IoT and blockchain: a possible improvement in cybersecurity?
7th February 2017 by Marie-Claire Péroux
In this article, you will find an analysis, from a jurist point of view, on the possible resolution of cyber-security threat from the ever-expanding Internet of Things (IoT) or connected objects. The blockchain technology is much discussed as a mean to bring a more secure environment to collect and analyse the tremendous amount of new data (big data) generated by the IoT. You will understand how this peer-to-peer technique could save us from extremely harmful attacks on things directly attached to our physical daily life.
Connected object are brought closer and closer to us and a forward-thinking, ethical attitude to their security is urgently needed.
The problem with IoT and security
The figures do not lie about the importance of the IoT market.
It is expected to reach staggering numbers in just a few years.
A report [1] by Business Insider mentioned for example that about 34 billion, (billion...), connected “things” will surround us by 2020.
The connected things are already present in the industrial processes.
More importantly, because of the possible physical harm to humans, they are more and more present in our daily life, in our homes.
The connected things aimed at private persons [2] pose an important security problem.
Many new connected objects, which are only as many computers surrounding us, open many new entries to violations from cybercriminals.
The multiplication of these port of entry into data collection has not been followed by a concerted and well-engineered process in security.
Many of the connected apparels sold to the general public do not content an effective protection against cyberattacks.
Many products did not even bother to open the possibility of security patches in time of use. Objects are quickly put to the market to participate in the commercial race to sell cheap (not always) “things” with features not always that valuable to the consumers.
The latest large scale cyber-attack [3] was made though IoT which had not been correctly protected by the producer and the users.
The damages were just a taste of what is to come with the already expanding market of IoT.
When the objects, little computers in fact, come closer to human’s, security becomes more urgent.
The effects could be devastating, even with deaths, crimes committed directly through unseeingly harmful objects we already see in our daily life.
An example?
Among many, a hotel in Austria [4] was just ransomed by cybercrimals who could lock the hotel guests in their rooms.
Imagine this sort of attack in a fully connected house where the locks, the windows, the shutters, the communication system is handled by connected things?
This is not farfetched.
Why would former Vice-president of the USA Dick Cheney disable his connected pacemaker? [5]
This article is written in 2017 and nowhere do we see the consumers asking for more security of their personal information they give non-stop to their health devices, their home “butler” 6 like the newly released Amazon ECHO [7] tied to ALEXA, a cloud based voice recognition service based on artificial intelligence like SIRI, Apple’s voice assistant.
The problem is that numerous objects sold are built with just a short commercial view [8]. Since the consumers’ consent could hardly be qualified as “informed”, as is required by some important legal texts such as the General Data Protection Regulation (GDPR) [9] in the EU, enforced on March 25, 2018, there is no real short term incentive for most developers and producers of IoT to put an extra effort on a security no one yet requires before buying.
One can only encourage more concern from states to protect the personal data of consumers and companies.
The security of the data amassed from these points of collection and their secure storage is an ethical and an economic long term view:
Why let rogue cybercriminals or states or even robots themselves take over the power given by the huge mass of collected data analysed through machine learning and in the future by artificial intelligence?
Stephen Hawking has already voiced with other influencers his concern about the world of connected robots.[10]
The connected things could be seen as just spread out parts of one worldwide machine, each IoT being just a collector of big data and provider of services.
Let’s make sure that these services, the value brought by the connected things, stay within the goal of serving the highest collective interest of humans.[11]
Long term view urgently needed!
The extremities that some companies are willing to reach [12] in order to gather more and more detailed data on users for marketing purpose cannot be thwarted by consumers alone.
Most users have no clue of they give their “consent” to when they buy a connected object, they see it as a normal thing but they forget that it is connected non-stop and they do not realise that more of their personal life is recorded than they bargained for.
Most people will just see a service or a fun feature they want to try immediately, not imagining that the personal data collected will be analysed and aggregated with other data collected maybe from other services located in other countries.
As did rightly analyse the renowned security technologist, Bruce Schneier [13], some authority has to step in to curb the voracity of companies selling data and to protect the users against themselves.
The IoT generate more data than ever before, one has to make sure the data are securely collected and kept.
What if wrong personal data are collected from a connected object infected by some cyberattack?
I rarely see comments on the quality of the collected data:
It is very important that data used for predictive analysis are accurate and not tainted by cybercriminals.
When data is analysed and cross-examined by new powerful algorithms capable of prediction of behaviours (or machine learning) there should be trust in the quality of the information.
The security of decisions taken from the analysis depends on the trust the stakeholders have in the origin of the data.
If there is no secure way to identify the connected thing at the origin of the data, it might render entire economic policies affecting millions of people ill fitted to their real needs.
One can imagine that health data will contribute to better organize the health system of states.
Data collected by multinational companies could improve the efficiency of their supply chain, a better use of their workforce...
It is a question of time before data collected from a medical device serve as a proof of good or bad health to insurance companies.
It could have direct physically threatening impact to real persons.
They might not get their health insurance or at a steep premium for example. They might not get the treatment needed because the data have been corrupted by a cyberattack.
A complementary approach, to which I contribute in a group, is to create a sort of Trustmark, a label, but transparent, opened to all stakeholders including each user of IoT.[14]
Blockchain [15]: The future to secure the IoT?[16]
One problem with the exponential multiplication of connected objects is that they have developed by companies under different standards of communication, of identity, of privacy or security protection.
There is no consensus yet on how the communications between the object and the collector of information function and there is not a common view on how to protect the quality of the huge data collected called "big data".
This disparate web of private communications between the producer of data collectors (the connected things) and the users make it much easier for the cybercriminals to organise a wide attack.
There are as many weaknesses in the IoT web of communications as there are private company clouds and transmissions connecting disparate things with disparate value to consumers.
This disparate web of private communications between the producer of data collectors (the connected things) and the users make it much easier for the cybercriminals to organise a wide attack.
The solution of an open cloud, a common platform for all the IoT web to communicate and be individually recognised and accepted would be a good start for once.
However, a centralised platform or ledger, would have to be secured to the maximum since it would represent a great attraction for any cybercriminal or rogue state.
Since nothing so far on Internet stays secure forever, one might look for alternate methods.
The certainty of the identification of each connected thing would be greatly secured under a “real” opened, transparent blockchain where there is enough computing power to constantly treat the approbation of access to a certified object by all the participants at the same time.
Could the blockchain protocol be an answer to the security of the IoT?
Blockchain [17], what is it?
Without going into the details of this technique, you first have to realise that it is first just a mean to decentralise trust through peer-to-peer, encrypted, common ledgers.
We are used to rely on a centralised authority, be it a state, an organisation, a company ... to ascertain the trust in a norm, fiat money, a brand, a contract...
In the Blockchain there is an encrypted way to collectively approve the existence of “an event”. An event is a block or a fact written under a highly encrypted language and approved by all participants to the common ledger (peer-to-peer mechanism) before being recorded as a new element in the “chain” or ledger.
What can be recorded in the peer-to-peer ledger?
About any fact can be recorded:
- The proof of existence of a specific connected object: its components could be recorded as original, the owner would be the only one to access it, the data transmitted would be authorised by this recorded owner only
- The proof of the location of a specific object.
- The proof that an object has changed ownership with a specific stamp on the date, place, new owner, new use of the object.
The record of the event is kept in ledgers distributed to each stakeholder of the chain.
Not one single nod or participant of this web of ledgers has the power to change anything in the common ledger unless all the others approve the change.
The maintenance of the common ledgers of chosen events is based on the common interest of each participant to maintain the collective ledgers in accordance with agreed encryption.
If and when the open ledgers are managed by the connected objects themselves, they will constantly be able to check the identity of the other objects they communicate with, thereby ensuring that the right object is transmitting the right data to the right recipient for example.
Authorisation of access will be immune of tampering since it would require an extraordinary computing power to overcome the grid of connected objects managing the approval of changes in the common ledger of any chosen events (identity, origin of the components of the object, level of security in the object ...)
A public, open blockchain between connected objects requires a formidable collective computing power to manage, this power exists if all the computing power in the world is used efficiently, if the idle computing power worldwide is put to use.
It would be a certainly a good way to ascertain that an object is sending data through the genuine original chips and that it concerns the genuine owner of the device.
The identity of the object and of the source of data is “certified” by a collective proof.
It takes away the need of trust in the individual object since each object is collectively recognised by all the others.
Each connected object has a built-in capacity to participate in the proof that each transmission of data, each change of ownership, whatever event, is secure and originates from the right participant to the web of things.
That huge web of interconnected things developed and sold by different companies would auto-authorise the connections based on a system where it would take such an incredible amount of computing power to overcome that it renders cyberattacks too costly.
To conclude
I am obviously not a blockchain developer and this scenario might be a decade too early but some more forward thinking companies (like IBM) have put efforts in planning the future of IoT in an ethical and secure manner.
Responsible and forward thinking companies have started the process, they have recognised that things cannot go on like it started in IoT, especially since it takes part in our daily physical life.
We will be transported in connected things (driverless cars [18], trains), we will have connected devices implanted in our body (insulin pumps, pacemakers...), we will live in a house where energy, communications, entertainment, food supply will depend on connected things. Basically, in each room of our home, there will be objects of any size and sort, permanently connected to Internet and soon connected between themselves.
We will live in a constant snooping environment in our homes, in the streets, at work, at the hospital...
We should quickly be prepared to keep the control on the big personal data and stop just trusting the developers,[19] most have yet to understand the value of privacy in their design of new connected things.
It is urgent that all stakeholders take part in the security of the connected things BEFORE it gets out of hands.
We already have numerous unsecure objects in the market with no way to patch their security although they might last several years.
They represent an existing weakness which is already used for cyber-attacks.
We are bound to see more and more attacks, it is the ubiquity of the connected things which is appealing to cybercriminals.
I would appreciate your view on this matter, please feel free to contact me through this blog.
IOT= SO MANY NEW DOORS
TO ENTER IN COMPANIES BUSSINESSES AND
THE LIFE OF MORE AND MORE PEOPLE!
References:
[1] Therewillbe24billionIoTdevicesinstalledonEarthby2020
[2] IoT: the Connected Things as a Weapon
[3] Largest DDoS attack, ever delivered by botnet of hijacked IoT devices
[4] Hotel Ransomed by Hackers as Guests Locked Out Of Rooms
[5] Dick Cheney Feared Assassination Via Medical Device Hacking: 'I Was Aware of the Danger', abc News, Oct.19, 2013
[6] Nest: a technology company focused on smart home tools. Nest products include a thermostat that learns from user preferences, a smart smoke-CO2 alarm and a camera that tracks the user’s phone location to know when to turn on.
[7] For some insight on the offer : Amazon Alexa Community
[8] “80% of IoT apps not tested for vulnerabilities, report says” Conner Forrest, TechRepublic, Jan.18, 2017
[9] “Stephen Hawking, Elon Musk, and Bill Gates Warn About Artificial Intelligence” Observer, Aug.19, 2015
[10] Regulation (EU) 2016/679 Of the European Parliament And Of The Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data
[11] Asimov Laws:
- 1. A robot may not injure a human being or, through inaction, allow a human being to come to harm.
- 2. A robot must obey the orders given to it by human beings, except where such orders would conflict with the First Law.
- 3. A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.
- 0. A robot may not harm humanity, or, by inaction, allow humanity to come to harm.
[12] My article: “Privacy Attacked: Behavioral Marketing Taken to The Limit”, Swiss cybersecurity Blog, Jan.4 2017
[13] Bruce Schneier: 'The internet era of fun and games is over', The Daily Dot, Nov.16, 2016.
[14] IoT Label, Inclusive Open & Transparent label- Matteo Mazzeri
[15] "The first blockchain was then conceptualised by Satoshi Nakamoto in 2008 and implemented the following year as a core component of the digital currency bitcoin, where it serves as the public ledger for all transactions." Wikipedia description as of January 2017
[16] “Device democracy Saving the future of the Internet of Things “, IBM Institute for Business Value, July 2015, “Quelles solutions pour sécuriser l’IoT ? “Olivier Ezratty, Frenchweb, 3 mars 2016
[17] “What is Blockchain Technology? A Step-by-Step Guide For Beginners“ Blockgeeks
[18] "If You Own a Car, Read This Privacy Guide", TRUSTe, Jan.27, 2017
[19] "Le machine learning a-t-il oublié sa sécurité?", Jacques Cheminat, SILICON, 24 janvier 2017
0 Comments