are currently configured, data isn’t be considered trustworthy until it is vetted and allowed to pass through a single controlling security “gate.” As we saw with the Mirai incidents, a botnet barrage can focus efforts on compromising this lone point through a Distributed Denial of Service (DDNS) attack. Once through the centralized security “gate,” a hacker can access the resources of the entire IoT network. For those familiar with blockchain technology (which we’ll discuss in more detail in relation to the IoT shortly), the disadvantages of the present centralized security approach are obvious, especially when compared to the more secure distributed model found in blockchain technology.
How Overwhelmed Centralized Servers Could Wreck Your Life
It’s one thing to prattle on about the “disadvantages” of centralized server control on the IoT. It’s another, however, to bring into focus exactly what it could mean in your life or the business life of corporations everywhere. Let’s get more precise.
Online security: Through something as ubiquitous as a coffee maker (or any of dozens of other devices) attached to a home network, a hacker could enter the system and gain access to ALL the information on ANY network connected device. That means passwords, checking or savings accounts – all the worst parts of identity theft. Following that thread of thought, it would be relatively easy to introduce ransomware or tell devices to stop functioning entirely.
Surveillance: Got security cameras? Many homeowners and businesses do. One glaring weakness of a centralized server is how easy it is for hackers to get into the system and use security cameras to surveil the surroundings. What better way to have your privacy invaded or to case the place for a burglary? Even the remote camera on your vacuum cleaner could be hijacked by those with ill intent. We’re getting into creepy and legitimately dangerous territory here now.
A large enterprise nightmare: We’ve already mentioned Mirai. One offshoot, Persirai, has been trained to infect 1,250 different types of security cameras. As in the Mirai attack, the resources of a company’s network can be conscripted in support of a global DDNS attack. Since resources are involved in doing the hacker’s criminal bidding, there will be little bandwidth and processing left for legitimate work, slowing operations to a crawl and, oh, by the way, leaving protected company data wide open for stealing.
Shut it down: Sometimes a hacker has no other end in mind than the mischief involved in making another person’s life miserable. There are so many ways to penetrate what passes for security in today’s IoT networks – Man in the Middle, spoofing, cloning, data sinkholes – that a bad actor can sit back and take his or her pick. Once inside, it’s an easy matter to shut down or destroy devices, infect them with malicious code, and make a network permanently unusable. When you might have spent thousands of dollars to create this “smart” home network in the first place, losing it all just because some tech whiz was bored on a Sunday afternoon is likely not your definition of a good time.
Dumb Needs to Get Smarter
A few years ago, no one was really paying attention to lax security in the rush to set up IoT networks. The end goal was to create the smart home of the future but, oops, along the way we forgot that all this lightly protected bandwidth was just sitting there waiting for someone with the ill intent to harness and aim. That’s what happened in the Mirai incident. IoT networks were responsible for a large part of the DNS attack that managed to temporarily squirrel up servers associated with Twitter, PayPal, and Netflix as well as millions of innocent bystanders. For a few days, it appeared the internet was on its way to grinding to a halt in the face of the most widespread hack to date, and all this because IoT networks around the world were so easy to penetrate.
Why Blockchain is Better
In 2009, we began to hear about a brand new digital cryptocurrency, Bitcoin, which has since become a household name and private currency with market capitalization measured in the billions. While the idea of a digital currency that was beholden to no government or central bank was compelling, techies focused at least as much on the underlying database technology, dubbed blockchain, that offered the promise of the most secure online environment ever conceived. The blockchain model turns previous ideas of central authority, like those implemented by everything from your local bank to the IoT network that runs your house, on its head by decentralizing the whole thing, meaning that all participants in a blockchain have to verify a transaction before it is accepted as legitimate. This approach might not be unhackable, but it’s close. The cost in computer resources required to overcome a blockchain is so high as to be impossible for most single entities or modest organizations to mount.
Applying Blockchain Technology to an IoT
Think about the centralized authority model with an IoT network for a moment. The devices, though we like to call them smart, by design are not allowed to make security decisions on their own outside the central authority. With the blockchain model, a complete set of data is replicated and stored in its entirety with each device. Before any bit of data can be added to the network – such as when a hacker is gathering resources for a DNS attack – it must be verified and approved by all nodes on the network.
What should be apparent is that no longer can an IoT network be compromised from a single node. Instead, anyone engaged in nefarious behavior would have to figure out how to take over a majority of the network all at once, which is a much more difficult task. For example, in the Mirai botnet attack, a network protected by blockchain technology would have detected and quarantined the malware before it could consume enough of the network to take control.
Not a Panacea – Yet
The IoT universe, advanced as it might seem already, is in the nascent stage of development, which might actually be a good thing for those who see the potential in integrating blockchain protection from the ground up. The reality is that IoT presents a stiffer challenge than cryptocurrency, in which the distributed network is tasked only with moving currency wallets from one anonymous owner to another. To authenticate, secure, and control the layers of an entire network of devices, more complex infrastructure is needed.
Already, frameworks are being built to undertake these technical challenges. A suitable framework would need the ability to keep out unauthorized intrusions and to drop hacked devices from the network to prevent the spread of malware. There would also need to be a protocol for adding and removing devices from the blockchain without triggering a defensive reaction.
Another problem blockchain must overcome in order to be seen as a viable solution is the 51 percent attack problem as applied to small, physically confined IoT networks. In order to gain control of a blockchain requires the agreement of a majority of network devices, a difficult task when the network is scattered around the globe, but it becomes exponentially easier when targeting a home network. Though impressive, the smallish devices currently at work on home networks don’t have the computing power necessary to keep a full-fledged blockchain working at top speed. Experts have turned to the idea of a “dumbed down” blockchain approach that offers considerably more protection than the centralized authority version but doesn’t quite meet muster as a full-fledged blockchain.
The bottom line is that the Internet, as currently configured, was not designed to handle the volume and complexities of modern transactions. Built with decades-old technology, it’s not surprising that security breaches are large and occur often. Implementing blockchain technology to the IoT sooner rather than later would be a good idea. Get it in place. Finetune it later. A failure to address the gaping security holes now will assure a global headache for millions of smart homeowners later.
About the Author: Gary Stevens is an IT specialist who is a part-time Ethereum dev working on open source projects for both QTUM and Loopring. He’s also a part time blogger at Privacy Australia, where he discusses online safety and privacy.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.