How to terminate an unsecure IoT device.
In our last post we talked about smart contract security. Our theory is that a community investment in smart contract security might lead to an IoT industry that can deploy devices with cheap but highly secure software. In our Chain of Security group we have looked into this area in more detail. Our partner Sensify said that the challenge with the recent DDoS attacks using IoT (Mirai attacks) is that they exploit the vulnerabilities in the firmware of the devices without changing the firmware.
Therefore any system that tries to monitor changes in firmware for example firmware hashing would be largely ineffective. (Firmware hashing is a notion we have at Chain of Things of manufacturer’s hashing the firmware of a device and the buyer of a device hashing their firmware and if there is a match then the firmware has not be tampered with in transit.) But can blockchain technology make it impossible for a hacker to get into a device through malware or similar? Speaking in our Chain of Security group last week we thought that if a blockchain could manage access to devices then it might be effective in preventing hacks of unsecure devices.
How could that work?
You would register your DVD player and all your local devices with a blockchain ‘hub’ device (Blockchain Hub) and the Blockchain Hub would manage incoming/outgoing communications with the local devices. The Blockchain Hub would effectively become the router for all your devices. In the event that malware comes into a home and wants to take over a washing machine or security camera then it has to seek approval from the Blockchain Hub before being allowed to communicate with the washing machine.
What is significant is that Blockchain Hub would be controlled by an immutable piece of code namely a smart contract. So it would not be possible for a hacker to change the Hub code in order to get past it. That sounds good but there would be no point in going to the pains to setting up a Blockchain Hub if it increases the costs of achieving IoT security. The reason there is a lack of security in IoT is not because secure technology is not there. No. It is because in the world we live in greater security of a device increases its cost. To achieve ubiquitous security for low grade IoT devices you need to reduce the cost of embracing security to zero so that it is not an economic choice involved for the manufacturer to decide on whether to use a secure system or not.
The latest exploitation of unsecure devices is the Mirai attack. Under this form of attack a botnet takes over unsecure devices and turns them into zombie computers. As a result the malware is able to command the devices to do DDoS attacks on specific servers. Cameras and low end IoT devices are prime targets for Mirai attacks. As said above the Mirai attack does not involve any change of the device firmware, as essentially the Mirai attack involves the silent takeovers of devices.
To remedy this problem the obvious answer is to say ban unsecure devices or prohibit unsecure devices from connecting with ISPs. Another way to address this issue is to use the law proactively to initiate class actions against the device manufacturers with claims such as gross negligence. All three ideas have their merits but are largely unproven.
In our view to change an industry the incentives have to be aligned. For manufacturers to want to shift over to using better security you need to give them the ‘carrot’. The carrot in this instance is a no-brainer business decision which is to the effect that using a secure system does not increase costs but it does have the bonus of potentially reducing legal liability, regulatory and reputational hazards. With that type of ‘carrot’ you would expect to see positive change coming from the manufacturers.
So the hardest question now is how on earth can you increase device security but at the same time have zero effect on costs. In our view it can only happen with a combination of a blockchain technology that everyone decides to use, economies of scale and extremely active open source communities. The key about blockchain is that it is open-source and the costs of maintaining the system are shared by all stakeholders. This means with a big enough community behind a blockchain you can afford to plug all the security issues in the system. In addition when security issues arise they can be identified and addressed almost instantaneously. And once addressed then all blockchain users are updated in real-time. The result is that if you have a very active community behind a blockchain then through economies of scale the unit cost of using the system is low if not trivial.
Let’s look at an example surrounding how that could apply to the Blockchain Hub. The example below is that of a blockchain operating system for the Blockchain Hub built from set of smart contracts (Blockchain OS)
However before we look at this further let’s revisit the notion of smart contracts. Blockchain technology allows for the creation of small pieces of code (with bitcoin it was payment instructions) and now with other protocols it is more complex pieces of business logic that auto-execute. The key principle of a smart contract is that the code is immutable (cannot change) and that it auto-executes in a basic ‘if this happens then do this’ manner.
What is relevant about a smart contract in relation to a Blockchain Hub device is once you have the operating system of the Blockchain Hub as a smart contract (Blockchain OS) then no-one - once the smart contract has been deployed - will be able to change the code. It is this feature of immutability on a distributed ledger that keeps bitcoins safe from hackers. You could use the same feature to manage communications to devices whether secure or unsecure.
So the theory here is that we would create an operating system for Blockchain Hubs out of smart contracts. But for it to even potentially be useful you would need a huge community behind the Blockchain OS building and testing the smart contract code. If that were possible then we can potentially come close to the idea of achieving universal device security without increasing the unit cost per smart contract deployment. In fact under this system it wouldn’t matter if any device was unsecure. It would just matter that the device is controlled by a Blockchain Hub which would be unbreakable.
Let’s look at how a Blockchain Hub device would fare if Mirai was trying to turn your house appliances into zombies.
What could a Blockchain OS do?
One thing it could do is be able to respond to a global event effectively. For example if a certain brand of DVD player is vulnerable to hacks the manufacturer could taint the blockchain accounts for each of their DVD players. The Blockchain OS would pick up that the DVD players have been tainted. As such the Smart Contract would not allow incoming or outgoing communications from or to affected DVD players. In other words, the objects would be ‘blacklisted’. This notion is similar to a ‘recall’ of a car or phone but with ‘teeth’. Samsung says return your Note7 and get a refund. However there is no way of stopping someone from using a Note7 if they want to. Here however the Blockchain OS would enforce the ‘recall’, effectively terminating the device.
These are just concepts of course and will need a lot more working out before they could become viable. Not least because smart contracts have their own security related issues. At the moment the type of smart contract languages available involve complicated layers of business logic. Hackers find ways of spotting vulnerabilities within smart contracts. Until smart contracts on Ethereum can be secured the alternatives are to run the logic on a private network, ensure there is a ‘kill switch’ in the contract or use less complicated smart contract logic systems. On the latter point an alternative smart contract language being suggested at the moment is ‘cryptoconditions’ and the BigchainDB instance called Simple Contracts. Cryptoconditions have only a ‘if and then’ piece of logic without any recursive functions. Therefore they limit damage if something does go wrong.
In conclusion the idea of Blockchain OS is an interesting beginning of a conversation. But what is needed is a huge open source community to come together to write the code to manage these functions and devise a protocol to allow for the ‘termination’ of devices. That is a tall order but is maybe work worth doing, especially if Mirai is not a new attack but as Senator Mark Warner said ‘unprecedented in scale’.