The Internet of Things (IoT) as a concept is fascinating and exciting, but one of the major challenging aspects of IoT is having a secure ecosystem encompassing all building blocks of IoT-architecture. Understanding the different building blocks of IoT, identifying the areas of vulnerability in each block and exploring technologies needed to counter each of the weaknesses are essential in dealing with the security issue of IoT.
Figure 1: IoT Architecture
IoT architecture can be represented by four building blocks:
Existing security technologies will play a role in mitigating IoT risks but they are not enough. The goal is to get data securely to the right place, at the right time, in the right format. It's easier said than done for many reasons, and here is a list of some of the challenges:
In addition to the above list, new security technologies will be required to protect IoT devices and platforms from both information attacks and physical tampering, to encrypt their communications, and to address new challenges such as impersonation of "things", denial-of-sleep attacks that drain batteries, and denial-of-service (DoS) attacks. But IoT security will be complicated by the fact that many "things" use simple processors and operating systems that may not support sophisticated security approaches.
A prime example of the urgent need for such new security technologies is the massive distributed denial-of-service (DDoS) attack that crippled the servers of popular services like Twitter, Netflix, NYTimes, and PayPal across the U.S. on October 21st, 2016. It was the result of an immense assault that involved millions of internet addresses and malicious software. One source of the traffic for the attacks was devices infected by the Mirai malware. The attack came amid heightened cybersecurity fears and a rising number of internet security breaches. All indications suggest that countless IoT devices that power everyday technology, like closed-circuit cameras and smart-home devices, were hijacked by the malware and used against the servers.
Current IoT ecosystems rely on centralized, brokered communication models, otherwise known as the server/client paradigm. All devices are identified, authenticated and connected through cloud servers that sport huge processing and storage capacities. Connections between devices have to exclusively go through the internet, even if they happen to be a few feet apart.
While this model has connected generic computing devices for decades and will continue to support small-scale IoT networks as we see them today, it will not be able to respond to the growing needs of the huge IoT ecosystems of tomorrow.
Existing IoT solutions are expensive because of the high infrastructure and maintenance cost associated with centralized clouds, large server farms, and networking equipment. The sheer amount of communications that will have to be handled when there are tens of billions of IoT devices will increase those costs substantially.
Even if the unprecedented economic and engineering challenges are overcome, cloud servers will remain a bottleneck and point of failure that can disrupt the entire network.
A decentralized approach to IoT networking would solve many of the issues above. Adopting a standardized peer-to-peer communication model to process the hundreds of billions of transactions between devices will significantly reduce the costs associated with installing and maintaining large centralized data centers and will distribute computation and storage needs across the billions of devices that form IoT networks. This will prevent failure in any single node in a network from bringing the entire network to a halting collapse.
However, establishing peer-to-peer communications will present its own set of challenges, chief among them the issue of security. And as we all know, IoT security is about much more than protecting sensitive data. The proposed solution will have to maintain privacy and security in huge IoT networks and offer some form of validation and consensus for transactions to prevent spoofing and theft.
To perform the functions of traditional IoT solutions without a centralized control, any decentralized approach must support three foundational functions:
Blockchain, the "distributed ledger" technology, has emerged as an object of intense interest in the tech industry and beyond. Blockchain technology offers a way of recording transactions or any digital interaction in a way that is designed to be secure, transparent, highly resistant to outages, auditable, and efficient; as such, it carries the possibility of disrupting industries and enabling new business models. The technology is young and changing very rapidly; widespread commercialization is still a few years off. Nonetheless, to avoid disruptive surprises or missed opportunities, strategists, planners, and decision makers across industries and business functions should pay heed now and begin to investigate applications of the technology.
Blockchain is a database that maintains a continuously growing set of data records. It is distributed in nature, meaning that there is no master computer holding the entire chain. Rather, the participating nodes have a copy of the chain. It’s also ever-growing — data records are only added to the chain.
A blockchain consists of two types of elements:
The big advantage of blockchain is that it's public. Everyone participating can see the blocks and the transactions stored in them. This doesn't mean everyone can see the actual content of your transaction, however; that's protected by your private key.
A blockchain is decentralized, so there is no single authority that can approve the transactions or set specific rules to have transactions accepted. That means there's a huge amount of trust involved since all the participants in the network have to reach a consensus to accept transactions.
Most importantly, it's secure. The database can only be extended and previous records cannot be changed (at least, there's a very high cost if someone wants to alter previous records).
When someone wants to add a transaction to the chain, all the participants in the network will validate it. They do this by applying an algorithm to the transaction to verify its validity. What exactly is understood by "valid" is defined by the blockchain system and can differ between systems. Then it is up to a majority of the participants to agree that the transaction is valid.
A set of approved transactions is then bundled in a block, which gets sent to all the nodes in the network. They, in turn, validate the new block. Each successive block contains a hash, which is a unique fingerprint, of the previous block.
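The hash linking and majority agreement described above can be seen in a small model. This is an added example, not code from the article or from any blockchain project: the function names, the device records, the use of SHA-256 and the simple majority rule over node copies are all assumptions made for illustration.

```python
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64  # placeholder "previous hash" for the first block


def block_hash(index, prev_hash, transactions):
    """SHA-256 fingerprint over a block's canonical JSON encoding."""
    body = json.dumps({"index": index, "prev": prev_hash, "tx": transactions},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


def build_chain(batches):
    """Bundle each batch of transactions into a block linked to its predecessor."""
    chain, prev = [], GENESIS
    for i, txs in enumerate(batches):
        h = block_hash(i, prev, txs)
        chain.append({"index": i, "prev": prev, "tx": txs, "hash": h})
        prev = h
    return chain


def first_invalid_block(chain):
    """Return the index of the first block that fails validation, or None."""
    prev = GENESIS
    for block in chain:
        recomputed = block_hash(block["index"], block["prev"], block["tx"])
        if block["prev"] != prev or recomputed != block["hash"]:
            return block["index"]
        prev = block["hash"]
    return None


def majority_tip(node_chains):
    """Tip hash held by a strict majority of nodes with valid chains, or None."""
    tips = Counter(c[-1]["hash"] for c in node_chains if first_invalid_block(c) is None)
    if not tips:
        return None
    tip, votes = tips.most_common(1)[0]
    return tip if votes > len(node_chains) // 2 else None


# Constructed sample data: readings from hypothetical devices.
BATCHES = [[{"device": "sensor-01", "temp_c": 21.5}],
           [{"device": "lock-07", "state": "locked"}],
           [{"device": "sensor-01", "temp_c": 21.9}]]
```

Editing an old record breaks that block's hash; recomputing the hash breaks the next block's link; rewriting every later block yields a chain that validates on its own but no longer matches the copies held by the other nodes.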
Figure 2: Key Benefits of Using Blockchain for IoT
Blockchain technology is the missing link to settle privacy and reliability concerns in the Internet of Things. Blockchain technology could perhaps be the silver bullet needed by the IoT industry. It can be used in tracking billions of connected devices, enabling the processing of transactions and coordination between devices; this allows for significant savings for IoT industry manufacturers. This decentralized approach would eliminate single points of failure, creating a more resilient ecosystem for devices to run on. The cryptographic algorithms used by blockchains would make consumer data more private.
The ledger is tamper-proof and cannot be manipulated by malicious actors because it doesn't exist in any single location, and man-in-the-middle attacks cannot be staged because there is no single thread of communication that can be intercepted. Blockchain makes trustless, peer-to-peer messaging possible and has already proven its worth in the world of financial services through cryptocurrencies such as bitcoin, providing guaranteed peer-to-peer payment services without the need for third-party brokers.
The decentralized, autonomous, and trustless capabilities of the blockchain make it an ideal component to become a foundational element of IoT solutions. It is no surprise that enterprise IoT technologies have quickly become one of the early adopters of blockchain technology.
In an IoT network, the blockchain can keep an immutable record of the history of smart devices. This feature enables the autonomous functioning of smart devices without the need for centralized authority. As a result, the blockchain opens the door to a series of IoT scenarios that were remarkably difficult, or even impossible to implement without it.
For example, by leveraging the blockchain, IoT solutions can enable secure, trustless messaging between devices in an IoT network. In this model, the blockchain will treat message exchanges between devices similar to financial transactions in a bitcoin network. To enable message exchanges, devices will leverage smart contracts which then model the agreement between the two parties.
One of the most exciting capabilities of the blockchain is the ability to maintain a duly decentralized, trusted ledger of all transactions occurring in a network. This capability is essential to meeting the many compliance and regulatory requirements of industrial IoT (IIoT) applications without the need to rely on a centralized model.
In spite of all its benefits, the blockchain model is not without its flaws and shortcomings:
Developing solutions for the Internet of Things requires unprecedented collaboration, coordination, and connectivity for each piece in the ecosystem, and throughout the ecosystem as a whole. All devices must work together and be integrated with all other devices, and all devices must communicate and interact seamlessly with connected systems and infrastructures. It's possible, but it can be expensive, time-consuming, and difficult.
The optimum platform for IoT can:
Security needs to be built in as a foundation of IoT systems, with rigorous validity checks, authentication, data verification, and encryption of all data. At the application level, software development organizations need to be better at writing code that is stable, resilient and trustworthy, with better code development standards, training, threat analysis and testing. As systems interact with each other, it's essential to have an agreed interoperability standard that is safe and valid. Without a solid bottom-top structure, we will create more threats with every device added to the IoT. What we need is a secure and safe IoT with privacy protected. That's a tough trade-off, but not an impossible one, and blockchain technology is an attractive option if we can overcome its drawbacks.
A version of this article first appeared on IEEE-IoT.
Ahmed Banafa is an expert in new tech with appearances on ABC, NBC, CBS, FOX TV and radio stations. He served as a professor, academic advisor and coordinator at well-known American universities and colleges. His research is featured on Forbes, MIT Technology Review, ComputerWorld and Techonomy. He has published over 100 articles about the internet of things, blockchain, artificial intelligence, cloud computing and big data. His research papers are used in many patents, numerous theses and conferences. He is also a guest speaker at international technology conferences. He is the recipient of several awards, including the Distinguished Tenured Staff Award, Instructor of the Year and a Certificate of Honor from the City and County of San Francisco. Ahmed studied cyber security at Harvard University. He is the author of the book Secure and Smart Internet of Things Using Blockchain and AI.