How Blockchain is the Key to a Secure IoT

IoT cybersecurity is a complex problem, one that many experts are willing to discuss but not many engineers are not willing to tackle. But as blockchain, the underlying technology behind Bitcoin, seeks a home outside of the clandestine world of crytocurrency, it may find its greatest application in providing a desperately needed way of securing our smart factories, smart homes, and other IoT networks.

In a talk at Arm TechCon 2017, Ben Smeets, a Senior Expert in Trusted Computing at Ericsson Research, suggested blockchain as the solution to the increasingly labyrinthine task of securing an ever-increasing number of connected devices. Securing IoT, he said, will require engineers to rethink how we think of digital identity. We cannot rely on simple username/password protection to verify the ID of people and devices. Think of how many logins you have for different web services and devices such at WiFi routers already and you can see how unscalable and unruly the problem gets as the number of devices and networks increases.

Smeets and his team at Ericsson Research have proposed a new way of looking at digital Ids they call “ID Brokering.” “[With ID Brokering] identity is not the credential itself. It is the description of the link between the identifier and its credential,” Smeets said. If you use Google, Facebook, or any other single sign on service you've seen the convenience of having one login to access multiple services. It's great for humans, but not so much for devices, Smeet said. What's more, there's only one level of security – if someone gains access to one system they have implicit access to every system by virtue of the single login. A glaring issue like this is what allows cyberattacks like the 2016 Mirai malware attack, which targeted and hijacked IoT devices, to happen. If devices only need one level of verification to access a network, then who's to believe they aren't doing what they're supposed to if their credentials check out?

The solution for Smeets and his team though is not to pile on extra layers of authentication, but rather to distribute them. And that's where blockchain comes it. Because the blockchain functions via a distributed and encrypted ledger shared across all of a network's users and devices, it creates a network of authentication that is verifiable and not easily hacked. With blockchain implemented, a device cannot access a network unless it is verified through the entire ledger. In this scenario attacks like Mirai become significantly more difficult, if not impossible, because a hacker would need to modify the entire ledger, and not just the credentials of any one device.

Ericcson Research demonstrated a proof-of-concept of this idea at the 2017 Mobile World Congress in Barcelona this past March. The researchers set up a small WiFi network that used blockchain authentication instead of a typical username/password setup.

Other use cases are also emerging. Also speaking at Arm TechCon, Qiang Li, VP and Chief Scientist at CloudMinds Technology, a cloud-based artificial intelligence and robotics startup, discussed his company's use of a blockchain-based authentication system for its cloud-distributed AI platform. The company's Human Augmented Robotic Intelligence (HARI) platform is a human-in-loop AI system in which artificial intelligence acts as the main control of a robot or device, but can also switch to a human agent in real time when it is needed. A robot performing a repair for example, could turn itself over to human control when it is unsure how to complete a task, then learn from the human operator to better train itself to perform the task autonomously in the future. Li said that security has become a top concern for Cloudminds as it develops its technologies.

“When you have a robot in every home security will be an issue,” Li said. “Devices will need to be authenticated to connect to cloud-based AI.” To this end Cloudminds has been experimenting with blockchain-based authentication as well as implementing another function of blockchain, smart contracts, to help automate tasks within a network.

Smart contracts are automated tasks that are performed only when the ledger verifies it to be authentic. In a typical network device B may be programmed to perform a task once device A is done with its own. Easy enough, but again security issues come into play if someone starts pretending to be device A or starts having device A tell B to perform some task it isn't supposed to. Imagine a hospital network in which devices, like a wireless infusion pump, may be instructed to administer medications or life-saving treatment based on certain conditions and you can envision how serious a threat this could be.

“Smart contracts can make blockchain function as your operating system,” Li said. Not only could devices accessing the AI be secured, the actions they perform could also be secured using smart contracts. By implementing a smart contract a device's action would have to be verified by the entire blockchain ledger before it could be performed.

Blockchain's security applications have been gaining traction the past two years. In the March 2017 issue of the Journal of Supercomputing, researchers from Sangmyung University in Cheonan Republic of Korea published a paper outlining a scheme for using blockchain technology to verify firmware updates. In a 2016 paper researchers from the UNSW Sydney School of Computer Science and Engineering detailed a use case of utilizing blockchain to secure a smart home network.

That said, blockchain implementation is not without its challenges. In a 2017 paper presented at an international conference on Internet of Things, Big Data and Security in Porto, Portugal, Paul Fremantle, a research student at the University of Portsmouth School of Computing, outlined some specific challenges with implementing blockchain for security. “A significant concern is the inability to process blockchains on small devices,” the paper says. Having a ledger distributed across potentially thousands (someday maybe even trillions) of devices and sensors requires a great deal of code and processing power to work seamlessly, and that's simply a task that some devices, particularly older IoT devices are not equipped to handle. Some, like the UNSW Sydney have made their own suggestions on how to solve this, such as a network design that intermixes different flavors of blockchain. But Fremantle has proposed creating a middleware that acts as a bridge between the blockchain and IoT devices, offloading the heavy processing work to the middleware instead of the devices themselves.

Blockchain security is still in its infancy and no real-world implementations have hit the market. But if the conversation around IoT security has been clear about one thing, it's that IoT brings a new set of security issues that will require a new way of thinking. Perhaps the solution to securing IoT isn't to lock devices behind digital iron gates, but instead to let the security be distributed.

Chris Wiltz is a Senior Editor at Design News, covering emerging technologies including AI, VR/AR, and robotics.