Written by: Bitsapphire

April 12, 2017

Blockchain and Security

Blockchain security embodies the holy trinity of Confidentiality, Integrity, and Availability (CIA): the technology offers unprecedented data integrity, rapid transfer speeds, anonymity, and all of this with 24/7 uptime. It provides these attributes through reliable protocols such as blind signatures, SHA-256 encryption, Merkle trees, etc.

Although it is a nascent technology, the coming years will undoubtedly reveal the potential of its implementation in high-stakes industries, further stretching the borders of its power.

Internet of Things

The Internet of Things (IoT) is a term first coined by Peter T. Lewis in 1985, during a speech given at the US Federal Communications Commission (FCC). It is not a new term, although its rise in popularity came during the late 90’s and the early 2000’s, when the mass production of much IoT equipment began. We digress to give you a brief historical overview.

IoT, although a hundred-billion dollar industry, has been at the center of many controversies lately. To show you how dangerous unsecured technological equipment is, we will mention the crippling Dyn Distributed-Denial-of-Service (DDoS) attack.

The Dyn Attack

Picture this scenario: You log in to your computer, open your browser and try to access Twitter, BBC, Comcast, The New York Times, Reddit, Tumblr, Github, Amazon, Airbnb, etc. (the list goes to a total of 70 websites) and you suddenly can’t access any of them. This is exactly what happened on October 21, 2016, when a major DDoS attack crippled the weakest link in the chain – Dyn, a DNS provider.

Because a direct DDoS against the aforementioned websites/services is virtually impossible given the protection they have (e.g. firewalls), the attack was aimed at Dyn. The culprit was a large botnet named Mirai. This botnet managed to infect and acquire, according to Dyn, tens of millions of unique IPs. What was the main infected equipment inside the botnet? Unsecured printers, IP cameras, baby monitors, etc. Basically, a lot of IoT equipment. The throughput was astonishing, reaching a maximum of 1.2 terabits per second, which crippled Dyn, and according to experts, this was the largest DDoS attack ever.

Default passwords in “tens of millions” of pieces of equipment? That was the root cause of the biggest DDoS attack: default passwords. Mirai wasn’t such a high-end tool either; it only scanned the internet and brute-forced any login page it could find. There was no vulnerability, no backdoor, no reverse engineering, just a basic brute-force attack, and anyone who had access to Mirai (which, by the way, is very easy to get) could cripple a website. This is one of the many attacks that have occurred with Mirai, although the Dyn attack is the largest (to date). Many factors could have rendered an attack like this impossible; the simplest one was providing unique usernames and passwords from the factory. The other, long-term solution is a blockchain.

Blockchain Enhanced IoT

Although the previous explanation is quite lengthy, considering this is a blockchain article, we wanted to emphasize the extent of the damage caused by such a simple tool, courtesy of the carelessness of manufacturers and users.

A blockchain implementation addresses the main issues of the IoT industry. The first is equipment becoming outdated and support being dropped for (some of) it very quickly, which makes IoT equipment a possible vulnerability hazard. The second is unapproved access, which is at the core of these DDoS attacks. The technology, with the help of another protocol, could solve these two issues.

Blockchains and the InterPlanetary File System (IPFS), a powerful peer-to-peer protocol which we explained in our Blockchain Protocols blog post, provide the necessary safe environment for IoT. These two protocols provide a private blockchain where a distributor could share an update file a single time and, from that moment on, the equipment in the network will save it, version it, and distribute it much faster, because devices can communicate with each other over shorter distances rather than having to access a central server, consequently saving bandwidth and time.

They are also an excellent failsafe against a server that may not be available and therefore fails to provide update files, because IPFS networks are P2P and do not have to rely on a single backbone, such as a server. Using an immutable ledger alone is a fix for some of the main security issues. Equipment could be placed inside private chains, rendering it immune from malicious use because of the security provided by the technology’s protocols.

The problem with blockchain-IoT implementations is stateless protocols. Such an implementation requires equipment to have a uniform way of identification, management, and communication within the ledger, and this no longer looks so far-fetched. Recently, several Fortune 500 companies have teamed up with start-ups to create an IoT protocol for blockchains. This could be a large milestone for the technology, opening a promising future for many companies to integrate a better quality of service in their IoT equipment, specifically speed, security, and service diversity.
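The device-side check that makes peer-to-peer update distribution safe can be sketched as follows. This is an added example, not Bitsapphire's code or the IPFS API: the ledger entry format, the function names, and the idea that the device already holds a trusted head hash (for instance through chain consensus) are all assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # "prev" value of the first ledger entry

def entry_hash(entry):
    # Canonical JSON so every node computes the same hash for the same entry.
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

def publish(ledger, version, firmware):
    """Distributor: append a release entry that commits to the previous one."""
    prev = entry_hash(ledger[-1]) if ledger else GENESIS
    ledger.append({"prev": prev, "version": version,
                   "sha256": hashlib.sha256(firmware).hexdigest()})

def verify_update(ledger, trusted_head, installed_version, blob):
    """Device: decide whether a blob served by an untrusted peer may be installed."""
    prev = GENESIS
    for entry in ledger:
        if entry["prev"] != prev:
            return False, "ledger chain broken"
        prev = entry_hash(entry)
    if not ledger or prev != trusted_head:
        return False, "ledger head mismatch"
    latest = ledger[-1]
    if latest["version"] <= installed_version:
        return False, "no newer release"
    if hashlib.sha256(blob).hexdigest() != latest["sha256"]:
        return False, "blob does not match ledger hash"
    return True, "ok"

def demo():
    """Constructed sample: two releases, then five peer behaviours."""
    v1, v2 = b"constructed firmware v1", b"constructed firmware v2"
    ledger = []
    publish(ledger, 1, v1)
    publish(ledger, 2, v2)
    head = entry_hash(ledger[-1])  # assumed agreed through chain consensus
    forged = [dict(e) for e in ledger]
    forged[0]["sha256"] = hashlib.sha256(b"modified image").hexdigest()
    return {
        "genuine": verify_update(ledger, head, 1, v2),
        "tampered_blob": verify_update(ledger, head, 1, v2 + b"\x00"),
        "rewritten_history": verify_update(forged, head, 1, v2),
        "truncated_ledger": verify_update(ledger[:1], head, 0, v1),
        "already_current": verify_update(ledger, head, 2, v2),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The hash chain only proves that the history a peer presents is the one the device already trusts; who is allowed to append a release still has to be enforced by the chain's own permissioning or by a publisher signature.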

Identity Management

Governments are the issuers and managers of identity documents, while blockchain aims to give power to the people. Although cluttered with a lot of confusion and unnecessary hype, the prospect of this technology being implemented in identity management is very exciting.

Identity Management in Blockchain Solutions

At the moment of birth, a person is given a name, a date of birth, and (usually) has two parents. This data can be stored inside an immutable ledger, providing easy access to the parents, and later, to the child. Why is that appealing? For starters, the easy access provided by the technology allows for processes such as kindergarten registration, school registration, health care, and social services to be completed quicker. This gives more power to the person, as the person can choose what to share.

A child who is still under the care of his/her parents will have shared access to his/her (identity) chain, alongside the parents. At the age of 18, this shared access will be severed, giving total control to the now-adult person. This allows the individual to apply for a myriad of things, such as opening bank accounts, applying for a driver’s license, signing a contract, opening a social media account, and all of this from the data established and confirmed inside an immutable ledger.

Autonomy can also be incremental, where authority is given to the child depending on his/her age, e.g. applying for a driver’s license (in countries where they can do that at 16), or being able to go to PG-13 rated movies, and things like that.

Although not every person around the world needs a bank account, a social media account, or a driver’s license, by default, every person needs to be identified and documented. The technology could provide the tools necessary to make this process happen much easier. One could argue that biometric data such as fingerprints, or iris scans are very reliable methods of authentication, but the issue is that they do not work as well as they should for newborn babies, seeing as those parameters are subject to change until a certain age, and you would want the identification and registration of a person to happen at the moment of birth.

The issue is how to build a trust bridge between third parties and governments. What prevents the third party from manipulating the data? An intrusion into a social media account may be unpleasant at best, but this pales in comparison to your identity being tampered with or changed.

The companies that are leading the blockchain and identity management industry must first provide a consistent and powerful framework as a guarantee for privacy, safety, and trust. Making the data inside immutable against malicious intent, and the transfer process secure and reliable, is the biggest step.

The hype around identity management in conjunction with blockchain does not help at all. While the technology is very powerful, it is not the “philosopher’s stone” of 21st-century digital issues. It will definitely help resolve some long-standing issues of identity management, but we can’t reap the benefits without the strenuous process of creating protocols. The technology is there, it is powerful and easily accessible, but we cannot get ahead of ourselves and rush into quick fixes when dealing with private and delicate data, e.g. identity management, health data, etc.

Educate and Regulate

The concluding issue remains consistent across all fields: the technology needs to be regulated within a given framework for every industry it aims to dominate. Frameworks provide trust between governments and third parties; the much-needed trust that will give immutable ledgers their place in the market for large industries. The recurring theme is that whole countries, large industries, and even small businesses have little trust in storing their data in a technology they know little about. Work must be done in educating and regulating, and only then can we see acceptance of blockchain.