Preventing the “Looming Digital Meltdown” with New Approaches to IoT Security

Well, 2018 is certainly off to a fast start, at least within the world of IoT security. Last week I wrote about my one-word advice: “I have one word for you: Blockchain.” This week, when considering the challenges of securing the IoT, I might say: “I have two words of advice: Meltdown and Spectre.”

Words like “devastating” have been used to describe the Meltdown and Spectre vulnerabilities because they represent bugs in chip hardware, rather than code, and the bugs have inadvertently been built into chips since sometime in the 1990s. That’s a lot of attack surface out there.

For a fascinating look at the simultaneous discovery of the Meltdown and Spectre vulnerabilities, see Andy Greenberg’s recent article in Wired: “Triple Meltdown: How So Many Researchers Found a 20-Year-Old Chip Flaw at the Same Time.”

And for a wake-up call, you can see a recent New York Times piece by Zeynep Tufekci, inspired by revelations of Meltdown and Spectre. The alarm-ringing title is: “The Looming Digital Meltdown.” Tufekci writes: “However, as a citizen of a world in which digital technology is increasingly integrated into all objects – not just phones but also cars, baby monitors and so on – it is past time to panic.”

Tufekci also notes: “We have built the digital world too rapidly. It was constructed layer upon layer, and many of the early layers were never meant to guard so many valuable things: our personal correspondence, our finances, the very infrastructure of our lives.”

She proposes holding the computer industry to the same high standards of safety as the airline industry, even proposing that we “hold companies accountable that did not use established safety procedures…”

A Fresh Approach: Trust, Reputation, Provenance, and Blockchain

As IoT becomes an ever larger (though not always visible) part of our daily lives, the need for securing this global infrastructure grows profoundly. We must secure the IoT. And it is time to take a fresh look at how we protect the IoT, as well as the rest of the global cyber infrastructure. We need to go beyond standard mechanisms to deepen security through the use of trust, reputation, and provenance. Fortunately, blockchain technology is a powerful tool in achieving this fresh approach.

I’ve recently been reading some of the research of Thomas Hardjono, Technical Director of the MIT Internet Trust Center, who advocates using crypto key pairs and blockchain technology to enable an IoT device to be activated and to prove its manufacturing provenance in an “anonymous fashion without reliance on a trusted third party, and for the device to be anonymously registered through the use of a blockchain system.”

In true blockchain fashion, this proof of provenance would be decentralized through incentivized device owners and service providers. This approach pushes us closer to ensuring device identity, which is central to securing the IoT.

Hardjono, writing with Ned Smith, Principal IoT Security Architect at Intel, in their paper “Cloud-Based Commissioning of Constrained Devices using Permissioned Blockchains,” writes of building on the Enhanced Privacy ID (EPID) scheme of zero-knowledge proofs and using the blockchain to anonymously register device commissioning and decommissioning.

“EPID provides the ability for devices to prove its provenance without relying on the manufacturer or on an external trusted third party,” Hardjono and Smith wrote. “Furthermore, EPID provides a number of revocation capabilities should a device (or its keys) become suspect of being compromised.”

Clippinger on Trusted Identities

I’m also a longtime fan of John Henry Clippinger, Research Scientist, MIT Media Lab Human Dynamics Group, and co-founder of ID3 (Institute for Institutional Innovation & Data Driven Design), who is a pioneer in applying the concepts of reputation rating systems to the Internet.

In his white paper “A New Kind of Social Ordering: Self-Sovereignty, Autonomous Trust and P2P Parity,” Clippinger writes about the emergence of cooperation and trusted identities. These elements could also provide a fresh approach to IoT security.

“Moreover, cooperation and trusted identities themselves start to emerge as critical and sought after resources that enable sociality, commerce, and new levels of social ordering,” Clippinger writes. “This is likely to characterize the next evolutionary phase of the Internet and would argue for more cooperative forms of currency designs and incentives mechanism.”

The challenges of protecting the IoT require fresh thinking.

This is why we are creating Atonomi.

Thanks for reading,

Vaughan