See how blockchain can strengthen IoT security
The Internet of Things (IoT)—the inter-working of physical devices—goes beyond machine-to-machine communication. Devices send streams of data to be analyzed, worked on, and stored. Because this information is used to improve efficiency and accuracy, to optimize performance, or simply to report status, we must have full assurance that these devices are secure and that the data sent is valid. We must ensure that the devices and the data have not been manipulated or compromised.
Distributed Denial of Service (DDoS) attacks using the IoT
As an example, let’s look at one of the latest DDoS attacks that brought down half the eastern seaboard of the US. The attack was concentrated on DYN, a large Domain Name System (DNS) provider for URL resolution for the US. The attacker knew full well that without DNS servers, no web sessions could be completed using URL resolution.
How were the DYN servers brought down? This was an ingenious attack using non-secure, non-traditional IoT devices from around the world. As we learned from this attack, the general population is unaware of how easy it is to attack a device and break its security. Typically, these IoT devices have one layer of security: a username and password. Many or most come with simple default passwords that consumers do not realize they should change.
An internet bot was used to brute-force the credentials of the IoT devices, in this case, mainly IP-connected cameras. By loading small scripts or uploading new software, these devices could then be used as a robot army, sending request messages to the DYN DNS servers, overloading them, and ultimately causing them to crash. DDoS attacks like this are common, relatively easy to execute, and can cause a lot of harm on today’s networks.
IoT devices compromised by internet bot
Below is a sample from the Mirai bot that compromised all these IoT devices.
As can be seen from the code, it uses a simple, brute-force attack on usernames and passwords. The passwords are very easy and, typically, are the default ones for new equipment. The users or installers of these devices either neglected to change the default passwords, or they changed them to very simple ones that would be easy to guess. (Even more-complex passwords may be breakable, given enough time and the right algorithm.)
How can we secure the IoT?
How do we secure these devices? With today’s technology, there is no security appliance in the market that can provide 100 percent security. Sure, most can provide relatively good security, possibly making it harder for a bad actor—at least hard enough that the actor will move on to an easier target. But there are those persistent bad actors who might see that as a challenge and persevere.
How to combat the IoT security threat
So what do we do with those persistent bad actors? How do we combat their threat?
Machine-to-machine communication is increasing exponentially with IoT devices. We collect data from an IoT device, perform analytics on that data, create output, and send it back to the device for optimization. If any of the data from the IoT device to the analytics engine or in the return feedback loop is compromised, we could be faced with a disaster, depending on the type of device. So security for the IoT and its data is becoming increasingly important.
In addition to the basic security of username and password, we need something such as blockchain technology to provide data integrity assurance. Blockchain technology allows for a unique way to bind data to its creation time and origin. This produces a defensible chain of custody that can be used to independently verify data integrity without relying on any centralized trust anchors. If implemented correctly, blockchain technology, coupled with governance policies, can provide the assurance that no data has been compromised.
How blockchain can assure data integrity
How does blockchain technology do this? What do we need from a blockchain to make this possible?
Blockchains are typically built for different applications: for example, cryptocurrency, smart contracts, or the IoT. Each application has its own set of requirements, so one blockchain does not fit all. This does not mean we can’t use a combination of them to get the desired result. The key blockchain features needed for the IoT are:
- distributed architecture
- low maintenance
An IoT blockchain must meet all these requirements since trade-offs can impact the functioning and effectiveness of the IoT.
So, how do we secure IoT devices and prevent them from becoming a bot army?
For DDoS, one way would be to store all the DNS entries in a blockchain, distributing the entries and making them transparent: in effect, giving control to the IP owners.
Blockchain software supply chain
For IoT devices, this would require manufacturers to implement a blockchain software supply chain to prove the provenance and chain of custody of the software and the configuration loaded on any device. Governance can be achieved via smart contracts using another blockchain. By securing their software supply chain and implementing smart contracts, devices will be less prone to bot attacks.
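The chain-of-custody idea from the data-integrity section (binding data to its creation time and origin), applied to the firmware provenance check described here, as an added example that is not part of the original article. It is a single-process hash chain standing in for a distributed ledger, with no consensus or signatures; the origin name, timestamps and firmware bytes are constructed sample values.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first block

def _digest(obj) -> str:
    """SHA-256 over a canonical (sorted-key) JSON encoding."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def append_record(chain, origin, created_at, payload: bytes):
    """Append a block binding the payload digest to its origin and creation time."""
    body = {
        "index": len(chain),
        "origin": origin,
        "created_at": created_at,
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
        "prev_hash": chain[-1]["hash"] if chain else GENESIS,
    }
    chain.append({**body, "hash": _digest(body)})
    return chain[-1]

def verify_chain(chain):
    """Return the index of the first inconsistent block, or None if intact."""
    prev = GENESIS
    for i, block in enumerate(chain):
        body = {k: v for k, v in block.items() if k != "hash"}
        if block["index"] != i or block["prev_hash"] != prev or _digest(body) != block["hash"]:
            return i
        prev = block["hash"]
    return None

def firmware_is_registered(chain, image: bytes, origin) -> bool:
    """Device-side check: exact image recorded by the expected origin on an intact chain."""
    if verify_chain(chain) is not None:
        return False
    digest = hashlib.sha256(image).hexdigest()
    return any(b["payload_sha256"] == digest and b["origin"] == origin for b in chain)

def demo():
    chain = []
    fw1 = b"camera-fw 1.0 (constructed sample)"
    fw2 = b"camera-fw 1.1 (constructed sample)"
    append_record(chain, "vendor-build-01", "2017-01-10T09:00:00Z", fw1)
    append_record(chain, "vendor-build-01", "2017-02-02T14:30:00Z", fw2)
    genuine = firmware_is_registered(chain, fw2, "vendor-build-01")
    modified = firmware_is_registered(chain, fw2 + b" modified", "vendor-build-01")
    chain[0]["created_at"] = "2016-01-01T00:00:00Z"  # rewrite a recorded creation time
    return genuine, modified, verify_chain(chain)

if __name__ == "__main__":
    print(demo())
```

In a real deployment the chain would be replicated across independent parties and each record signed by its origin, so that no single holder could recompute the hashes after an edit.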
These are just a couple of ideas on how to secure the IoT using blockchain technology. There are many different use cases in the IoT, each with its own unique set of requirements. Although blockchain technology is not a silver bullet for security, it has great potential to add another layer in the security arsenal to combat cyber crime.
The uptake of blockchain technology in the industry proves that it has the potential to solve some pressing security issues. As blockchain implementations mature, there will be more momentum in the use of blockchains.