itb-au logo
Story image

ESET: Will blockchain secure the Internet of Threats?

15 Jul 2019

Article by ESET senior research fellow Nick FitzGerald

Gartner’s “hype cycle” now places blockchain technology well on the downward slide from the “peak of inflated expectations” toward the “trough of disillusionment”.

Hence, the following may seem like kicking someone while they’re down…

Please wait a moment while I lace up these boots nice and tight!

It is well established that contemporary IoT devices, and their associated cloud services, have a terrible security track record.

It seems that any vaguely talented security researcher can randomly select an IoT device, poke at it briefly after installing it into a carefully instrumented test network and uncover nasty privacy exposures or full-blown security vulnerabilities.

Worse, these flaws are often what can only be described as “n00b level at best”.

The reasons usually given for this state of affairs are one or both of “they’re small, cheap, low-powered devices – you can’t expect everything” or “they’re small, cheap, low-powered devices – you can’t expect everything”.

No, that’s not an editing or proofing error.

The common excuses boil down to IoT devices being low-powered so they don’t have the grunt to do proper security, or that they are “designed down” to the lowest manufacturing price to allow them to be as price-competitive as possible (and thus maximally profitable for their manufacturers).

Furthermore, security considerations tend to be overlooked, if the designers were even aware that there might be security issues to begin with.

In this environment, many pundits are terribly keen to propose blockchain technology as the silver-bullet solution, with innumerable claims during the last couple of years that blockchain can secure IoT.

When you look closer, these claims typically fall into one of two camps.

One of these comprises the “optimistic hand wavers” who seem to be repeating something vague that they half-heard at some briefing or conference session.

The other camp comprises those who have clear notions limiting which IoT security issues blockchain tech might solve.

The latter may well be right that, eventually, blockchain-backed smart contracts and data-brokering will help resolve those kinds of issues for some (perhaps quite distant) future IoT devices (recall that these devices are mostly cheap, low-powered and struggle to handle decent encryption).

However, before these potential future devices can negotiate those contracts or supply that data, they must connect to a network.

It’s about 20 years now since many very serious internet email veterans proposed potentially replacing SMTP with an improved protocol that would be designed to significantly reduce, if not outright thwart, spamming.

We’re still waiting, and not due to the lack of either talent or effort that was thrown at this proposal.

It turned out that SMTP – with all its numerous flaws – is so embedded in what we do and “how stuff works” that we cannot get rid of it.

The notion of scrapping it is effectively untenable.

And so is the notion of replacing the network layers on which IoT devices depend for their most basic communications.

Zigbee, Z‑Wave, 802.11x, TCP/IP and then the need for application-level protocols such as telnet, (S)FTP, HTTP and so on, to provide configuration and update interfaces for more complex devices.

Blockchain cannot fix the dozens, hundreds, thousands of flawed implementations or configurations of all of these, already shipped in all those billions of existing devices.

As future products will be expected to work seamlessly with all of that already deployed kit, it seems likely we’ll see vendors continuing to make much the same mistakes moving forward.

Link image
Why employees have never been more vulnerable to cyber attack
COVID-19 is presenting the perfect opportunity to cyber attackers to mount potentially devastating spear-phishing campaigns against organisations via their remote workers. Learn how to fight back.More
Story image
HPE announces new virtual desktop solutions in wake of COVID-19
“The response to COVID-19 has pressured our customers to rapidly implement secure and remote work options for their organisations.” More
Download image
How a simple, secure authentication suite can help your business
Top-end secure authentication is more important than ever with cyber attackers taking advantage of enterprises in these uncertain times. Make sure you have the best protection.More
Link image
Why secure remote access tools are more important and valuable than ever
Cyber attacks are ramping up as more people work from home and render themselves vulnerable. Here's why an effective remote access tool is absolutely essential to keep systems and users secure.More
Story image
Start-up raises 1M, looks to save enterprises from technical debt
“We are on a mission to help enterprises deliver high-quality SaaS implementations at scale by shining a light on the costly and problematic issue of technical debt."More
Story image
Google Cloud launches COVID-19 rapid response programme
The Rapid Response Virtual Agent tool streamlines customer interaction with its Contact Center AI, which provides a ‘first line of response’ through conversational self-service support via chat or over the phone.More