Internet of Things and Blockchain
June 16th, 2022
For the past few years, there hasn’t been a game of “buzzword bingo” in a security organization that didn’t include words like “IoT” and “Blockchain”. There is simply no overstating the breadth of the use cases that the two technologies are trying to address, and both work in favor of and against security. IoT devices are used to help secure our physical world. However, device manufacturers often ignore security design, and the devices themselves are hard to patch and update. Users may also lack awareness of the risks surrounding privacy and confidentiality. Blockchain can be used to increase transparency and ensure both identity and compliance. However, many forms of blockchain make data public, which could result in security leaks. One such use ensures trust in firmware and software updates by guaranteeing the integrity of the updates during distribution using third parties and blockchain-based contracts. The effect of putting some information onto a blockchain is to prove that the information is trusted, and to prove who put it there, which can improve the trust of patches and other updates that would occur after production. Ultimately, the goal is to marry the two technologies so that the strengths of each cover the weaknesses of the other and increase trust in the ecosystem.
For most businesses, the future of blockchain lies within smart contracts. Smart contracts are written permanently to a blockchain as an “if/then” statement, such that if a specific trigger occurs then an event is automatically generated. This is the most common use case that intersects the two worlds. The IoT devices used as recorders of truth, commonly referred to as oracles, include thermometers, scales, timers, and anything else needed to prove the conditions of the contract. Blockchains for tangible assets need a way to verify the information that is being written to the chain, and smart contracts rely on those data to ensure their correctness. But what happens when those IoT devices can no longer be trusted?
Figure 1. Blockchain and IoT communication contracts.
Securing the things: To be effective, most of the IoT devices used as oracles should be so inexpensive that they are practically disposable. This means that the cheapest device which meets the requirements will often be the device type selected. Further, one of the main ways that you can save money on a device is by reducing its security. A lot of work has gone into making open source software; however, many companies still tend to use their own homegrown solutions, which often come with homegrown vulnerabilities built in.
Securing the data in motion: Even data collected correctly needs to be protected. Many of the cheaper IoT devices have limited power for transmitting data, which generally means that the lowest power transmission is the one that is selected. Encryption on the device consumes energy, and increases the size of the data package, which again increases the need for power to transmit. Since there are no easy solutions, data harvesting needs to be well thought out. In general, the most secure path is an append-only style media, which can be read by various outsiders, such that only a trusted entity can move the data from each device to the database. One method used is a data harvester which might operate on a secondary channel from the primary function, like a touchless key fob on a door having a hardwire access point inside.
Securing the data at rest: Once the data has been entered into a database (a blockchain is generally not advised for data storage), the data will need to be kept secured in order to prove that the trigger data was accurately utilized by the blockchain. While proof of what the correct data were may suffice, it is often harder to prove that some alternate data values that could produce the same or an equivalent trigger were not seen in the transaction.
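An added example, not from the original article, of the append-only log and trusted harvester described under data in motion, together with a digest of the harvested readings that could be written to a chain so the stored data can be checked later. The per-device shared HMAC key, the record layout and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # fixed start value for both chains

def _encode(reading):
    return json.dumps(reading, sort_keys=True).encode()

def append_record(log, device_key, reading):
    """Device side: append a reading whose tag covers the previous tag."""
    prev = bytes.fromhex(log[-1]["tag"]) if log else GENESIS
    tag = hmac.new(device_key, prev + _encode(reading), hashlib.sha256)
    log.append({"reading": reading, "tag": tag.hexdigest()})

def harvest(log, device_key):
    """Harvester side: verify each link before the data leaves the device.
    Raises ValueError at the first record that was altered, reordered,
    inserted, or that follows a removed record."""
    prev, readings = GENESIS, []
    for i, rec in enumerate(log):
        want = hmac.new(device_key, prev + _encode(rec["reading"]),
                        hashlib.sha256).digest()
        if not hmac.compare_digest(want.hex(), rec["tag"]):
            raise ValueError(f"record {i} fails verification")
        readings.append(rec["reading"])
        prev = want
    return readings

def dataset_digest(readings):
    """Keyless commitment to the exact ordered readings (value to anchor)."""
    h = GENESIS
    for r in readings:
        h = hashlib.sha256(h + _encode(r)).digest()
    return h.hex()

if __name__ == "__main__":
    key, log = b"constructed-demo-key", []   # constructed sample data
    for seq, temp in enumerate([4.1, 4.3, 9.8]):
        append_record(log, key, {"seq": seq, "temp_c": temp})
    anchor = dataset_digest(harvest(log, key))
    log[2]["reading"]["temp_c"] = 4.2        # trigger value rewritten on the media
    try:
        harvest(log, key)
    except ValueError as err:
        print("rejected:", err, "| anchored digest", anchor[:16])
```

The chain alone cannot show that records were dropped from the end of the log before harvest; the digest only detects changes made after it was recorded.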
Proving the data access: What data can be read and by whom is important. The data is often a part of trade secrets, so open access should be avoided. Further, in some industries such as medical IoT, there are privacy rights that need to be cared for, and blockchain can provide not only the protection, but also proof that the protection was effective and that only known personnel with a need to know accessed the information about a patient.
Bonus – Cloud instances: One of the easiest ways to help control the process is to utilize cloud instances. Many of these systems are already set up to safely handle all the data processes from the point of data harvesting onwards. Redundant data stores are easily spun up to keep pace with the needs of the system while controlling access.
Over the coming years we are expecting to see an increase in the number of IoT devices intended to be used to report on and interact with the world around them. As they come into their own maturity, there will be a need for a new infrastructure to provide a secure back end to support the insecure front end. Blockchain technology appears to be looking for new footholds every day and the marriage of them to IoT could propel the next generation blockchains into our everyday lives.
These technologies will integrate into nearly every vertical. Connected cars will interact with smart cities as they move through them. Medical devices will share critical data with doctors and health providers as well as provide information to the patients just when they need it. They will enable shoppers to have more control and a smoother sales process in a post pandemic world. IoT devices will continue to play a bigger and bigger role in our homes, our schools, our offices, and the world around us.
As the use cases continue to pop up and mature, we will see the ways that IoT devices interact with blockchains evolve. For now, the limited power of IoT devices and the complexity of blockchain solutions mean that the blockchains are simply reading the data from IoT devices, but in the future the interactions will increase in complexity. IoT devices will soon be designed to read data from a blockchain, either querying directly or through a proxy. Eventually IoT devices will reach a level of complexity where they will be able to write complex transactions for themselves.