How Blockchain Can Protect IoT Devices

Uploaded on 2018-09-05 in TECHNOLOGY-Key Areas-Blockchain, NEWS-Cybersecurity News, FREE TO VIEW, TECHNOLOGY--Developments, TECHNOLOGY-Key Areas-Internet of Things

The world is full of connected devices — and more are coming. In 2017, there were an estimated 8.4 billion internet-enabled thermostats, cameras, streetlights, and other electronics. By 2020 that number could exceed 20 billion, and by 2030 there could be 500 billion or more.

Because they’ll all be online all the time, each of those devices — whether a voice-recognition personal assistant or a pay-by-phone parking meter or a temperature sensor deep in an industrial robot — will be vulnerable to a cyberattack and could even be part of one.

Today, many “smart” internet-connected devices are made by large companies with well-known brand names, like Google, Apple, Microsoft, and Samsung, which have both the technological systems and the marketing incentive to fix any security problems quickly. But that’s not the case in the increasingly crowded world of smaller internet-enabled devices, like light bulbs, doorbells, and even packages shipped by UPS. Those devices, and their digital “brains,” are typically made by unknown companies, many in developing countries, without the funds or ability — or the brand-recognition need — to incorporate strong security features.

Insecure “internet of things” devices have already contributed to major cyber-disasters, such as the October 2016 cyber attack on internet routing company Dyn that took down more than 80 popular websites and stalled internet traffic across the US. The solution to this problem, in my view as a scholar of “internet of things” technology, blockchain systems and cybersecurity, could be a new way of tracking and distributing security software updates using blockchains.

Making Security a Priority

Today’s big technology companies work hard to keep users safe, but they have set themselves a daunting task: Thousands of complex software packages running on systems all over the world will invariably have errors that make them vulnerable to hackers. They also have teams of researchers and security analysts who try to identify and fix flaws before they cause problems.

When those teams find out about vulnerabilities (whether from their own or others’ work, or from users’ reports of malicious activity), they are well positioned to program updates, and to send them out to users. These companies’ computers, phones, and even many software programs connect periodically to their manufacturers’ sites to check for updates, and can download and even install them automatically.

Beyond the staffing needed to track problems and create fixes, that effort requires enormous investment. It requires software to respond to the automated inquiries, storage space for new versions of software, and network bandwidth to send it all out to millions of users quickly. That’s how people’s iPhones, PlayStations, and copies of Microsoft Word all stay fairly seamlessly up to date with security fixes.

None of that is happening with the manufacturers of the next generation of internet devices. Take, for example, Hangzhou Xiongmai Technology, based near Shanghai, China. Xiongmai makes internet-connected cameras and accessories under its brand and sells parts to other vendors.

Many of its products — and those of many other similar companies — contained administrative passwords that were set in the factory and were difficult or impossible to change. That left the door open for hackers to connect to Xiongmai-made devices, enter the preset password, take control of webcams or other devices, and generate enormous amounts of malicious internet traffic.

When the problem — and its global scope — became clear, there was little Xiongmai and other manufacturers could do to update their devices. The ability to prevent future cyber attacks like that depends on creating a way these companies can quickly, easily, and cheaply issue software updates to customers when flaws are discovered.

A Potential Answer

Put simply, a blockchain is a transaction-recording computer database that’s stored in many different places at once. In a sense, it’s like a public bulletin board where people can post notices of transactions. Each post must be accompanied by a digital signature, and can never be changed or deleted.

I’m not the only person suggesting using blockchain systems to improve internet-connected devices’ security. In January 2017, a group including US networking giant Cisco, German engineering firm Bosch, Bank of New York Mellon, Chinese electronics maker Foxconn, Dutch cybersecurity company Gemalto, and a number of blockchain startup companies formed to develop just such a system.

It would be available for device makers to use in place of creating their own software update infrastructure the way the tech giants have. These smaller companies would have to program their products to check in with a blockchain system periodically to see if there was new software. Then they would securely upload their updates as they developed them. Each device would have a strong cryptographic identity, to ensure the manufacturer is communicating with the right device. As a result, device makers and their customers would know the equipment would efficiently keep its security up to date.

These sorts of systems would have to be easy to program into small devices with limited memory space and processing power. They would need standard ways to communicate and authenticate updates, to tell official messages from hackers’ efforts. Existing blockchains, including Bitcoin SPV and Ethereum Light Client Protocol, look promising. And blockchain innovators will continue to find better ways, making it even easier for billions of “internet of things” devices to check in and update their security automatically.

The Importance of External Pressure

It will not be enough to develop blockchain-based systems that are capable of protecting “internet of things” devices. If the devices’ manufacturers don’t actually use those systems, everyone’s cybersecurity will still be at risk. Companies that make cheap devices with small profit margins, so they won’t add these layers of protection without help and support from the outside. They’ll need technological assistance and pressure from government regulations and consumer expectations to make the shift from their current practices.

If it’s clear their products won’t sell unless they’re more secure, the unknown “internet of things” manufacturers will step up and make users and the internet as a whole safer.

Inverse:

You Might Also Read:

A Guide To Addressing Corporate IoT Security

« US Army Upgrades Cyber Protection Training
Trump Relaxes US Cyber Attack Rules »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

RU-CERT

RU-CERT

RU-CERT is the CSIRT / CERT team of the Russian Federation.

Firebrand

Firebrand

Firebrand is the leader in Accelerated Learning in the field of IT and project management.

Luxar Tech

Luxar Tech

Luxar's network visibility products enable enterprises and service providers to monitor network traffic, improve security and optimize efficiency.

Dionach

Dionach

Dionach are a certified information security specialists who provide Penetration Testing, IT Security Auditing and Information Security Consultancy.

Zettaset

Zettaset

Zettaset’s XCrypt Data Encryption Platform delivers proven protection for Object, Relational/SQL, NoSQL, and Hadoop data stores…in the cloud and on-premises.

Cyjax

Cyjax

Cyjax monitors the Internet to identify the digital risks to your organisation, including cyber threats, reputational risks and the Darknet.

Gospel Technology

Gospel Technology

Gospel presents a totally new way of accessing and controlling data which is enterprise grade scalable, highly resilient, and secure.

Cyfirma

Cyfirma

CYFIRMA offers Cyber threat visibility and intelligence suite and services aimed at keeping your organization’s cybersecurity posture up-to-date.

Global Lifecycle Solutions EMEA (Global EMEA)

Global Lifecycle Solutions EMEA (Global EMEA)

Global EMEA provides full lifecycle services to corporate Clients covering procurement, configuration, support, maintenance and end-of-life asset management.

ChainSecurity

ChainSecurity

ChainSecurity provides products and services for securing smart contracts and blockchain protocols and conducts R&D in the areas of security, program analysis, and machine learning.

Startupbootcamp Fintech & Cybersecurity

Startupbootcamp Fintech & Cybersecurity

Startupbootcamp is the world’s largest network of multi-corporate backed accelerators helping startups scale internationally.

Infopercept Consulting

Infopercept Consulting

Infopercept is a leading cybersecurity company in India, providing a critical layer of security to protect business information, infrastructure & assets across the organization.

IT Acceleration

IT Acceleration

IT Acceleration is a full-service IT management and support, IT compliance and Digital Forensics company.

Redbot Security

Redbot Security

Redbot Security provides industry leading manual penetration testing. Protecting critical systems and data - red team attack and breach simulations, (OT) critical infrastructure testing.

CAT Labs

CAT Labs

CAT Labs is building digital asset recovery and cybersecurity tools to enable governments to fight crypto crime and to protect investors from hacks, fraud and scams.

TAFEcyber

TAFEcyber

TAFEcyber is an Australian based consortium focusing on the skilling of the fast-growing cyber security workforce through education and training.