Over the years, IoT has received much praise from both large enterprises and individual consumers. However, the mass adoption of this new technology gives rise to many security concerns. To put it simply, every ‘thing’ connected to the ‘internet’ is a potential security threat to the whole network. The San Francisco-based IoT conference, Internet of Things World, surveyed over 100 IoT enterprise leaders and revealed that security and implementation are the top two categories of challenges for the technology adoption.
According to the 2020 Unit 42 IoT Threat Report, currently 98% of IoT device traffic is unencrypted, meaning that the absolute majority of confidential and personal data on the network is extremely vulnerable to cyber-attacks. Moreover, 57% of IoT devices can be easily exploited by hackers as they are vulnerable to medium-severity attacks. Given the advantages of IoT and its exponentially growing popularity, it’s critical to re-examine how we approach security management of IoT devices and networks.
But first, what exactly is wrong with the existing security architecture used by IoT manufacturers, and is there a way for internet of things developers to address is effectively?
Connected devices are designed principally for users’ convenience: they enable easy network access, which is usually automatic or by entering user credentials. This allows people to use their devices easily from anywhere in the world. At the same time, this opens numerous doors for cybercriminals, who can access internet-connected devices and steal personal information, such as financial data or sensitive medical information.
Paradoxically, most consumers are aware of these vulnerabilities of IoT devices and yet are willing to sacrifice security for the sake of convenience. Probably the most notable example of this trade-off is smart speakers often used in IoT home automation, such as Amazon Echo and Google Home. Although both companies’ employees admittedly listen to users’ conversations for the purpose of improving the services, this barely impacted the sales figures of these devices.
For example, a couple living in Milwaukee has suffered a privacy-breach incident that reminds a scene from a horror movie. A cybercriminal took over their smart home system, played disturbing music loudly, talked to them via a camera, and changed the room temperature to 32 degrees Celsius. Although this was a relatively harmless act, such incidents are becoming more common and should raise major red flags. At the end of the day, a regular consumer’s privacy is a low-hanging fruit for hackers. Until users’ information is stolen and misused, most consumers seem to be not bothered at all.
From a business perspective, time to market is a critical metric in today’s competitive reality. Unfortunately, ensuring stability and security of the devices comes second. For example, the Global Print Security Landscape report reveals that in 2019 an astounding 60% of businesses in the UK, France, and Germany have been hacked through printers, which led to more than $400,000 in losses.
Currently, IoT uses a client/server model, or a centralized model of networking. IoT devices use a single gateway to transfer data between them and connect through a cloud server. This model has been utilized over the last decades, but it is no longer suitable for the increasing number of IoT devices and the volumes of data they share. The centralized architecture has a number of shortcomings:
The Mirai incident is one of the examples proving that the centralized model is not reliable. Being the largest DDoS attack ever, Mirai caused a temporary failure of many popular websites, including Amazon, Reddit, CNN, Netflix, the Guardian, Twitter, Spotify, and GitHub. The Mirai botnet first attacked Dyn, a popular DNS provider, and then the internet’s biggest websites through the unprotected network. As a result, the companies lost millions of dollars and their reputation was compromised.
Blockchain—a decentralized distributed ledger—is a revolutionary technology that could become the key to overcoming IoT security challenges. A blockchain-based approach to IoT networks may solve many of the problems faced with the current model and improve security.
The following features make blockchain an effective weapon in combating IoT cyberthreats.
In a blockchain ledger, data is stored on various nodes all over the world, which eliminates the single point of failure. Before adding any data to the network, all nodes must approve and verify it. Thus, no change is allowed without a common agreement from all of the network participants. This approach is named peer to peer communication and is intended to protect blockchain transactions from malicious parties. Since there is no single server, there is no chance of a man in the middle attack, when hackers can grab the information sent between a server and a device.
Blockchain is public, which means that it’s accessible to everyone in the network. All network participants can see the common history of stored blocks and transactions, but they need a private key to see the content. This gives a complete transparency to all operations and keeps data safe at the same time. Once a piece of information is stored on a blockchain, it is impossible to change it.
Blockchain uses advanced encryption algorithms to secure data, which makes it more private. This is done primarily for financial operations to be carried out without risks. Using the blockchain model, IoT devices may send and receive messages in the same way as financial transactions to enable secure data communication between connected things.
The application of blockchain in IoT security enables a direct information sharing between connected devices instead of communication via a centralized network, thus decreasing the susceptibility of IoT to cyber-threats. Currently, the highest rate of blockchain adoption among IoT-enabled businesses in the US is seen in pharmaceuticals, transportation and energy sectors, according to a Gartner survey . All these industries rely on transportation of physical goods, and the majority of companies that have successfully adopted blockchain are veterans of the IoT industry.
Perhaps the most promising way of successfully combining the two technologies is to install chips in every IoT device. For example, the alliance of Ubirch, a blockchain-anchoring security specialist, G+D Mobile Security, and IoT carrier 1NCE has developed an IoT security service that leverages the power of blockchain and sensor-embedded chips to significantly increase security. Data no longer travels from sensors to the cloud to be approved, which single-handedly eliminates the possibility of the ‘man in the middle’ type of hacking attacks. Now the information is sealed by a private key directly on the device and is anchored in a public blockchain, which means that data about every access to a particular sensor is forever recorded on a ledger. Adopting smart contracts for this purpose also opens up more opportunities for enhancing
Such applications of blockchain and enterprise IoT can also significantly increase standards in other industries such as pharmaceuticals and food. For example, many medical machines have to be kept under regulatory-approved temperatures. IBM’s Food Trust has been in the works for a few years already, but IoT sensors can bring even more exciting opportunities when combined with blockchain.
IBM and Samsung have developed a PoC for a blockchain‑enabled IoT system called ADEPT (Autonomous Decentralized Peer‑to‑Peer Telemetry). It uses smart contracts and peer-to-peer messaging to create a distributed IoT network. ADEPT may find its application in a smart home, where a Samsung washing machine, for example, can become a semi-autonomous device capable to perform self-service and maintenance. If the machine goes out of order, it will notify operator about the breakage and install software updates on its own. Using ADEPT, the washing machine can communicate with other smart devices in a network to optimize energy efficiency. For instance, it may postpone a cycle of washing for several hours if the TV is on. Moreover, it allows the machine to manage the supply of detergent it uses: pay for the order itself and receive a delivery confirmation from the retailer. The washing machine’s owner then will receive a notification about the purchase on the smartphone. This is less futuristic than it may sound, and the systems similar to ADEPT may gain the market soon.
Chronicled, a self-proclaimed IoT and blockchain laboratory, applied a combination of these two technologies to pharmaceutical supply chains. The developed solution allows drug makers, wholesalers, and hospitals to monitor each step of drug shipment and makes it difficult for criminals to unload stolen medicines.
By utilizing a secure IoT platform, [Chronicled is] also able to attest to the quality levels of the drugs and to ensure that these drugs do not fail during the supply process, which could impact the efficacy when taken by the patient.
Although there are many advantages of adopting blockchain for IoT security, the technology is far from perfect. Being a technology enabler for Bitcoin, blockchain does its job well in the cryptocurrency realm: protecting sensitive financial data when moving currency from one person to another. However, IoT implies control over a network of devices, where multi-layered security has to be put in place.
One of the major roadblocks on the way to adoption is paradoxically linked to one of the proposed advantages of blockchain: every action on the network has to be approved by other network participants for it to go live. For example, in case of an obvious security breach through one of the connected devices, denying access to that device would significantly decrease the negative impact of spreading the malware. On a bigger scale, with thousands of ‘things’ connected to a large network, it can be difficult to receive consent from the majority of entities.
It could seem that this can at least be implemented for smaller systems like smart homes. Unfortunately, another challenge emerges: home devices don’t usually have enough computing power to maintain a blockchain.
There is no easy way to address this challenge, but a custom blockchain platform can be a solution. Blockchain developers have to ensure that corrupted devices could be instantly eliminated from the network without the need for a conventional blockchain consensus. Organizations should thoroughly investigate their privacy requirements and choose a proper blockchain type or request the development of a custom one until ready-made solutions appear on the mass market.
The security of IoT devices and networks is a complex problem requiring a comprehensive approach and creative solutions. One possible way of enhancing security and reliability within an IoT ecosystem is the application of blockchain technology.
By decentralizing IoT networks with blockchain and eliminating single points of failure, connected devices get additional protection and become less vulnerable to malware and other attacks. Other advantages of a decentralized IoT infrastructure include more autonomous operations and lower costs of network and infrastructure maintenance.
However, blockchain is not a panacea for all IoT security challenges. To authenticate and protect the fast-growing network of connected devices, a well-thought-out strategy and a combination of several approaches to IoT security are necessary.