sb-eu logo
Story image

ESET: Will blockchain secure the Internet of Threats?

15 Jul 2019

Article by ESET senior research fellow Nick FitzGerald

Gartner’s “hype cycle” now places blockchain technology well on the downward slide from the “peak of inflated expectations” toward the “trough of disillusionment”.

Hence, the following may seem like kicking someone while they’re down…

Please wait a moment while I lace up these boots nice and tight!

It is well established that contemporary IoT devices, and their associated cloud services, have a terrible security track record.

It seems that any vaguely talented security researcher can randomly select an IoT device, poke at it briefly after installing it into a carefully instrumented test network and uncover nasty privacy exposures or full-blown security vulnerabilities.

Worse, these flaws are often what can only be described as “n00b level at best”.

The reasons usually given for this state of affairs are one or both of “they’re small, cheap, low-powered devices – you can’t expect everything” or “they’re small, cheap, low-powered devices – you can’t expect everything”.

No, that’s not an editing or proofing error.

The common excuses boil down to IoT devices being low-powered so they don’t have the grunt to do proper security, or that they are “designed down” to the lowest manufacturing price to allow them to be as price-competitive as possible (and thus maximally profitable for their manufacturers).

Furthermore, security considerations tend to be overlooked, if the designers were even aware that there might be security issues to begin with.

In this environment, many pundits are terribly keen to propose blockchain technology as the silver-bullet solution, with innumerable claims during the last couple of years that blockchain can secure IoT.

When you look closer, these claims typically fall into one of two camps.

One of these comprises the “optimistic hand wavers” who seem to be repeating something vague that they half-heard at some briefing or conference session.

The other camp comprises those who have clear notions limiting which IoT security issues blockchain tech might solve.

The latter may well be right that, eventually, blockchain-backed smart contracts and data-brokering will help resolve those kinds of issues for some (perhaps quite distant) future IoT devices (recall that these devices are mostly cheap, low-powered and struggle to handle decent encryption).

However, before these potential future devices can negotiate those contracts or supply that data, they must connect to a network.

It’s about 20 years now since many very serious internet email veterans proposed potentially replacing SMTP with an improved protocol that would be designed to significantly reduce, if not outright thwart, spamming.

We’re still waiting, and not due to the lack of either talent or effort that was thrown at this proposal.

It turned out that SMTP – with all its numerous flaws – is so embedded in what we do and “how stuff works” that we cannot get rid of it.

The notion of scrapping it is effectively untenable.

And so is the notion of replacing the network layers on which IoT devices depend for their most basic communications.

Zigbee, Z‑Wave, 802.11x, TCP/IP and then the need for application-level protocols such as telnet, (S)FTP, HTTP and so on, to provide configuration and update interfaces for more complex devices.

Blockchain cannot fix the dozens, hundreds, thousands of flawed implementations or configurations of all of these, already shipped in all those billions of existing devices.

As future products will be expected to work seamlessly with all of that already deployed kit, it seems likely we’ll see vendors continuing to make much the same mistakes moving forward.

Story image
Current security practices 'grossly inadequate' for protecting cloud infrastructures - report
"As cloud stacks become increasingly complex, with new technologies regularly added to the mix, what's needed is a holistic approach with consistent protection across the full cloud stack."More
Story image
Five wine-tasting tips that should be applied to network security
What does network visibility really mean? Much like a blind wine tasting, we need to keep an open mind and trust what data is telling us without being biased by previous results.More
Story image
Thycotic acquires Onion ID, launches new access management products
Thycotic has acquired Onion ID, a privileged access management (PAM) solutions provider, and has added new products to its PAM portfolio to protect enterprise cloud apps and better enable remote workers.More
Story image
WatchGuard completes acquisition of Panda Security
Executives say the immediate goal of the now-combined companies is to provide stakeholders access to a newly expanded portfolio of security solutions.More
Story image
Intel creates 10th Gen vPro processors for 'next generation of business computing'
“Built for business, the Intel vPro platform is a comprehensive PC foundation for performance, hardware-enhanced security, manageability and stability,” says Intel.More
Story image
Thycotic launches DevOps Secrets Vault solution for greater cloud security
“DevOps Secrets Vault is a cloud-based vault that balances the security and velocity that DevOps teams require for this growing part of the enterprise attack surface."More