sb-as logo
Story image

ESET: Will blockchain secure the Internet of Threats?

15 Jul 2019

Article by ESET senior research fellow Nick FitzGerald

Gartner’s “hype cycle” now places blockchain technology well on the downward slide from the “peak of inflated expectations” toward the “trough of disillusionment”.

Hence, the following may seem like kicking someone while they’re down…

Please wait a moment while I lace up these boots nice and tight!

It is well established that contemporary IoT devices, and their associated cloud services, have a terrible security track record.

It seems that any vaguely talented security researcher can randomly select an IoT device, poke at it briefly after installing it into a carefully instrumented test network and uncover nasty privacy exposures or full-blown security vulnerabilities.

Worse, these flaws are often what can only be described as “n00b level at best”.

The reasons usually given for this state of affairs are one or both of “they’re small, cheap, low-powered devices – you can’t expect everything” or “they’re small, cheap, low-powered devices – you can’t expect everything”.

No, that’s not an editing or proofing error.

The common excuses boil down to IoT devices being low-powered so they don’t have the grunt to do proper security, or that they are “designed down” to the lowest manufacturing price to allow them to be as price-competitive as possible (and thus maximally profitable for their manufacturers).

Furthermore, security considerations tend to be overlooked, if the designers were even aware that there might be security issues to begin with.

In this environment, many pundits are terribly keen to propose blockchain technology as the silver-bullet solution, with innumerable claims during the last couple of years that blockchain can secure IoT.

When you look closer, these claims typically fall into one of two camps.

One of these comprises the “optimistic hand wavers” who seem to be repeating something vague that they half-heard at some briefing or conference session.

The other camp comprises those who have clear notions limiting which IoT security issues blockchain tech might solve.

The latter may well be right that, eventually, blockchain-backed smart contracts and data-brokering will help resolve those kinds of issues for some (perhaps quite distant) future IoT devices (recall that these devices are mostly cheap, low-powered and struggle to handle decent encryption).

However, before these potential future devices can negotiate those contracts or supply that data, they must connect to a network.

It’s about 20 years now since many very serious internet email veterans proposed potentially replacing SMTP with an improved protocol that would be designed to significantly reduce, if not outright thwart, spamming.

We’re still waiting, and not due to the lack of either talent or effort that was thrown at this proposal.

It turned out that SMTP – with all its numerous flaws – is so embedded in what we do and “how stuff works” that we cannot get rid of it.

The notion of scrapping it is effectively untenable.

And so is the notion of replacing the network layers on which IoT devices depend for their most basic communications.

Zigbee, Z‑Wave, 802.11x, TCP/IP and then the need for application-level protocols such as telnet, (S)FTP, HTTP and so on, to provide configuration and update interfaces for more complex devices.

Blockchain cannot fix the dozens, hundreds, thousands of flawed implementations or configurations of all of these, already shipped in all those billions of existing devices.

As future products will be expected to work seamlessly with all of that already deployed kit, it seems likely we’ll see vendors continuing to make much the same mistakes moving forward.

Story image
Interview: How cyber hygiene supports security culture - ThreatQuotient
We spoke with ThreatQuotient’s APJC regional director Anthony Stitt to dig deeper into cyber hygiene, security culture, threat intelligence, and the tools that support them.More
Story image
Insider threat report reveals deception in the workforce
Insider threats come from people inside an enterprise, whether they divulge proprietary information with nefarious intentions, or are just careless employees that unwittingly share sensitive data, writes Bitglass product marketing manager Juan Lugo.More
Story image
Cybersecurity market continues meteoric ascent
With the increase in cyberattacks, organisations are continuing to spend more money on security. However, without a focused cybersecurity strategy, they often spend it in the wrong areas.More
Story image
Majority of industrial enterprises face increase cyber threats since COVID-19
Leadership's top cyber security priority was implementing new technology solutions since the onset of the pandemic.More
Link image
Why the threat of ransomware requires quality resources to keep it at bay
With this ransomware prevention kit, learn actionable tactics for IT departments on how to manage backups and enable staff so that ransomware is a managed and controlled risk.More
Story image
Creating private data regulations for employees
Whether employees are hired on a part-time or full-time basis, everyone must know about data privacy regulations. Everyone needs to be responsible for keeping the organisation’s data secure. More