The many roles of Block chains in the Internet of Things March 08, 2018 Security Heavy Reading    0 Comments

Image source

In layman terms, a “blockchain” (or blockchain) is a technology concept that enables transactions between one or more entities who don’t inherently trust each other.  It does this without requiring a central authority to assert trust and as a bonus, it also allows for a complete history of transactions to be traced back to the source at any point in time.

Let’s translate this into a concrete example. Blockchains allows many users to buy/sell products with digital currency without requiring a bank to authorize payment. The technology inherently is able to identify and discard commonly occurring fraudulent situations like, for example, a person giving another person “digital cash” he or she does not really have. Further, should some form of payment discrepancy occur in the future, anyone using this technology can trace back all the transactions to find out the history that led to this situation without, again, requiring a central authority.

The example above relates to how “digital currency” can be used as an application leveraging blockchains. Indeed, this is what bitcoin is all about (Satoshi Nakamoto’s now famous 2009 paper [1] introduced this concept in its entirety on how blockchains could be used as a replacement to the current flaws in our currency economy). While this concept was not new [2] it gained a lot of popularity as it took a more novel approach to address known attacks compared to other solutions.

Given that “currency” was the first application of blockchain, a lot of people associate the core technology (blockchain) with a specific application of it (currency, aka bitcoin).

However, the technology community understood the much wider applicability of this distributed trust system and since then, blockchains have been proposed, and indeed adopted in many other verticals [3] that have similar issues of trust, verification, and traceability.

This brief paper will talk about how blockchains can be effectively used in IoT Networks

Characteristics and Pain-Points of an IoT Network

For the scope of this paper, an “IoT Network” is a system comprising of a few or many sensors devices and network servers, somehow connected to form a network where they can exchange data with each other as required to be able to provide specific value-added services. For example, “Amazon’s Alexa System” is an “IoT Network” comprising of Alexa-enabled voice gateways, bridges to talk to sensors like room temperatures, fans as well as complex devices like cars [4] for the purpose of providing a “Home Assistant service” that can enable consumers to control all aspects of their home just by speaking. There are many other examples of IoT networks like an “IoT Network” that monitors agricultural produce for crop damage (via image analytics, weather sensors, etc.), or an “IoT Network” that helps our military perform search and rescue (via communicating drones, heat sensors, etc).

In discussing any new approach for a system, it is useful to first understand the pain points being faced and then see if the solution we are proposing helps in addressing the problems in any tangible way. This section will briefly touch upon the key characteristics of an IoT network:

1. Lack of Scalability of Role/Validation of actors and transactions: An IoT Network grows exponentially over time [5, 6] which means a traditional “Client Server” architecture which involves central authorities to manage interactions is a challenge to scale, especially if they need to be involved in every transaction

2. Insecurity & Cost of Security: IoT networks are nascent and its security infrastructure has not played catchup with its deployment [6][7] [8] SSL, which is an underlying encryption technology for the wider internet and also used in IoT has had very serious compromises [9] [10] [11] and PKI based digital certificate systems are both expensive, assuming we don’t use self-signed certificates and lead to centralized point of compromise [12]

3. Centralized Authorities are always vulnerable: Centralized IoT authority servers have been hacked in the past and will continue to be hacked going into the future resulting in complete device compromise [13][14]

4. Tangible damage: IoT command and control messages affect tangible resources, the wrongful/malicious use of which can result in non-trivial damage - such as overheating a thermostat, hacking into video footage inside a private home for illegal surveillance, remotely controlling an internet-enabled car, and more. In cases of Industrial IoT, potential damages may result in power grid loss for cities, public transport derailment, and many other widely impactful situations.

There are many other characteristics and pain points, but for the scope of this paper, let us discuss more on the adoption of Blockchains in IoT networks

Blockchains to solve some of IoT Network Pain points

1. Scalability and role/transaction validation: A blockchain by nature is distributed. There is no single central authority that manages user credentials or roles. In a Blockchain network, any Full Node[15] always has a complete list of all ‘blocks’ which includes not just a history of all past transactions but also “rules” (often referred to as “consensus rule” which networks like Ethereum have extended to more powerful ”smart contracts” that introduce a complete programming paradigm for complex rules) that dictate what a specific entity or transaction’s limits are. This means as the network increases, we can also scale up the number of Full Nodes and in the event one or more full nodes go down, others can take over and they all have the same data to validate. This makes blockchains’ distributed authority inherently scalable. The fact that all Full Nodes can validate transactions also makes the process of transaction validation scalable and fault resilient
2. Insecurity & Cost of Security: While these are two different issues, they often go together. As the number of IoT devices grow, its gets increasingly more expensive to purchase trusted certificates for each device (or gateway). The other alternative(s) are to use self-signed certificates (inherently insecure [16]) or to deploy locally hosted CAs which establish trust in its own domain. These are often considered to reduce cost. The problem with locally hosted CAs however is the fear of liability if there is a breach. Compare this to Blockchains – they are inherently very hard to compromise. There are a few reasons for this – first, each time a block is created, the “effort” to create the next block (often called “Proof of Work”[17]) increases significantly to a point where it’s often not worthwhile to try and hack the system relative to the computation required. In other words, even if you consider deploying a private blockchain from scratch, as the participating nodes increase, the network becomes very secure without the associated financial costs. It is important to note that blockchain security only helps to identify and eliminate “fraudulent” or “rogue” entities that try and manipulate existing trust chains. It doesn’t help much in eliminating malicious attacks from buffer over/underflows or software bugs, for example.
3. Centralized Authorities are always vulnerable: This should be obvious by now – there are no centralized authorities in Blockchain. Each Full Node can serve as a Centralized Authority (CA). Even if some CAs were compromised, the blockchain network will recognize this compromise and quickly re-organize itself to discard this node. For example, if Full Node A (FNA) were compromised and it generated a fake block, or successfully modified a previous block, over a short period of time, other Full Nodes would compare this generated chain with their own copies and would reject this compromised chain
4. Tangible damage: With all the focus on cryptocurrencies and how block-chains avoid “double-spending”[18], another very useful feature of blockchains is often not discussed in as much depth, and that is of “Smart Contracts” [19]. Smart Contracts are essentially a set of “rules” that need to be met before a transaction is allowed. This goes beyond Let’s construct a hypothetical example – let’s assume you have a Nest Thermostat that can be controlled by a remote control mobile app. We can set up a “Smart Contract” between the remote app and the “Thermostat” that says, “the app is not able to change the heat beyond 80F”. This is a very simple contact example. In reality, a contract is a full programming language and one could create multiple rules including multiple authorization entities (called multi-signature transactions) before a transaction is allowed. One example of a contract language is Solidity [20] which is used in Ethereum [21]. An example of how smart contracts can be applied to finely control a connected car, for example, is described here [22] where the author describes how one can use smart contracts to rent cars and limit what users can do with them.

Issues with Blockchains

Are blockchains therefore ideal for IoT security? That would be a Yes and No. There are inherent issues with blockchains that cause issues in IoT which need to be resolved. Indeed, many of these issues are already being addressed and IoT networks of today are proposing modifications to Blockchains that are more applicable to these networks, such as HDAC [22]

Some of the issues that are being dealt with:

1. It takes too much computation to generate the next block and over time, it only gets harder. This makes it hard to deploy in an IoT network with low powered devices. There is already work that migrates from “Proof of Work” to “Proof of Stake” [23] which reduces the complexity but also reduces the fully de-centralized decision process
2. In the current specifications, “confirming” a block takes too much time (originally around 10 minutes in Bitcoin). This is obviously impossible in IoT networks. However, there have been many modifications to this – for example, Ethereum takes 10-15 seconds and there are further works to reduce this more [24].
3. Blockchains are susceptible to certain attacks [25], so just deploying block-chains is not an “end-all” solution to security. Vendors still need to look at blockchains as part of a larger problem. Admittedly, this is not really an “issue” with this technology, but we’ve seen customers who look at blockchains as their silver bullet. It’s not.

HSC’s role in IoT security and blockchains

Blockchain based private and public networks have become an important part of distributed trust and security in the IoT powered network. HSC works with ISVs/OEMs and Service Providers alike, helping them engineer and customize solutions around block-chains. Some areas of focus are:

• Developing private Blockchain networks, leveraging tools like Blockchain DB
• Implementation of Smart Contracts for B2B transactions (using Solidity/others)
• Enhancing digital certificate management with blockchains as opposed to a centralized server
• Integration of CRMs, ordering and booking systems with backend blockchains for supply chain management
• Improving/optimizing blockchain protocols/puzzles for blockchains to meet specific business needs, such as faster processing, better interoperability

Works Cited

1. S. Nakamoto, "Bitcoin: A Peer-to-Peer Electronic Cash System," [Online]. Available: https://bitcoin.org/bitcoin.pdf.
2. "Bit gold," [Online]. Available: http://unenumerated.blogspot.com/2005/12/bit-gold.html.
3. "17 Blockchain Applications That Are Transforming Society," [Online]. Available: https://blockgeeks.com/guides/blockchain-applications/.
4. "Alexa For Your Car For Under $50," [Online]. Available: https://www.forbes.com/sites/larrymagid/2018/01/11/alexa-for-your-car-for-under-50/#628435f448a1.
5. "Roundup Of Internet Of Things Forecasts And Market Estimates, 2016," [Online]. Available: https://www.forbes.com/sites/louiscolumbus/2016/11/27/roundup-of-internet-of-things-forecasts-and-market-estimates-2016/#3fd81a48292d.
6. [Online]. Available: https://www.forbes.com/sites/louiscolumbus/2016/11/27/roundup-of-internet-of-things-forecasts-and-market-estimates-2016/#3fd81a48292d.
7. H. P. Enterprise, "Internet of things research study," [Online]. Available: http://files.asset.microfocus.com/4aa5-4759/en/4aa5-4759.pdf.
8. "IOT MALWARE ACTIVITY ALREADY MORE THAN DOUBLED 2016 NUMBERS," [Online]. Available: https://threatpost.com/iot-malware-activity-already-more-than-doubled-2016-numbers/126350/.
9. "The Heartbleed Bug," [Online]. Available: http://heartbleed.com/.
10. "SSL 3.0 Protocol Vulnerability and POODLE Attack," [Online]. Available: https://www.us-cert.gov/ncas/alerts/TA14-290A.
11. "FREAK SSL/TLS Vulnerability," [Online]. Available: https://www.us-cert.gov/ncas/current-activity/2015/03/06/FREAK-SSLTLS-Vulnerability.
12. "Comodo hacker: I hacked DigiNotar too; other CAs breached," [Online]. Available: https://arstechnica.com/information-technology/2011/09/comodo-hacker-i-hacked-diginotar-too-other-cas-breached/.
13. "Exposed IoT servers let hackers unlock prison cells, modify pacemakers," [Online]. Available: http://www.zdnet.com/article/exposed-servers-hack-prison-cells-alter-pacemakers/.
14. "Why IoT Sucks (And Why That's Good for Partners)," [Online]. Available: https://rcpmag.com/articles/2017/04/01/why-iot-sucks.aspx.
15. "Full Node," [Online]. Available: https://en.bitcoin.it/wiki/Full_node.
16. "Self-Signed Certificates: Cyber-criminals Are Turning This Strength into a Vulnerability," [Online]. Available: https://www.venafi.com/blog/self-signed-certificates-cyber-criminals-are-turning-strength-into-a-vulnerability.
17. "Explaining blockchain?—?how proof of work enables trustless consensus," [Online]. Available: https://keepingstock.net/explaining-blockchain-how-proof-of-work-enables-trustless-consensus-2abed27f0845.
18. "Irreversible Transactions," [Online]. Available: https://en.bitcoin.it/wiki/Irreversible_Transactions.
19. "What on Earth is a Smart Contract?," [Online]. Available: https://hackernoon.com/what-on-earth-is-a-smart-contract-2c82e5d89d26.
20. "Introduction to Smart Contracts," [Online]. Available: http://solidity.readthedocs.io/en/develop/introduction-to-smart-contracts.html.
21. "The Ethereum Project," [Online]. Available: https://www.ethereum.org.
22. "A Smart Contract for a Smart Car," [Online]. Available: https://hackernoon.com/a-smart-contract-for-a-smart-car-db08eda4bb4f.
23. "Hdac : Transaction Innovation - IoT Contract & M2M Transaction Platform based on Blockchain," [Online]. Available: https://github.com/Hdactech/Hdac/wiki/Hdac-Technical-Whitepaper.
24. "Proof of Stake - is it the future?," [Online]. Available: https://medium.com/@cryptotoid/proof-of-stake-is-it-the-future-42bbd748dbb6.
25. "LSB: A Lightweight Scalable BlockChain for IoT Security and Privacy," [Online]. Available: https://arxiv.org/pdf/1712.02969.pdf.
26. "Can blockchain be hacked?," [Online]. Available: https://itsblockchain.com/can-blockchain-be-hacked/.