sb-au logo
Story image

ESET: Will blockchain secure the Internet of Threats?

15 Jul 2019

Article by ESET senior research fellow Nick FitzGerald

Gartner’s “hype cycle” now places blockchain technology well on the downward slide from the “peak of inflated expectations” toward the “trough of disillusionment”.

Hence, the following may seem like kicking someone while they’re down…

Please wait a moment while I lace up these boots nice and tight!

It is well established that contemporary IoT devices, and their associated cloud services, have a terrible security track record.

It seems that any vaguely talented security researcher can randomly select an IoT device, poke at it briefly after installing it into a carefully instrumented test network and uncover nasty privacy exposures or full-blown security vulnerabilities.

Worse, these flaws are often what can only be described as “n00b level at best”.

The reasons usually given for this state of affairs are one or both of “they’re small, cheap, low-powered devices – you can’t expect everything” or “they’re small, cheap, low-powered devices – you can’t expect everything”.

No, that’s not an editing or proofing error.

The common excuses boil down to IoT devices being low-powered so they don’t have the grunt to do proper security, or that they are “designed down” to the lowest manufacturing price to allow them to be as price-competitive as possible (and thus maximally profitable for their manufacturers).

Furthermore, security considerations tend to be overlooked, if the designers were even aware that there might be security issues to begin with.

In this environment, many pundits are terribly keen to propose blockchain technology as the silver-bullet solution, with innumerable claims during the last couple of years that blockchain can secure IoT.

When you look closer, these claims typically fall into one of two camps.

One of these comprises the “optimistic hand wavers” who seem to be repeating something vague that they half-heard at some briefing or conference session.

The other camp comprises those who have clear notions limiting which IoT security issues blockchain tech might solve.

The latter may well be right that, eventually, blockchain-backed smart contracts and data-brokering will help resolve those kinds of issues for some (perhaps quite distant) future IoT devices (recall that these devices are mostly cheap, low-powered and struggle to handle decent encryption).

However, before these potential future devices can negotiate those contracts or supply that data, they must connect to a network.

It’s about 20 years now since many very serious internet email veterans proposed potentially replacing SMTP with an improved protocol that would be designed to significantly reduce, if not outright thwart, spamming.

We’re still waiting, and not due to the lack of either talent or effort that was thrown at this proposal.

It turned out that SMTP – with all its numerous flaws – is so embedded in what we do and “how stuff works” that we cannot get rid of it.

The notion of scrapping it is effectively untenable.

And so is the notion of replacing the network layers on which IoT devices depend for their most basic communications.

Zigbee, Z‑Wave, 802.11x, TCP/IP and then the need for application-level protocols such as telnet, (S)FTP, HTTP and so on, to provide configuration and update interfaces for more complex devices.

Blockchain cannot fix the dozens, hundreds, thousands of flawed implementations or configurations of all of these, already shipped in all those billions of existing devices.

As future products will be expected to work seamlessly with all of that already deployed kit, it seems likely we’ll see vendors continuing to make much the same mistakes moving forward.

Story image
Leader wins Acronis distribution agreement, brings cyber protection solutions to Aus
The agreement covers the entire Acronis Cyber Protect Cloud solution portfolio, which includes cybersecurity, backup, disaster recovery, secure file sync and share, as well as notary services.More
Story image
Creating a strong culture of security within organisations
CISOs worldwide are inherently aware of how significant investment in cybersecurity strategies and technologies can bolster an organisation’s protection against cyberattacks. However, many overlook the importance of culture when it comes to cybersecurity.More
Story image
Latest Tenable launch provides holistic approach to vulnerability management
Tenable.ep is reportedly the industry’s first, all-in-one, risk-based vulnerability management platform designed to scale as dynamic compute requirements change.More
Story image
Three security essentials for financial services
Financial services organisations must provide the best possible customer experience in terms of mobile and online application availability, performance and security, writes Gigamon country manager for A/NZ George Tsoukas.More
Story image
Why consumer privacy is crucial in a remote work era
Organisations should monitor all file, app, user and web activity with comprehensive activity logs to uncover the whereabouts of consumers’ data.More
Story image
Microsoft adds new ways to bring AI to the edge with Azure Percept
"The goal of the Azure Percept platform is to simplify the process of developing, training and deploying edge AI solutions."More