The Internet of things is great until it blows up your house
How to stop hackers letting the gas flow in your connected oven? Bitcoin has the answer
If something uses electricity, it will be connected
We live in a world where billions of devices consume electricity, so when I read last week that Strategy Analytics predicted 33 billion connected devices by 2020 - now just five years away - it confirmed something I’d suspected for a long time now: we’re in deep trouble.
Let me pose another hypothetical appliance: the connected oven. (You can probably guess where this is going, but indulge me.) The connected oven pairs with a smartphone to read the QR codes in recipes to get the settings just right for a perfect bake, every time.
That sounds delightful.
But when you go away on a fortnight’s holidays, and someone hacks into your oven, turns the gas on, waits 36 hours, then lights the pilot, well, then you’ve got a problem. A much worse problem if you happen to be at home at the time. Your oven could gas you in your sleep.
2014 saw both the peak of the internet of things hype cycle, and the start of the ‘What have we done?’ era of network computing. 33 billion connected devices means 33 billion attack surfaces, each with their own exploits, zero day attacks, weaknesses and vulnerabilities.
There’s no way to stay on top of all of that. If we continue to design connected devices the way we have for the last forty years - haphazardly, patching our mistakes as we go along - we will turn the entire planet into a honeypot. The numbers are too big, and the dangers too present for us to trust that ‘she’ll be right’. She’ll be hacked.
We need a solution that provides security for connected devices, and moreover, we need a universal solution, so a device designer can simply add this into their product as a bog-standard feature, without having to worry too much about either its implementation or its vulnerabilities.
We need something difficult to attack, something that can’t be spoofed or subverted. We need a solution that is open, inspectable, verifiable, something that favours transparency over obscurity. And it needs to be freely available, to prevent another pointless round in these endless patent wars.
In short, we need the blockchain.
The first real advance in security in decades, the Bitcoin blockchain uses a network of peers to create a platform for distributed authentication. This network of peers must come to consensus before any Bitcoin transaction is validated, offering ‘defense in depth’ against any network attack, as at least 51% of the network would need to be compromised before an attack could succeed.
In a world of 33 billion connected devices, something very unlikely to happen.
The Bitcoin blockchain provides enough security to support a distributed financial system, sufficient protection for all our connected devices. And as an open source technology, it’s freely available for anyone to implement and adapt to their needs.
IBM has seen this as well, and recently launched the ‘Adept’ initiative, blending the blockchain with the Internet of Things, provisioning for security and access control within the blockchain.
It’s early days yet. We have a proposed solution, but we haven’t deployed it. But one thing immediately becomes clear: this solution - or any similar offering - defines a floor, a minimum set of capabilities that will be required of all connected devices. Table stakes for the connected era.
At present, chipsets providing device-level connectivity offer minimal security services at best. The blockchain is compute hungry: it relies on hashing and public-key cryptography, and implements a protocol for peer-to-peer communication. That’s not the sort of thing you can deliver on a ten cent microcontroller.
Although we consistently focus our attention on the high end - how many transistors Intel can squeeze out of their latest process node - that’s not the main game for these 33 billion connected devices. Every device has an absolute need for computationally-expensive security, with a few modest and computationally cheap device integration features thrown on top.
So the race is on to design this chip: cheap, safe, simple and effective. A chip that will be designed into every connected product, selling in the hundreds of billions. A chip that defines the bottom rung of connected electronics: the foundation for a new world of devices that, as each one comes to life, and joins the network of peers, increases the security of all of the others.
Powered by this soon-to-be chip, that future is (borrowing from Nassim Taleb) ‘antifragile’, growing more stable and more secure over time. That’s the world we want to be living in. That’s the world we need to be building. ®
This article was first used as a talk delivered at The Register's Christmas lecture in Australia.