Cryptocurrencies allow people to move money the same way they move information on the internet. As of June 25, 2017 more than 900 different cryptocurrencies are being traded. As of July 2017, the most popular and alpha cryptocurrency, the Bitcoin (BTC), has a market cap of over $40 billion USD and trades with daily volumes averaging $1 billion with peaks up to $2 billion per 24h. Blockchain, the foundational technology behind all cryptocurrencies, is not an easy-to-understand technology as it is a weird combination of cryptography, distributed systems, economics, game theory, some graph technology, and politics. The most common reason for the existence of the many different blockchains for cryptocurrency are ethically dubious money-making schemes. Most investors and consumers are incapable of evaluating the blockchain technology details and convinced themselves that blockchains will make them loads of money and/or make the internet secure and/or overthrow the government. Besides providing real opportunities for cyber criminals and high risk traders, the blockchain has sparked the interest of many industries, IoT being one of them. As the era of IoT is upon us and the number of IoT devices and size of IoT ecosystems is growing exponentially, blockchain is tipped as one of the technologies that will fuel the future of IoT.
The question is to what extent the blockchain really affects and secures the IoT ecosystems. Since the IoT security debate broke and the blockchain gold-rush is gaining heavenly altitudes, one can find an article on how blockchain will secure and save the IoT every other week, evangelizing the pinnacle technology that will magically secure all the insecure devices and threats associated with them. Some are headlining how blockchain will resist DDoS attacks, others how blockchain will bring security to the devices and make them resistant to compromise and become part of larger botnet armies. Lots of those articles and talks are foggy, not exposing any details nor providing proof points. Clearly blockchain is hyping, so it’s a good time to go a bit deeper and try to separate the fantasy from the reality, scratching the surface to find what sits below the blockchain and how this can be leveraged to build a better future for IoT.
The future of IoT is decentralized
To understand the need for a technology like blockchain for IoT, we need to understand the problem IoT will be facing in the future. Note that I’m exploring mostly the technical side of the story; the rise of blockchain owes a lot to its openness and independence from any trusted parties or governing bodies.
Most of today’s IoT ecosystems are built around a centralized, brokered communication model. All the IoT devices in the system are known, authenticated and communicating through centralized, large cloud services which provide huge amounts of processing power and storage. Any two devices in the ecosystem that need to exchange information will be brokered through the central service. Even if they are only a couple of feet away and are connected to the same home network, they will have to connect to the public cloud servers to exchange even the smallest bit of information. Think of IFTT, a great and innovative automation tool, solving the simple predicate of ‘if this, then that’ by pulling in trigger events and emitting actions, fully governed in and from the cloud. Want to turn on the radio through your smart switch? Create an IFTT recipe and stitch the cloud in between your home switch and your internet connected AV receiver and admire the little miracle you just achieved.
While the cloud provides immense potential for computing and storage, and will continue to persist as the primary design pattern for small scale IoT deployments, this central model will not be able to cope with the huge ecosystems we expect to see in the near future. Even if centralized cloud servers could accommodate the scale in an economical fashion, they still are the single point of failure for the whole ecosystem and an optimal target for DoS attacks with a blast radium that impacts the whole ecosystem. To scale an ecosystem of devices to millions or even billions and make the system resistant against any currently known DoS attacks, a decentralized approach is preferred in which each device represents an autonomous system. All communication and information exchange between devices, servers and services, part of the ecosystem, should be based on a distributed autonomous system paradigm.
Blockchain use cases for IoT
As much as there is not one blockchain to rule them all, blockchain is also not the silver bullet for all issues faced by IoT today. Blockchain is not going to solve the security posture of IoT devices, nor protect them from being compromised and enslaved in large botnets to perform massive DDoS attacks. Neither will it prevent users from not changing the default passwords or forcing them to use secure authentication mechanisms. What blockchain can prevent, however, is disruption or corruption of transactional state or values in business processes that are based on the blockchain and run as business applications on top of the IoT devices or ecosystem. The blockchain provides trust and a way to rationalize complex business networks comprised of many participants in use today in the industry, such as energy, transportation, finance, manufacturing, and more. Manually keeping track of transactions across different participants, mostly using multiple ledgers and different IT systems, is complicated and prone to error. The token (money, services, products) needs to go from one participant to the other in exchange for other tokens (money, services, products) and there needs to be a trail of transactions associated. Blockchain provides this kind of distributed ledger where all participants can join in and transact tokens with each other.
Sky Matthews, CTO of Watson IoT at IBM discusses four use cases for blockchain in the context of IoT and how that will transform businesses as we know them:
- Improving workflow and real-time visibility on the status of shipments
- Asset lifecycles and history such as parts history and provenance, maintenance and repair history, damage events and transfer of ownership
- Infrastructure management where blockchain can facilitate distributed FCAPS capabilities across multiple administrative domains, and ability to track records across a distributed network where multiple suppliers and vendors participate
- Guaranteeing the safety and reliability of the food supply chain by tracking where ingredients from store-bought food originated from, how far they traveled, how long they were stored before being processed, etc.
In a broader context, blockchain has the ability to improve on many of the processes involving transactions, immutable history and ways to exchange value of any form (tokens/shares/contracts) between multiple, distributed participants. Namecoin for example is an experimental “altcoin” open-source project aimed at improving decentralization, security, censorship resistance, and speed of certain components of the internet infrastructure such as naming systems and identities. Namecoin was one of the first forks of Bitcoin and through the Dot-bit project it aims to implement a decentralized version of Domain Name System. As the name implies, Namecoin is a two faced system, partly domain name ecosystem and partly a currency. In what follows I describe how the economics are inherently tied to the prevailing of the domain name system. Without the economics, the system will simply fail and cease to exist.
Our internet experience depends on a centralized naming service called DNS for resolving names to IP addresses. The centralized nature of DNS might allow domain names to be controlled by governments or large organizations, abusing their power to censor the internet. Domain names can be hijacked and stolen by criminals and the central nature of the DNS infrastructure makes it prone to DDoS attacks. Dot-bit aims to solve most of those problems through the use of Namecoin, decentralizing and freeing website addresses much in the same way Bitcoin decentralized and freed money.
Websites leveraging Dot-Bit technology end with ‘.bit’ and clients surfing this alternative internet need to adopt a different way to resolve names to IP addresses. Dot-bit-enabled websites do not rely on traditional DNS servers to resolve their hostnames but store their records in digital ledgers provided by Namecoin. The system requires a full copy of the blockchain (a.k.a. the digital phonebook) on every client computer in the system. Through the distributed nature of the blockchain, every user in the world using Dot-Bit will have the same phonebook data and by consequence, it would become very hard to remove (censor) or change (hijack) entries for the same reasons no one can prevent anyone from spending Bitcoins. Because the phonebook is located on your local computer, it improves your privacy as no one can collect your name query information from central servers to analyze your surfing habits. The Dot-Bit project also claims to be much faster in propagating updates when websites move between locations. The typical DNS system can take between 24 and 48 hours to update all cached entries across the recursive DNS servers while the Dot-Bit blockchain should be able to provide and distribute updates within 40 minutes on average.
Distributed trustless consensus
Blockchains are a major breakthrough for the distributed trustless consensus problem. The other technologies used by blockchains such as distributed storage, pseudonymity, transaction verification, shared ledgers, digital contracts, … are essentially solutions that are well known outside of the blockchain space. The main innovation introduced by Satoshi Nakamoto in his original Bitcoin paper was the use of the so-called Proof of Work (POW) to enable trustless consensus and solve the double spend problem.
The Proof of Work is a requirement that needs to be performed in order to create a new block on a distributed ledger (the blockchain). The proof of work is a mathematical puzzle that takes a considerate amount of computing power to solve. It is an economical measure to deter DoS attacks and other abuses of the blockchain. In the case of bitcoin, the puzzle consists of finding a number (a nonce) that is included in the block such that the SHA-256 hash of the block has a certain amount of leading zeros. The required number of leading zeros changes over time and increases to compensate for increasing hardware speed and number of nodes in the system. Whenever a new candidate block is to be put at the end of the chain, miners who want to put the block on the chain need to solve the puzzle and be the first to do so. Depending on its compute power and an ounce of probability, a miner can be the first to solve the problem and wins the right to append the new block at the end of the chain. The miner who won will be rewarded, in the case of Bitcoin the reward comes in a certain amount of new Bitcoin.
Bitcoin, and more generally blockchains based on Proof of Work, are vulnerable to the 51% attack. A malicious agent that would be able to obtain at least 51% of the mining power of a blockchain for an extended time will have the ability to reverse or block transactions. Because they have the monopoly on which transactions get recorded on the blockchain, they can send new transactions and then reverse them, making it appear as though they still had the coin they just spent, a vulnerability known as double spending. The security of the blockchain is compromised if the aggregate ‘good behaving’ compute power does not keep at least a 51% quorum.
By incentivizing the miners, the system attracts good behaving compute nodes and the total compute power required to attack such systems increases with every good behaving node added to the system, making attacks nearly economically unviable. To put the economics in perspective, according to VICE Motherboard, in June 2015 one Bitcoin transaction required the same amount of electricity as powering 1.57 American households for one day.
Stay tuned for Part 2, in which we’ll cover blockchain and IoT further.
Download “When the Bots Come Marching In, a Closer Look at Evolving Threats from Botnets, Web Scraping & IoT Zombies” to learn more.
As the EMEA Cyber Security Evangelist for Radware, Pascal helps execute the company's thought leadership on today's security threat landscape. Pascal brings over two decades of experience in many aspects of Information Technology and holds a degree in Civil Engineering from the Free University of Brussels. As part of the Radware Security Research team Pascal develops and maintains the IoT honeypots and actively researches IoT malware. He discovered BrickerBot, provided the updated Hajime report and follows closely any development and new threats in the IoT landscape. Prior to Radware, Pascal worked with the largest EMEA cloud providers on their SDN and next gen data center strategies as a consulting engineer for Juniper. As an independent consultant Pascal architected sensor networks, automated and developed PLC systems and lead security infrastructure and software auditing projects. At the start of his career he was a regular presenter at IBM conferences for Perl and Unix kernel development.