What do local car dealers, hospitals and banks all have in common? At first glance, not much. However, all of them have recently become hacker targets. Why now, when other, much larger corporate entities have traditionally been the targets? One word – resources. Their resources, both network and personnel, are stretched thin. With the increased complexity and length of Distributed Denial-of-Service (DDoS) attacks, it’s a struggle for all organizations, let alone small and medium businesses. The 2016 State of SMB Security Report found that half of the 28 million small businesses surveyed were breached in the past year. Verizon’s 2017 Data Breach report found that 61% of data breach victims were businesses with fewer than 1,000 employees.
Recently, Italian bank UniCredit suffered two security breaches. Data of 400,000 customers was stolen, including loan account numbers and Personally Identifiable Information (PII). The breach is suspected to have involved interaction with a third party. This incident is the latest in a long history of cyber-attacks against financial institutions. Every hack, however, can teach us a lesson.
Privacy or profit, that is the question. For C-suite executives around the world, safeguarding their organization’s data and meeting government regulations without adversely affecting day-to-day operations has always been a careful balancing act.
Blockchain in the IoT world
A blockchain implementation in the IoT world is probably not best served by a public blockchain based on Proof of Work. The inefficient consumption, not to say waste, of energy needed to generate Proof of Work is fundamentally at odds with the premise of IoT devices, which have to consume less energy and are in some cases battery powered. Proof of Work comes at a severe cost and adds little value to the use case of a distributed ledger operated within a consortium of partners. Hence an implementation based on Proof of Stake provides a better starting point for any attempt to chainify an IoT ecosystem in which a consortium of partners is adopting a new business application. Security would then rest on a limited number of centralized nodes or cloud servers; by design it does not rely on independence from central trust the way the public cryptocurrencies do. Most blockchain use cases I came across start from the assumption that there is a set of parties or a consortium of partners with a common interest in a specific ledger. While the ledger might serve the larger public in terms of better quality and faster service, the consumer is not directly concerned with or interested in the ledger itself; only the parties who provide the service and rely on the ledger for remuneration will be.
A world of hashing
IBM, in partnership with Samsung, unveiled a concept called ADEPT (Autonomous Decentralized Peer-to-Peer Telemetry) that uses technologies such as blockchains to create distributed networks of autonomous devices in a decentralized IoT ecosystem. As their whitepaper explains, any protocol used by autonomous systems within the IoT ecosystem should be secured, authenticated and distributed, and the foundational communication functions which each node in the ecosystem should be able to perform in a distributed fashion are messaging, file sharing and coordination. Accordingly, IBM and Samsung used three protocols for their concept: BitTorrent for file sharing, Ethereum for smart contracts, and Telehash for peer-to-peer messaging.
The first foundational function is obvious. IoT devices typically interact with their environment through actuators and collect information about their environment from sensors. Whenever a change in the environment is sensed, a messaging system should provide a means to relay that information to other autonomous systems such as devices, servers or services. Such messaging must be distributed, secured and authenticated in proportion to the sensitivity of the information transported. Current IoT messaging systems, MQTT for example, use a central broker design; while they can be secured and authenticated, they will never scale to millions or billions of devices without complex hierarchical designs. In highly distributed, highly unreliable (I)IoT environments with low bandwidth, fluctuating latencies and regular disconnections, new peer-to-peer messaging systems are required which provide encrypted messaging and transport, guaranteed delivery, and store-and-forward of messages with ‘hop-on’ to other devices. Technology such as Distributed Hash Tables (DHT), used by the BitTorrent network, enables peers to search for and find other peers in the network using a hash table of (key, value) pairs. Every peer generates and stores its own unique hashname in the DHT and uses the DHT to find the peers it exchanges encrypted messages with. Telehash is an open source messaging protocol built on a DHT; it provides distributed, secure messaging and routing through the Kademlia DHT implementation.
Distributed file sharing between nodes in an IoT ecosystem could provide for the exchange of larger chunks of non-real-time information such as configurations, global policies, and firmware/software updates. BitTorrent is well known as a robust and performant peer-to-peer file sharing protocol, and its trackerless torrents are based on the same Kademlia DHT implementation as Telehash.
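The Kademlia lookup that both Telehash and trackerless BitTorrent rely on, as an added worked example (not code from Telehash, BitTorrent or the ADEPT project): node IDs are SHA-256 “hashnames” of constructed public-key strings (an assumed derivation), the routing tables use k-buckets keyed by the highest differing bit, and the whole network is simulated in one process so it runs offline.

```python
"""Kademlia-style DHT lookup, the peer-location mechanism shared by Telehash and
trackerless BitTorrent. Added example, not code from Telehash, BitTorrent or ADEPT.
IDs are SHA-256 'hashnames' of constructed public-key strings (assumed derivation)."""
import hashlib

K, ALPHA = 3, 2                 # k-bucket size / lookup parallelism

def hashname(pubkey: bytes) -> int:
    """Node or key ID: SHA-256 of the peer's public key (assumed scheme)."""
    return int.from_bytes(hashlib.sha256(pubkey).digest(), "big")

def closest(ids, target, k=K):
    """The k IDs nearest `target` under the XOR distance metric."""
    return sorted(ids, key=lambda n: n ^ target)[:k]

class Node:
    def __init__(self, pubkey: bytes):
        self.id = hashname(pubkey)
        self.peers = set()          # contacts held in this node's routing table

    def find_node(self, target):
        """FIND_NODE RPC handler: answer with the k nearest contacts we know."""
        return closest(self.peers, target)

def build_routing_tables(nodes, k=K):
    """k-bucket i holds peers whose XOR distance has its highest set bit at i;
    a node keeps at most k contacts per bucket (here: the k nearest to itself)."""
    for n in nodes:
        buckets = {}
        for m in nodes:
            if m is not n:
                buckets.setdefault((n.id ^ m.id).bit_length(), []).append(m.id)
        for members in buckets.values():
            n.peers.update(closest(members, n.id, k))

def iterative_lookup(start, target, network, k=K, alpha=ALPHA):
    """Ask alpha not-yet-queried shortlist peers per round and merge their answers,
    until every peer on the k-nearest shortlist has been asked.
    Returns (k nearest IDs found, number of rounds)."""
    shortlist, queried, rounds = closest(start.peers, target, k), set(), 0
    while pending := [n for n in shortlist if n not in queried][:alpha]:
        rounds += 1
        for nid in pending:
            queried.add(nid)
            answers = network[nid].find_node(target)
            shortlist = closest(set(shortlist) | set(answers), target, k)
    return shortlist, rounds

# Constructed network: 64 devices with made-up public keys.
NODES = [Node(f"device-{i}-pubkey".encode()) for i in range(64)]
NETWORK = {n.id: n for n in NODES}
build_routing_tables(NODES)

def locate(key: bytes, start=NODES[0]):
    """Peers responsible for `key` (e.g. a torrent info_hash), seen from `start`."""
    return iterative_lookup(start, hashname(key), NETWORK)
```

Because every contacted peer returns contacts at least one prefix bit closer to the target, the lookup converges on the true nearest node in O(log n) rounds without any central broker or tracker.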
When there is a need for transactions in the IoT ecosystem, blockchain is the technology which provides the decentralized ledger where autonomous nodes in the network can verify the validity of each transaction without relying on a central authority. Every node in the system keeps a complete history of all the transactions performed in the whole ecosystem. Because of its distributed nature the ledger is tamper-proof, robust and not prone to man-in-the-middle attacks. Using blockchain, IoT devices become truly autonomous smart devices which perform payments, enter agreements with other autonomous systems in the same ecosystem (such as providing resources in return for certain services), provide history, and support entitlements throughout the whole ecosystem without requiring a central entitlement server or service. Imagine smart devices that are part of a larger IoT ecosystem placing orders to repair other parts of the ecosystem, using the blockchain as proof of support entitlement or paying directly from a global pool of tokens for replacement parts or interventions: a self-sustaining, self-supported, self-maintaining smart ecosystem that does not require any human intervention to operate and maintain. Blockchain as a technology is able to provide any functionality that requires a trusted ledger of transactions, which can also include events for compliance and regulatory management of Industrial IoT applications.
The ADEPT PoC successfully demonstrated four use cases using functional Samsung products:
- A W9000 Samsung washer autonomously reordering detergent (B2C)
- A W9000 Samsung washer autonomously reordering service parts (B2C)
- A W9000 Samsung washer autonomously negotiating power usage (B2C)
- Samsung Large Format Displays (LFDs) autonomously displaying advertising content (B2B)
“By empowering devices to engage autonomously in markets – both financial and nonfinancial – and react to changes in markets, the IoT will create an ‘Economy of Things’. Virtually every device and system can potentially become a point of transaction and economic value creation for owners and users. These capabilities will be crucial to everything from enabling sharing economies to energy efficiency and distributed storage.”
The ADEPT whitepaper noted that certain issues, including scalability and the nature of cryptocurrency development today, are potential challenges should the concept ever be applied on a grander scale. The authors address network scalability within the context of a distributed IoT; according to them, there are no clear paths forward to scale the system as-is to incorporate billions of devices, but work in this area is promising. As they state in the paper: “Multiple efforts like sidechains, treechains, and mini-blockchains are ongoing to address this problem. While each approach has its merits and demerits we are yet to see consensus on a common approach across the board. A blockchain to cater to hundreds of billions of devices needs to be scalable.” Also notable is the distinction between three broad categories of devices. Depending on their computing and storage capabilities, devices can be light peers, which retain a light wallet with their blockchain addresses and balances and perform minimal file sharing. To obtain its blockchain transactions, a light peer turns to a trusted peer. The authors start from the assumption that in the next few years the cost of general-purpose computing will decline and more manufacturers will turn to devices with increased computing power and storage, creating the ‘standard peers’ of the concept. A standard peer retains a part of the blockchain, based on its capabilities. The third category of devices, the ‘peer exchanges’, are high-end devices with vast computing and storage capabilities. These (cloud server) peers are owned and operated by the organizations and host the marketplace components such as analytics, payment exchanges, trade, legal compliance solutions, …. and are capable of interoperating and interacting with other business solutions. The peer exchanges are also the (only) repositories retaining a complete copy of the blockchain.
High-profile, high-reward targets for hackers
While public cryptocurrencies provide inherent resistance against traditional DDoS attacks, interfaces have to be formed between blockchain systems and third-party services, and between the systems and their users. Those interfaces will most conveniently be built as web APIs and/or web applications, reaching back to centrally brokered cloud solutions. Even if the technology behind the service is highly distributed and resistant to DDoS attacks, the entry points and bridges between the ecosystems will represent high-profile, high-reward targets for hackers. Consider the recent DDoS attacks on the Bitfinex and BTC-e Bitcoin exchanges: the attacks targeted and impacted the web service of the exchanges, not the blockchain nodes. There are also recent examples of hackers compromising these service points and stealing cryptocurrencies by redirecting web domains. Again, what was exploited was not a vulnerability of the blockchain but the entry point or service point which provides end-users convenient access to the backend blockchain.
Until now we considered the blockchain to be perfect and not vulnerable to attacks, and while the algorithm might not be flawed, the implementation or the application (such as a smart contract) on top of the blockchain could be. Ethereum provides a programming language embedded in the blockchain to enable smart contracts and applications on top of the blockchain. On June 17th, 2016, a hacker used a weakness in the DAO code (a smart contract written on top of the Ethereum blockchain) to drain 3.6 million ETH ($53m), essentially a third of the fund, into an account under his control within just a few hours.
In July 2015, Bitcoin activated the BIP66 soft fork. Pieter Wuille then disclosed that BIP66 fixed a consensus bug in OpenSSL that could cause a chainfork. Since many sidechains, including Namecoin, were based on Bitcoin and hadn’t yet activated BIP66 at the time of disclosure, this resulted in a serious 0day opportunity on the sidechains.
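The consensus rule BIP66 introduced is a byte-exact check on the DER encoding of ECDSA signatures, so that every node reaches the same verdict regardless of which parser library it was built against. Below is a reimplementation of that check, added here as an example (not the page’s code and not Bitcoin Core’s source), together with a canonical encoder and constructed test vectors that a lenient parser would decode to the same (r, s) but a strict one must reject.

```python
"""BIP66's strict DER encoding check for ECDSA signatures, reimplemented as an
added example (not the page's code). Before BIP66, Bitcoin accepted whatever
OpenSSL's lenient DER parser accepted, so nodes built against different parsers
could disagree on the same block and fork the chain; a strict, byte-exact rule
removes that ambiguity."""

def is_valid_der_signature(sig: bytes) -> bool:
    """True only for the one canonical encoding of (r, s) plus a sighash byte:
    0x30 [total-len] 0x02 [len-r] [r] 0x02 [len-s] [s] [sighash]"""
    if len(sig) < 9 or len(sig) > 73:             # two 1-byte ints ... two 33-byte ints
        return False
    if sig[0] != 0x30 or sig[1] != len(sig) - 3:  # SEQUENCE; length excludes tag, len, sighash
        return False
    len_r = sig[3]
    if 5 + len_r >= len(sig):                     # r must leave room for s header and sighash
        return False
    len_s = sig[5 + len_r]
    if len_r + len_s + 7 != len(sig):             # no trailing or missing bytes
        return False
    if sig[2] != 0x02 or len_r == 0 or sig[4] & 0x80:        # r: INTEGER, non-empty, positive
        return False
    if len_r > 1 and sig[4] == 0x00 and not sig[5] & 0x80:   # no superfluous 0x00 pad on r
        return False
    if sig[len_r + 4] != 0x02 or len_s == 0 or sig[len_r + 6] & 0x80:   # same rules for s
        return False
    if len_s > 1 and sig[len_r + 6] == 0x00 and not sig[len_r + 7] & 0x80:
        return False
    return True

def encode_der_signature(r: int, s: int, sighash: int = 0x01) -> bytes:
    """Canonical encoding: minimal big-endian integers, with a 0x00 pad only when
    the high bit would otherwise mark the integer as negative."""
    def der_int(v: int) -> bytes:
        body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
        if body[0] & 0x80:
            body = b"\x00" + body
        return bytes([0x02, len(body)]) + body
    inner = der_int(r) + der_int(s)
    return bytes([0x30, len(inner)]) + inner + bytes([sighash])

# Constructed vectors: one canonical signature and two encodings that decode to
# the same (r, s) under a lenient parser but must be rejected under BIP66.
CANONICAL = encode_der_signature(0x7F, 0x80)
PADDED_R = bytes.fromhex("30070202000102010101")   # r=1 carrying a needless 0x00 pad
TRAILING = CANONICAL + b"\x00"                      # extra byte after the sighash
```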
Hajime – the first distributed, multi-platform IoT software in production
Remember the Hajime IoT botnet malware? The botnet is estimated at a whopping 300,000 compromised IoT devices that communicate through a distributed, peer-to-peer, trackerless BitTorrent network, leveraging DHTs and using rotating info_hashes with RC4 and public/private keys for authenticating and encrypting communications. Hajime supports a large range of IoT platforms based on the arm5, arm6, arm7, mipseb and mipsel architectures. It provides automatic silent updates and modularity through extension modules. It has even solved the distribution problem, as it proliferates through common IoT vulnerabilities and exploits, and it aims at securing the devices from further compromise by other IoT botnets – except for BrickerBot, which aims its crosshairs at any infected IoT device in an attempt to brick it.
The only feature Hajime is missing today is a blockchain implementation, which could bring new business applications to the botnet through a proper payment system for victimized devices and owners that could get ransomed by it… Joking… I hope….
As the future for scalable IoT is moving into autonomous, decentralized systems, providing new applications through Blockchain and growing into an Economy of Things, we all need to keep our mindset on security first. If we want to make the Economy of Things a profitable reality, our first priority should go to improving the overall state of security of all things connected, new and existing.
Circling back to our main interest, the world of the IoT. In order to create a blockchain shared between autonomous devices that fulfills the security properties required to ensure operation of the ecosystem, the ‘good’ devices need to accumulate a minimum 51% share of the compute power in the system. To put this requirement in perspective, consider a Raspberry Pi 3, which represents a fairly well equipped IoT device in terms of memory, storage capacity and CPU power – note that most current IoT devices are far behind it in computing capability. An RPi3 is able to generate about 10 hashes per second for the Ethereum Proof of Work. Your kid’s gaming rig, equipped with an Nvidia GTX1070 GPU, performs the same task at a rate of 25.1 million hashes per second. This means that, in general, to have the same probability of completing the Proof of Work before any hacker with a modern-day PC, the system needs to be composed of at least 2.5 million RPi3 devices. Put differently, any IoT system using the same distributed trustless consensus paradigm as Bitcoin needs to be larger than 2.5 million devices before it could be deemed secure from DoS and reverse attacks by individuals. This does not even take into account government-sponsored or organized-crime hackers, who have access to far more powerful systems, or people who have purpose-built hardware based on FPGAs, typically used to mine Bitcoins efficiently.
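The fleet-size arithmetic above, generalised as an added example (not the post’s own calculation): it computes the honest hash share for any fleet size, the fleet needed to hold a given share, and, using the attacker-success formula from section 11 of the Bitcoin whitepaper, how many confirmations such an IoT ledger would need before a transaction is safe from a single GTX1070 owner. The hash-rate figures are the ones quoted in the post.

```python
"""Proof-of-Work security budget for an IoT fleet, as an added example (not the
post's own calculation). Generalises the RPi3-versus-GTX1070 comparison: honest
share for a fleet size, fleet needed for a target share, and the attacker's
chance of rewriting z confirmations (Nakamoto's formula)."""
import math

RPI3_HPS = 10.0          # hashes/s for Ethereum PoW on a Raspberry Pi 3 (figure from the post)
GTX1070_HPS = 25.1e6     # hashes/s for one Nvidia GTX1070 (figure from the post)

def honest_share(fleet: int, device_hps: float, rival_hps: float) -> float:
    """Fraction of total hash power held by the fleet of honest devices."""
    honest = fleet * device_hps
    return honest / (honest + rival_hps)

def devices_needed(device_hps: float, rival_hps: float, share: float = 0.5) -> int:
    """Smallest fleet whose honest share is at least `share` against `rival_hps`.
    Solves n*d / (n*d + r) >= s for n."""
    if not 0 < share < 1:
        raise ValueError("share must be strictly between 0 and 1")
    return math.ceil(share * rival_hps / ((1 - share) * device_hps))

def attacker_success(q: float, z: int) -> float:
    """Probability that an attacker holding hash share q ever overtakes an honest
    chain that is z blocks ahead (Bitcoin whitepaper, section 11)."""
    p = 1.0 - q
    if q >= p:
        return 1.0                      # a majority attacker always catches up
    lam = z * q / p                     # expected attacker blocks while z honest blocks are found
    total = 0.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        total += poisson * (1 - (q / p) ** (z - k))
    return 1.0 - total

def confirmations_needed(q: float, max_risk: float) -> "int | None":
    """Confirmations until attacker success drops below `max_risk`; None if q >= 0.5."""
    if q >= 0.5:
        return None
    z = 0
    while attacker_success(q, z) >= max_risk:
        z += 1
    return z

def fleet_confirmations(fleet: int, max_risk: float = 0.001) -> "int | None":
    """Confirmations an IoT ledger of `fleet` RPi3-class devices needs before a
    transaction is safe from one GTX1070 owner at the given risk level."""
    q = 1.0 - honest_share(fleet, RPI3_HPS, GTX1070_HPS)
    return confirmations_needed(q, max_risk)
```

A fleet of one million RPi3-class devices leaves the single GPU owner with the majority, so no number of confirmations helps; at ten million devices the attacker still holds about 20% and a transaction needs on the order of eleven confirmations before the chance of it being reversed falls below 0.1%.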
Cryptocurrencies allow people to move money the same way they move information on the internet. As of June 25, 2017, more than 900 different cryptocurrencies are being traded. As of July 2017, the most popular and alpha cryptocurrency, Bitcoin (BTC), has a market cap of over $40 billion USD and trades with daily volumes averaging $1 billion, with peaks up to $2 billion per 24h. Blockchain, the foundational technology behind all cryptocurrencies, is not an easy-to-understand technology, as it is a weird combination of cryptography, distributed systems, economics, game theory, some graph technology, and politics. The most common reason for the existence of the many different cryptocurrency blockchains is ethically dubious money-making schemes. Most investors and consumers are incapable of evaluating the blockchain technology details and have convinced themselves that blockchains will make them loads of money and/or make the internet secure and/or overthrow the government. Besides providing real opportunities for cyber criminals and high-risk traders, the blockchain has sparked the interest of many industries, IoT being one of them. As the era of IoT is upon us and the number of IoT devices and size of IoT ecosystems is growing exponentially, blockchain is tipped as one of the technologies that will fuel the future of IoT.
After the Dyn attack by Mirai in October 2016, we knew we were facing an inflection point which would reshape the DDoS threat landscape for the coming months or years. The Internet of Things (IoT) would become an important part of that new landscape. After the attack, the inadequate security state of IoT and the unsophisticated nature of the botnets exploiting IoT devices such as IP cameras, DVRs and routers became apparent and the center of attention of many security researchers and reporters. IoT became the playground for many new bots and slowly turned into a battleground where bad bots, white-hat bots and vigilante bots fight over ever-growing numbers of poorly designed and insecure devices.
In a recent Light Reading webinar, Principal Heavy Reading Analyst Jim Hodges and I discussed the growing need for Managed Security Services. DDoS attacks are becoming increasingly sophisticated and complex, lasting more than 24 hours in some cases. The attacks aren’t limited to specific industries or company sizes anymore, and push stretched internal IT resources to the breaking point. The 0s and 1s that flash through service provider networks are equally vulnerable. Attackers don’t care where the data is coming from…they’re looking for vulnerabilities they can exploit for money. The days of hacks focused on large retail organizations like Target and Home Depot are behind us. Merck and Co., a large U.S.-based pharmaceutical firm, was one of several global companies impacted by a massive global attack. Don’t let these hacks bring your customers’ network down.
The newly published OWASP Top 10 2017 Release Candidate introduces a new application security risk – protection of APIs.
It’s not a secret that managing information security is becoming more complex. It is also no secret that there are more threats and more solutions to stay on top of. While it makes me wonder if we are reaching the limit of the capabilities of the human mind when it gets to efficient information analysis for proper decision-making, I am quite certain we can agree that as far as information security professionals go, we are definitely getting to that point, subject to day-to-day constraints.
In the movies (and real life) one often needs to go through the Key Master to get to the destination. The job of the Key Master is to keep control of the access to the locks and barriers that protect important or sensitive material. Sometimes there is one key to get to the hidden rewards while other times, there is a long string of keys that must be maintained and managed. In other situations, the Key Master is more of a Key Maker, generating keys upon request.