Blockchain has been proposed as a “Trusted Mechanism” for crypto-currency, asset transfer and distributed computing without centralized servers/databases and without the need for trusted intermediaries / third parties. Since IoT devices are typically autonomous, distributed, unsupervised, and physically exposed, it seems logical that Blockchain and IoT are a good match.
However, there is always a price to pay in adopting any new technology as an industrial solution, and Blockchain is no exception! While incorporating Blockchain into IoT solutions introduces both a distributed ledger for managing ownership of digital assets and a generator of cryptographically proven transaction data to ensure IoT data provenance, quality, and security, there are many challenges in deploying Blockchain for IoT security. The challenges include the computational expense and limited efficiency of “Proof-of-Work” in Blockchains, the increased storage capacity required for the ever-growing Blockchain ledger, etc.
Consequently, Blockchain is not a panacea for IoT security, and there are business applications of IoT for which Blockchain may not be a suitable security solution. Therefore, “To use or not to use Blockchain for IoT security” is a germane question to ask and an important decision to make for every stakeholder who is involved in IoT security.
In this column, after a brief introduction, we first discuss the importance of providing highly scalable data integrity and authentication down to the hardware/chip level for IoT security. Next, we discuss securing IoT with Blockchain, its pros and cons, and the challenges of deploying Blockchain in IoT. Third, we discuss the suitability of adopting Blockchain to protect both IoT security and privacy for certain mission-critical IoT applications. Finally, we conclude that even after adopting Blockchain for IoT, we still need a hardware-assisted Blockchain (e.g., PUF + Blockchain) to provide robust and sustainable security for both IoT devices and IoT data.
Per IBM, there are three key benefits of using Blockchain for IoT, namely 1) Build trust, 2) Reduce costs, and 3) Accelerate transactions. Technically speaking, Blockchain and IoT are a good match because IoT applications are by definition distributed and Blockchain is designed as a basis for applications that involve transactions and interactions, providing useful functions such as: 1) an alternative to a central authority and centralized databases, 2) allowing a group of connected computers to maintain a single distributed, updated and secure ledger through peer-to-peer (device-to-device) interaction, and 3) establishing trust through immutable, time-stamped records and providing useful device security (e.g., ensuring data provenance and data non-forgeability).
However, there is no free lunch in adopting any new technology for IoT, and Blockchain is no exception! While incorporating Blockchain into IoT solutions could introduce both a distributed ledger for managing ownership of digital assets and a generator of cryptographically proven transaction data to ensure IoT data provenance, quality, and security, there are many challenges in deploying Blockchain for IoT security. The challenges include the computational expense and limited efficiency of “Proof-of-Work” in Blockchains, the increased storage capacity required for the ever-growing Blockchain ledger, etc.
Although superficially the distributed Internet of Things (IoT) fits Distributed Ledger Technology (Blockchain) quite well, Blockchains are inefficient and require increased storage capacity when compared to traditional centralized databases. Consequently, Blockchain is not suitable for providing IoT security for all business applications of IoT. Therefore, “To use or not to use Blockchain for IoT security” is a germane question to ask and an important decision to make for every stakeholder who is involved in IoT security.
The importance of providing highly scalable data integrity and authentication for IoT security
IoT refers to uniquely identifiable objects and their virtual representations in an Internet-like structure. In IoT, tens, hundreds or thousands of innovative, connected devices have emerged to interconnect and interact with one another in every sector to improve the quality of our lives in every area. IoT devices typically have access to sensitive, personal information, and they also introduce a wide variety of new security issues for attackers to exploit, including the connection of new Internet-capable devices such as TVs, home security systems, and automation. Also, many IoT sensors and/or end-devices generate massive amounts of private or confidential data, so the confidentiality and privacy threats are real. IoT devices are distributed, unsupervised, and physically exposed. Therefore, attackers can physically tamper with IoT devices, which makes software-only protections inadequate and ineffective against such attacks. Furthermore, IoT threats and attacks rely on well-known security weaknesses such as unpatched software, weak or default passwords, insecure boot, insecure update and upgrade, etc. Generally speaking, the integrity and denial-of-service (DoS) threats are much worse and more devastating in IoT, and IoT systems are also very vulnerable to integrity and DoS attacks.
Securing distributed IoT networks requires verifying the authenticity of data and the identities of devices. IoT needs effective and efficient encryption to provide secure communication between IoT nodes. It also needs authentication and attestation based on cryptographic protocols that require unique, randomly generated, and closely guarded cryptographic keys for each IoT device. However, IoT devices are not designed with security in mind. For example, there is a lack of encryption and other security safeguards in home automation hubs, which could facilitate burglary, stalking, and spying. Furthermore, IoT relies on microcontrollers with limited memory and computational power at end-devices, which makes key generation and storage problematic in IoT systems.
To sum up, since software-based security is insufficient to protect IoT from fraud, tampering and other integrity and DoS attacks, it is important to provide a hardware-assisted Blockchain (e.g., PUF + Blockchain) for robust, sustainable and simultaneous device and data security in IoT.
Securing IoT with Blockchain and the corresponding challenges
A Blockchain, originally called block chain, is a growing list of records, called blocks, that are linked using cryptography. Blockchain basics can be found in [2,3,4].
The key components used in Blockchain are described as follows:
- Blocks: In Blockchain technology, data (e.g., a Bitcoin transaction or an Electronic Healthcare Record, EHR) is collected in blocks, and blocks are connected to each other, forming a chain. The size of a block and the type of data it contains depend on the type of domain.
- Nodes: A node is an independent computer containing all the information about the operations performed within the Blockchain network. In addition to executing the computations Blockchain requires, each node of the Blockchain network has a copy of the ledger file, which keeps track of Bitcoin transactions or domain operation information. The multiplicity of the nodes, as well as the fact that each node contains information about all transactions within the Blockchain network, removes the need for a trusted third party and also protects the Blockchain from fraud, system failure, or hacking attacks.
- Miners: Miners are a special category of nodes existing in crypto-currency Blockchains (e.g., Bitcoin). Typically, miners are nodes that not only store all information about all transactions within the Blockchain network, but also record and validate the transactions using a “proof-of-work” or “proof-of-stake” algorithm.
- Distributed Ledger Technology (DLT): The distributed ledger is made up of blocks of data that are chained together with cryptography, which makes it almost impossible to make changes once something is recorded. Distributed ledgers use nodes to record, share and synchronize transactions in their respective electronic ledgers. Blockchain organizes data into blocks, which are chained together in an append-only mode. Blockchain works together with DLT to provide a “Trust Mechanism” which enables the recording of interactions and the transfer of “value” peer-to-peer, without the need for a central intermediary or third party. “Value” refers to any record of ownership of an asset (e.g., Bitcoin, money, securities, land titles) or the ownership of specific information (e.g., identity, health information and other personal data).
A possible working scenario for IoT Blockchain could be proposed as follows, similar to the one given in :
- Any node can request a “Value” transaction. The transaction could be any record of ownership of an asset or the ownership of specific information.
- The requested transaction is broadcast to a P2P Blockchain network with the help of Blockchain nodes.
- The Blockchain nodes validate the transaction and the requester’s status with the help of a known, agreed-upon “proof-of-work”, “proof-of-stake” or other equivalent “mining/consensus” algorithm.
- Once the transaction is complete and validated, the new block is appended to the existing Blockchain (i.e., recorded in a distributed ledger database). Once recorded, the data in a block cannot be altered retroactively and is secured against tampering and revision.
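The hash linking and append-only behaviour described above can be seen in a minimal ledger of sensor readings. This is an added example, not code from the column or from any Blockchain project; the block fields, device names and readings are constructed for illustration, and consensus is reduced to comparing a replica against the head hash that peers hold.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # placeholder predecessor for the first block


def block_hash(block):
    """SHA-256 over the block's content, including the previous block's hash."""
    body = {k: block[k] for k in ("index", "prev_hash", "device_id", "reading")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_block(chain, device_id, reading):
    """Append-only write: each new block commits to the current head."""
    prev = chain[-1]["hash"] if chain else GENESIS_PREV
    block = {"index": len(chain), "prev_hash": prev,
             "device_id": device_id, "reading": reading}
    block["hash"] = block_hash(block)
    chain.append(block)
    return block


def first_invalid(chain):
    """Index of the first block that fails verification, or None if all pass."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if (block["index"] != i or block["prev_hash"] != prev
                or block_hash(block) != block["hash"]):
            return i
        prev = block["hash"]
    return None


def matches_peers(chain, peer_head_hash):
    """Accept a replica only if it verifies and ends in the head hash peers hold."""
    return first_invalid(chain) is None and chain[-1]["hash"] == peer_head_hash


def build_sample_chain():
    """Constructed sample data: four readings from three hypothetical meters."""
    chain = []
    for device_id, reading in [("meter-01", 21.5), ("meter-02", 19.0),
                               ("meter-01", 21.7), ("meter-03", 40.2)]:
        append_block(chain, device_id, reading)
    return chain


def demo():
    honest = build_sample_chain()
    head = honest[-1]["hash"]
    edited = copy.deepcopy(honest)

    edited[1]["reading"] = 99.9                 # retroactive change to block 1
    stage1 = first_invalid(edited)              # content no longer matches its hash

    edited[1]["hash"] = block_hash(edited[1])   # patch only the edited block
    stage2 = first_invalid(edited)              # next block's prev_hash link breaks

    for i in range(2, len(edited)):             # every subsequent record redone
        edited[i]["prev_hash"] = edited[i - 1]["hash"]
        edited[i]["hash"] = block_hash(edited[i])
    stage3 = first_invalid(edited)              # self-consistent again
    return (stage1, stage2, stage3,
            matches_peers(edited, head), matches_peers(honest, head))


if __name__ == "__main__":
    print(demo())
```

A replica that has been rewritten end to end still verifies on its own, so detection at that point rests on the other nodes' copies, which is why the ledger is replicated and updated only by consensus.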
The pros and cons of Blockchain have been discussed extensively in the open literature [5,6,7]. Below is a synopsis of the pros, cons and challenges of securing IoT with Blockchain:
- A Distributed Trustless System: Since each IoT Blockchain node replicates and stores a copy of a synchronized distributed ledger database, the system and the data are highly resistant to technical failures and malicious cyberattacks. Thus, there is no single point of failure in Blockchain. Furthermore, there is no need for an intermediary to arbitrate transaction processing in Blockchain, since the Blockchain nodes verify the transactions through a “mining” process using either a “proof-of-work” or “proof-of-stake” algorithm. For the above reasons, Blockchain is often referred to as a distributed “trustless system”.
- Greater Immutability & Transparency: Transaction histories in IoT Blockchain are becoming more transparent through the use of Blockchain / DLT technology, because the shared distributed ledger can only be updated through consensus, and changing a single transaction record would require the alteration of all subsequent records and the collusion of the entire Blockchain network.
- Enhanced Accounting & Traceability: Recording transactions in Blockchain virtually eliminates human error and protects data from tampering. Each time a piece of data is passed from one Blockchain node to the next, it is verified. This data verification and validation process not only guarantees data accuracy but also provides a highly irreversible and traceable audit trail. The ingenuity of the Blockchain design also makes it easy to locate any problem and subsequently correct it.
- Faster Transaction with Lower Transactional Costs: Bitcoin-like crypto-currency Blockchain allows for a fast, secure and cheap transfer of funds/assets/values across the globe through peer-to-peer transactions. Also, eliminating the exchange of “values” through third-party intermediaries allows Blockchain to greatly reduce transactional costs.
- High Level of Durability, Integrity and Security: By design, Blockchain has built-in robustness in its overall structure. The fact that Blockchain is a “Distributed Trustless System” makes it inherently durable. The fact that Blockchain has “Greater Immutability and Traceability” assures that it is very hard for anyone to alter the blocks already stored in the shared distributed ledger or to hack the Blockchain to overpower the system. Blockchain also offers a very high level of integrity, because the robust DLT technology and the consensus processes assure not only that a device with a unique Hash ID can transact or store the transactions, but also that the data is accurate and reliable every single time. Furthermore, no one can alter the blocks once they are recorded on the distributed ledger, and block encryption in the Blockchain also makes any hacking attempt tougher. Therefore, Blockchain technology is highly secure due to the above security features.
- Large Energy Consumption and High Operation/Maintenance Costs: The overall energy consumption and the maintenance costs for an IoT Blockchain are expected to be very high. One reason is that keeping a real-time ledger requires large power consumption, because every time a new node is created in a Blockchain, it needs to communicate with each and every other node at the same time. Another reason is that, to ensure that every transaction is valid, it needs to go through a complex consensus process (e.g., a “proof-of-work” algorithm), which requires a lot of computational power from the “Miner” nodes and requires all the nodes to communicate back and forth to ensure that a transaction is valid. All of this adds up to a very large overall power consumption. Furthermore, the “redundant performance” nature of the Blockchain, namely that 1) every node should have a copy of the ledger system and 2) every time the ledger is updated, all the nodes need to update their version of the ledger, also drives up the overall maintenance costs. Thus, it takes a fairly long time to register transactions in a Blockchain. Finally, every IoT Blockchain network client node must store the entire transaction history, so the more transactions are processed on the network, the faster the ledger grows (e.g., the Bitcoin ledger has currently grown to more than 200GB!).
- Complex Signature Verification and Private Keys Requirement: Every transaction created on the Blockchain network needs to be signed using a public-private key cryptography scheme (e.g., the Elliptic Curve Digital Signature Algorithm (ECDSA)). Every node then uses the same ECDSA to verify the authenticity of the transaction sender and subsequently ensure that the transaction happens between the correct nodes. The generation and verification of these signatures are computationally complex. To transact on the IoT Blockchain network, the sender node needs to own a private key. Furthermore, all the Blockchain addresses also have a private key. Thus, private keys must be properly secured so that they won’t be lost or disclosed to unauthorized users, because private keys are required to operate the Blockchain network.
- Inefficiency and Redundant Performance: Blockchains usually use “proof-of-work” or “proof-of-stake” consensus algorithms to certify transactions. The consensus processes in Blockchain are very inefficient. Also, in Blockchain, every node in the network participates in the processing of the transactions independently, and every node should have a copy of the Blockchain ledger. These introduce a lot of “redundant performance” and “transaction delay” in Blockchain! For example, a new validated block is typically added to Bitcoin roughly every 10 minutes after a transaction request has been submitted. There are also large communication, processing and storage overheads in the IoT Blockchain due to the intrinsic, built-in distribution, redundancy and immutability of Blockchain/DLT technology in validating transactions as well as in setting up, maintaining and updating the distributed ledger.
- 51% Attack Vulnerability: It is well known that Bitcoin and other similar crypto-currency Blockchains have a notable security flaw / vulnerability, namely the “51% attack”. This attack happens if one entity manages to control more than 50% of the miners’ Blockchain hashing power, which would allow an attacker to disrupt the Blockchain by intentionally excluding or modifying the ordering of transactions. Although a “51% attack” is theoretically possible, it is impractical because it would require an attacker to invest large amounts of money and resources to attack Bitcoin or another similar Blockchain. In addition, a successful 51% attack would only be able to modify the most recent transactions for a short period of time, because all validated blocks are already linked through cryptographic proofs and changing any older block would require impractical levels of computing power. Furthermore, Bitcoin or another similar Blockchain is very resilient and could quickly adapt in response to any attack, including a “51% attack”.
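An added example (not from the column or from any Blockchain implementation) of the proof-of-work cost behind the energy and inefficiency items above: finding a valid nonce takes about 2^bits hash attempts, while checking one takes a single hash. The header bytes, the difficulty levels and the device hash rate in the final comment are constructed assumptions.

```python
import hashlib

# Constructed block header; a real header would carry the previous hash,
# a timestamp and a digest of the block's transactions.
SAMPLE_HEADER = b"prev=placeholder;device=meter-01;reading=21.5"


def pow_ok(header: bytes, nonce: int, bits: int) -> bool:
    """True if SHA-256(header || nonce) starts with `bits` zero bits (one hash)."""
    digest = hashlib.sha256(header + nonce.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - bits) == 0


def mine(header: bytes, bits: int) -> int:
    """Brute-force search from nonce 0; returns the first nonce that passes."""
    nonce = 0
    while not pow_ok(header, nonce, bits):
        nonce += 1
    return nonce


def expected_seconds(bits: int, hashes_per_second: float) -> float:
    """Average time to mine one block: 2**bits attempts at the given hash rate."""
    return (2 ** bits) / hashes_per_second


def cost_table(header: bytes, bit_levels):
    """Measured mining effort next to the single hash a verifier needs."""
    rows = []
    for bits in bit_levels:
        nonce = mine(header, bits)
        rows.append({
            "bits": bits,
            "hashes_to_mine": nonce + 1,      # attempts actually made
            "expected_hashes": 2 ** bits,     # average over many headers
            "hashes_to_verify": 1,
        })
    return rows


if __name__ == "__main__":
    for row in cost_table(SAMPLE_HEADER, [4, 8, 12, 16]):
        print(row)
    # Assumed rate of 50,000 hashes/s for a small microcontroller
    # (a constructed figure, not a measurement).
    print(expected_seconds(32, 50_000), "seconds on average at 32 bits")
```

Each extra difficulty bit doubles the expected mining work while verification stays at one hash, which is why a design that keeps proof-of-work off the end-devices changes the resource picture so much.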
Challenges: Superficially, Blockchain and IoT are a good match purely on the basis of their distributed nature; however, there are still many challenges in deploying Blockchain for IoT security. The challenges can be summarized as follows [9,10,11,12]:
- Technology (e.g., High Resource Demand Blockchain vs. Resource-Constrained IoT): Typically, Blockchain requires large energy consumption, high processing power and ever-growing storage capacity to operate and maintain, which could be an “over-demand” for IoT, since IoT normally relies on microcontrollers with limited memory and computational power at end-devices.
- Operational Challenges (e.g., An Inefficient and Redundant Performance Blockchain may be overkill for many IoT systems): Although securing distributed IoT networks requires verifying the authenticity of data and the identities of devices, this can be done by using effective and efficient encryption to provide secure communication between IoT nodes, and by using cryptographic protocols that require unique, randomly generated, and closely guarded cryptographic keys for each IoT device to perform authentication and attestation. In contrast, in addition to using cryptography to ensure secure, authenticated and verifiable transactions, Blockchain uses “proof-of-work” or “proof-of-stake” consensus algorithms to make all parties agree on network-verified transactions, and the DLT to make sure every node keeps an append-only system of record shared across the business network. While this inefficient and redundant performance nature of Blockchain makes sense for Bitcoin or crypto-currency applications, it appears to be an overkill solution for IoT.
- Legal and Compliance Issues: Technically speaking, Blockchain is still an experimental technology which is widely used only for crypto-currencies and is not well proven for IoT applications, due to concerns about legal and regulatory compliance issues as well as integration cost challenges. There are many legal issues associated with Blockchain technology, including Jurisdiction, Decentralized Autonomous Organizations (DAOs), Contract enforceability, Leaving a blockchain, etc., as described in . Furthermore, Bitcoin-type blockchains are facing regulatory pressures; for example, some governments have made cryptocurrencies illegal in their territories, and Facebook’s Libra has had a tough time getting approval from either US or EU governments. Finally, since Blockchain is too new to the IoT community and the legal and regulatory compliance requirements for IoT are still evolving, IoT producers and service providers may not realize all the associated compliance issues when injecting Blockchain into IoT, and also do not know how to validate the security and privacy of Blockchain in IoT, since that is not a simple job to accomplish.
The suitability of deploying Blockchain for IoT security and privacy
As discussed in the previous section, there are many challenges that need to be overcome before Blockchain can be successfully deployed for IoT security. In general, most IoT networks consist of lightweight, low-power devices, and the potential to generate the levels of energy and processing power required for deploying Blockchain is often limited or expensive. This presents a major drawback to the use of Blockchain in IoT. However, recent progress in the space of IoT-optimized Blockchain solutions demonstrates the clear potential for Blockchain to help secure the IoT. In , a lightweight instantiation of a Blockchain particularly geared for use in IoT for Smart Home is proposed, eliminating the Proof-of-Work (POW) and the concept of coins. The authors proposed an online, high-resource device, known as a “miner”, that is responsible for handling all communication within and external to the home. At the end, they presented simulation results to highlight that the overheads (in terms of traffic, processing time and energy consumption) introduced by their approach are insignificant relative to its security and privacy gains.
Both [13,14] presented encouraging news on the progress of deploying Blockchain for IoT security; however, there is still a lot of work to be done to research an effective, efficient, resilient and trusted approach to deploying Blockchain for mission-critical IoT networks such as Internet of Vehicles (IoV), Smart Grid, or Smart City applications.
It is generally agreed that Blockchain is not a panacea for all the security issues in the IoT, and there are several technical stumbling blocks and security challenges which need to be overcome by each IoT network before Blockchain can become a viable security solution.
The transaction validation process by traditional POW involves significant amounts of energy and computational power to process the authentication, access to a network of independent nodes, and delays as each block in the chain is authenticated by those decentralized nodes. Furthermore, each IoT Blockchain node replicates and stores a copy of a synchronized distributed ledger database, which grows in size over time as more and more transactions are processed. All of these stumbling blocks underline the need for IoT-optimized Blockchain solutions to facilitate the use of Blockchain for IoT security. Finally, an IoT-optimized Blockchain also needs to use authentication and attestation based on cryptographic protocols that require unique, randomly generated, and closely guarded cryptographic keys (i.e., HRoT or PUF) for each IoT device.
Consequently, we conclude that it is both necessary and sufficient to have a hardware-assisted Blockchain (e.g., PUF + Blockchain) to provide robust and sustainable security for both IoT devices and IoT data.
References
- Hsu, Charles, “A Must for AI/IOT Era PUF based Hardware Security”, keynote speech at The 30th VLSI Design/CAD Symposium, August 8, 2019.
- M. Padma, et al., “Blockchain for IoT Application: Challenges and Issues”, International Journal of Recent Technology and Engineering (IJRTE), ISSN: 2277-3878, Volume-7, Issue-5C, February 2019.
- Wei, Ligun, et al., “The Convergence of IoE and Blockchain: Security Challenges”, IT Professional 21(5):26-32, September 2019, DOI: 10.1109/MITP.2019.2923602.
- John Salmon and Gordon Myers, “Blockchain and Associated Legal Issues for Emerging Markets”, EMCompass, Note 63, January 2019, https://www.ifc.org
- Ali Dorri, et al., “Blockchain for IoT Security and Privacy: The Case Study of a Smart Home”, IEEE PERCOM WORKSHOP ON SECURITY PRIVACY AND TRUST IN THE INTERNET OF THING, March 2017.