Of Blockchains and IoT Security Silver Bullets
Well, if it is an IoT Security silver bullet, I’d have to be the Lone Ranger. I’m not entirely sure if it’s a case of a lack of understanding, or merely a good excuse for a blog post, but blockchain is not the answer to IoT security challenges. It is an answer to some IoT challenges, but not so much to security.
I really like this image by Beecham Research. Take a few minutes to study it, and you’ll realize why it’s worth a thousand words. I could conclude this post right here with a simple question: how many of these threats does blockchain help in addressing directly?
Why the misconception?
Irreversibility. Blockchain is essentially a ledger; a distributed, decentralized and irreversible ledger. The irreversible nature of the ledger leads to the misconception that blockchain is the answer to all security challenges. It’s hard to contest that blockchain is an answer to fraudulent transactions. But does that make it the silver bullet for all IoT security issues? If, for example, someone were to hack into a device (the “transactor”) and record malicious transactions in the chain, is the blockchain network capable of detecting the intrusion? No. It will continue to log this transaction; and log it like a carving in a stone tablet (read The DAO example below)! So the fork of blocks (and transactions) beyond this point may very well be based on a compromised transaction.
The other aspect that may lead to misconception is storing identities in a blockchain. Presuming this to be a good idea, the blockchain will just be acting as a ledger of identities. The underlying identities are enforced through digital signatures, and not the blockchain network itself.
The concept of consensus among participating nodes is an important feature of irreversibility. One of the features of a blockchain is to only approve/log transactions that a large number of miners have agreed on. If a large number of nodes (miners) do not reach consensus on a block of transactions, that particular chain gets voided. But once a block has been inserted, it cannot be reversed. Although this is a very important capability to have on a peer-to-peer network, it is insufficient to cover the broad range of threat vectors in IoT.
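To make the point above concrete, here is an added toy ledger (not code from this post): it rejects a transaction that is not correctly signed and detects retroactive edits, but it happily accepts and carves in stone a bogus reading from a device whose signing key has been compromised. Device names, readings and keys are constructed, and HMAC stands in for a real digital signature so the example runs with the standard library only.

```python
import hashlib, hmac, json

# Constructed per-device keys. A real deployment would use asymmetric
# signatures; HMAC is an assumption made here to keep the example dependency-free.
DEVICE_KEYS = {"meter-01": b"key-meter-01", "meter-02": b"key-meter-02"}

def sign(device, payload):
    """Stand-in 'digital signature': HMAC-SHA256 over the canonical payload."""
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(DEVICE_KEYS[device], msg, hashlib.sha256).hexdigest()

def block_hash(prev_hash, tx):
    """Hash that links a block to its predecessor and commits to its transaction."""
    return hashlib.sha256((prev_hash + json.dumps(tx, sort_keys=True)).encode()).hexdigest()

def append(chain, device, payload, tag):
    """Ledger rule: accept only a correctly signed transaction, then chain it."""
    if not hmac.compare_digest(tag, sign(device, payload)):
        raise ValueError("rejected: bad signature")
    tx = {"device": device, "payload": payload, "sig": tag}
    prev = chain[-1]["hash"] if chain else "0" * 64
    chain.append({"prev": prev, "tx": tx, "hash": block_hash(prev, tx)})

def verify(chain):
    """Integrity check: every block hashes correctly and links to its predecessor."""
    prev = "0" * 64
    for b in chain:
        if b["prev"] != prev or b["hash"] != block_hash(prev, b["tx"]):
            return False
        prev = b["hash"]
    return True

def demo():
    chain = []
    p1 = {"kwh": 12.5}
    append(chain, "meter-01", p1, sign("meter-01", p1))
    # Forged reading without the device key: the ledger rejects it.
    try:
        append(chain, "meter-02", {"kwh": 999}, "00" * 32)
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    # Compromised device: the attacker holds the key, so the bogus reading is
    # correctly signed, accepted, and becomes part of the chain.
    p2 = {"kwh": 999}
    append(chain, "meter-02", p2, sign("meter-02", p2))
    intact = verify(chain)
    # Trying to fix the accepted block afterwards breaks the hash chain.
    chain[1]["tx"]["payload"]["kwh"] = 5
    return forged_rejected, intact, verify(chain)
```

The ledger enforces who signed and that nothing was altered afterwards; whether the signer was still trustworthy is a property of the device, not of the chain.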
What secures the blockchain, then?
As a ledger or database, whichever you prefer to call it, blockchain is merely a data structure: a certain way of storing transactions/records. A simple way to understand what secures a blockchain is to look at a couple of breaches that took place on blockchain networks. In June 2016, a false transaction created on the Ethereum blockchain network led to hackers walking away with $55 million worth of crypto-currency. In August 2016, hackers stole $72 million worth of bitcoins by hacking into the Bitfinex exchange.
In Ethereum’s case, the hack was based (presumably) on compromised software code. The code allowed the hacker to siphon out money (called Ether) from a smart contract created on the Ethereum network. There’s a great explanation of the chain of events on this website. It’s worth pointing out that the Ethereum blockchain network itself checked out perfectly in its implementation and promises (so let’s refer to this incident as The DAO incident rather than badmouthing Ethereum in any way). It was the faulty code implementation that led to this disaster. This fault, a human error, could have happened in any case – blockchain or not. An attack of this sort could only have been prevented by employing proper testing and quality assurance techniques. So this, for me, is more of a process or policy security lapse that could have happened regardless of the underlying technology.
The more obvious security incident is Bitfinex, a bitcoin exchange set up in Hong Kong. Bitcoins are stored in wallets (or more specialized versions in this case called multi-signature wallets). The incident happened when (again, presumably) the hackers were able to hack into Bitfinex’s servers. Again, it was not the bitcoin blockchain network that was compromised. But the blockchain had no means to prevent this incident from happening “on” its network.
Neither example shows a lapse in blockchain technology’s security itself, but both clearly show that the purpose of a blockchain is not to implement security. If I were to draw an analogy, consider someone using a database server like Oracle or MySQL, who then writes code that is prone to primitive threats like SQL injection (somewhat analogous to The DAO case), and who also keeps all sensitive data in cleartext in the database. These oversights do not make Oracle or MySQL insecure solutions for managing data, but they highlight that these solutions are merely for managing data; securing the data and information goes far beyond the underlying structure. Eventually, it is the combination of policy and an underlying encryption mechanism that actually secures the content (data, software, identities) on the blockchain.
An IoT solution comprises many different components. In the simple example above I assume that the different components of the solution are using a blockchain ledger, whether for managing smart contracts, identities or even crypto-currencies. Regardless, each component requires its own security, including the blockchain ledger! A "silver bullet" would be something that spans all these components. Unfortunately, such a silver bullet doesn't exist.
Hype + Hype = Hyper-Hype?
IoT has been a hyped term for some time now. But it’s now undergoing a tapering and rationalization phase. Blockchain is still hyped. Most people are still trying to understand what it is capable of, but the potential seems quite obvious. The emergence of blockchain in financial and trading transactions, where it has been shown to reduce transaction times and introduce an immutable record-keeping mechanism, has rightly been projected as a technology capable of curtailing fraud and reducing transaction processing times/costs. But assuming it to be a silver bullet for all things security in IoT is merely an oversimplification.
Blockchain shows immense potential (with a share of challenges) for IoT. Smart Energy, for example, could be one of the most potent use cases. But it will take time to find the right fit to implement smart contracts. A sector like utilities, marred with bureaucracy, might find it challenging to implement a nascent technology that requires a critical mass to achieve its potential. Theoretically though, with the capability to implement smart contracts to address the demand and supply handshakes (transactions), blockchain could indeed be a silver bullet…for IoT transactions, not security. After all, a chain is only as strong as its weakest link.
Would love to learn contrarian views on this conjecture as we unravel the potential for blockchain in IoT!
Here’s one of my earlier posts on IoT Security: https://www.linkedin.com/pulse/bring-out-valyrian-steel-iot-white-walkers-here-haider-iqbal
DISCLAIMER: All the cool views presented in this post are my own, and do not necessarily reflect the views of my past or present employers.
Thanks, very helpful - lots of noise out there!