The billions of smart devices coming to the internet of things could transform homes, cities and lives. But they also could create a serious security headache.
The centralized security model common in the enterprise today will struggle to scale up to meet the demands of the internet of things, or IoT. And, with so many devices designed to be tiny and unobtrusive, pulling them from circulation could be difficult if they are captured in a botnet or go rogue.
Blockchain, and the combination of cryptographic processes behind it, offers an intriguing alternative. Because blockchain is built for decentralized control, a security scheme based on it should be more scalable than a traditional one. And blockchain’s strong protections against data tampering would help prevent a rogue device from disrupting a home, factory or transportation system by relaying misleading information.
“Blockchain is promising for IoT security for the same reasons it works for cryptocurrency: It provides assurances that data is legitimate, and the process that introduces new data is well-defined,” said Ahmed Banafa, IoT expert and lecturer at San Jose State University, who wrote a popular overview of the potential for blockchain to solve IoT security challenges.
The problem of IoT security needs solving because data flowing from sensors and embedded processors can change the way urban planners lay out hospitals and bus stops.
But blockchain isn’t a slam dunk. Bitcoin presents a simpler problem to solve than IoT security. With bitcoin, blockchain simply moves wallets of currency from one anonymous owner to another. Full-fledged device authentication, security and control layers are more complex.
In a recently published paper, Hardjono described a blockchain-based IoT framework called ChainAnchor. This framework addressed device security with activation and security layers supported by device makers, data providers and independent third parties.
In the paper, he argued that some or all of these parties could be allowed to license or sell anonymized data coming from IoT devices. Receiving the data could create incentives for outside agencies to participate in the blockchain, bringing additional CPU power to support the health of the system.
The proposed framework includes layers of access that can keep out unauthorized devices or cut bad actors (such as a hacked device) from the network. It also includes cases for safely selling and removing devices from the blockchain.
Researchers at the University of New South Wales in Sydney, Australia, are taking a different approach to blockchain-based IoT security. In their model of a blockchain-secured smart home, a high-powered block miner replaces the usual internet router or media center to manage all local network transactions. This device not only manages the internal blockchain but also controls communication between home-based IoT devices and the outside world. It also authorizes new IoT devices and could curtail or cut off devices that are behaving badly. In this model, even if a lightbulb is captured by a botnet, the miner would see that the lightbulb is trying to attack an outside server and block its packets from leaving the home.
Blockchain Not A Panacea
One potential limitation of blockchain as an IoT safeguard is the 51 percent attack problem. Because blockchain works through consensus, if 51 percent of the processing power in a network colludes to change a transaction, that change will be accepted.
Having a wide diversity of nodes, physically distributed around the globe, helps stave off “51 percent attacks” on bitcoin. A small, private IoT network in a home or single office building or factory, however, is not physically distributed. Consequently, a determined hacker could more easily subvert 51 percent of the processing power in a single location.
And although IoT devices are miracles of engineering, they are still underpowered compared to the hardware powering successful blockchains. Blockchain processing tasks are computationally difficult and time-consuming, and for good reason: The heavy computational load helps protect integrity. As a result, many devices lack the processing power to participate directly in a blockchain.
“The proof-of-work step in blockchain creates costs for someone who might want to flood a network with fake information,” said Christian Catalini, an assistant professor at the MIT Sloan School of Management in Cambridge, Massachusetts.
The IoT smart home concept simplifies the blockchain by reducing the proof-of-work computational requirement typical of other implementations.
“Standard IoT devices can’t do this kind of heavy computational work, just like you can’t mine bitcoins on a standard laptop anymore,” said Salil Kanhere, an associate professor and researcher at the University of New South Wales. “Relaxing those standards in a smart home environment will help scale up adoption.”
Even with simplified processing, the smart home IoT described in Kanhere’s work needed more processing and electrical power to complete transactions, and suffered longer delays than a conventional network architecture.
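The tamper evidence and proof-of-work cost discussed in this section, sketched as an added example (not code from ChainAnchor, the University of New South Wales design or any other system the article describes). It assumes SHA-256, a difficulty rule of leading zero hex digits, and constructed sensor readings; comparing the attempt counts shows how much writer cost a relaxed proof-of-work gives up.

```python
import hashlib
import json

GENESIS = "0" * 64

def block_hash(prev_hash, reading, nonce):
    # The hash covers the previous block's hash, so each block commits to all history.
    payload = json.dumps([prev_hash, reading, nonce], sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()

def mine(prev_hash, reading, difficulty):
    """Find a nonce whose hash starts with `difficulty` zero hex digits.
    Returns (block, attempts); attempts is the work the writer had to spend."""
    target, nonce = "0" * difficulty, 0
    while True:
        digest = block_hash(prev_hash, reading, nonce)
        if digest.startswith(target):
            return {"prev": prev_hash, "reading": reading,
                    "nonce": nonce, "hash": digest}, nonce + 1
        nonce += 1

def build_chain(readings, difficulty):
    chain, prev = [], GENESIS
    for reading in readings:
        block, _ = mine(prev, dict(reading), difficulty)  # copy the sample input
        chain.append(block)
        prev = block["hash"]
    return chain

def first_invalid(chain, difficulty):
    """Index of the first block that fails verification, or -1 if intact."""
    prev = GENESIS
    for i, b in enumerate(chain):
        digest = block_hash(b["prev"], b["reading"], b["nonce"])
        if (b["prev"] != prev or digest != b["hash"]
                or not digest.startswith("0" * difficulty)):
            return i
        prev = b["hash"]
    return -1

# Constructed sample readings, not data from the article.
READINGS = [{"device": "thermostat-1", "temp_c": 21.5},
            {"device": "door-lock-1", "locked": True},
            {"device": "bulb-3", "on": False}]

if __name__ == "__main__":
    chain = build_chain(READINGS, difficulty=3)
    print("intact chain:", first_invalid(chain, 3))
    chain[1]["reading"]["locked"] = False  # a falsified reading
    print("after tampering, first invalid block:", first_invalid(chain, 3))
    for d in (1, 2, 3, 4):
        print("difficulty", d, "attempts", mine(GENESIS, READINGS[0], d)[1])
```

Each extra zero digit multiplies the expected attempts per block by 16, which is the cost a low-power home network trades away when it relaxes the requirement.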
The Big Picture
Blockchain’s potential to transform the way we think about IoT security is actually a side effect of an even greater opportunity: to rethink problems with online identity that have been festering for decades.
“The internet was not designed for the transactions taking place today,” Catalini said. “And our communication protocols don’t have enough information about the identity of individuals or devices embedded in them.”
The stakes are bigger than just keeping industrial sensors online and fitness bands on task. Tackling these challenges will create new approaches to online identity, trustworthy transactions and resilient networks.
“We’re in the early stages of rebuilding our digital infrastructure,” Catalini said.