Story image

ESET: Will blockchain secure the Internet of Threats?

15 Jul 2019
Sponsored
Twitter
Facebook

Article by ESET senior research fellow Nick FitzGerald

Gartner’s “hype cycle” now places blockchain technology well on the downward slide from the “peak of inflated expectations” toward the “trough of disillusionment”.

Hence, the following may seem like kicking someone while they’re down…

Please wait a moment while I lace up these boots nice and tight!

It is well established that contemporary IoT devices, and their associated cloud services, have a terrible security track record.

It seems that any vaguely talented security researcher can randomly select an IoT device, poke at it briefly after installing it into a carefully instrumented test network and uncover nasty privacy exposures or full-blown security vulnerabilities.

Worse, these flaws are often what can only be described as “n00b level at best”.

The reasons usually given for this state of affairs are one or both of “they’re small, cheap, low-powered devices – you can’t expect everything” or “they’re small, cheap, low-powered devices – you can’t expect everything”.

No, that’s not an editing or proofing error.

The common excuses boil down to IoT devices being low-powered so they don’t have the grunt to do proper security, or that they are “designed down” to the lowest manufacturing price to allow them to be as price-competitive as possible (and thus maximally profitable for their manufacturers).

Furthermore, security considerations tend to be overlooked, if the designers were even aware that there might be security issues to begin with.

In this environment, many pundits are terribly keen to propose blockchain technology as the silver-bullet solution, with innumerable claims during the last couple of years that blockchain can secure IoT.

When you look closer, these claims typically fall into one of two camps.

One of these comprises the “optimistic hand wavers” who seem to be repeating something vague that they half-heard at some briefing or conference session.

The other camp comprises those who have clear notions limiting which IoT security issues blockchain tech might solve.

The latter may well be right that, eventually, blockchain-backed smart contracts and data-brokering will help resolve those kinds of issues for some (perhaps quite distant) future IoT devices (recall that these devices are mostly cheap, low-powered and struggle to handle decent encryption).

However, before these potential future devices can negotiate those contracts or supply that data, they must connect to a network.

It’s about 20 years now since many very serious internet email veterans proposed potentially replacing SMTP with an improved protocol that would be designed to significantly reduce, if not outright thwart, spamming.

We’re still waiting, and not due to the lack of either talent or effort that was thrown at this proposal.

It turned out that SMTP – with all its numerous flaws – is so embedded in what we do and “how stuff works” that we cannot get rid of it.

The notion of scrapping it is effectively untenable.

And so is the notion of replacing the network layers on which IoT devices depend for their most basic communications.

Zigbee, Z‑Wave, 802.11x, TCP/IP and then the need for application-level protocols such as telnet, (S)FTP, HTTP and so on, to provide configuration and update interfaces for more complex devices.

Blockchain cannot fix the dozens, hundreds, thousands of flawed implementations or configurations of all of these, already shipped in all those billions of existing devices.

As future products will be expected to work seamlessly with all of that already deployed kit, it seems likely we’ll see vendors continuing to make much the same mistakes moving forward.