Blockchain could help fix IoT security after DDoS attack

Chinese electronics manufacturer Hangzhou Xiongmai is in deep trouble. Its products are being blamed for having enabled last Friday’s historical DDoS attack, which shut down access to important websites across swathes of the U.S. and Europe and has caused a stir about IoT insecurity.

Aside from the blow to its reputation, the firm has to deal with recalling thousands of devices that researchers say might have been instrumental to the attack. The problem is that product recalls are extremely difficult and expensive, as every single device has to be tracked down and the owners contacted if they don’t bring in the items in their possession.

Moreover, in the case of Xiongmai, the company has already manufactured thousands of white-label electronic components with vulnerabilities, which have been embedded in a wide variety of IoT products, as security researcher Brian Krebs reports. Tracking down those devices will be even more challenging.

The feat will effectively take months to complete, during which the devices will continue to be used for DDoS attacks. And residual damage will remain because it will be virtually impossible to collect every single device and component, and some will continue to be connected to the Internet with old vulnerabilities.

Though Xiongmai’s story has made the headlines this week, it’s not the first instance of companies grappling with product recall nightmares.

The company’s predicament puts a spotlight on the problems with today’s complex supply and production chain, especially in the tech and electronics sector, where products are made of an assembly of components coming from across the world and change hands dozens and potentially hundreds of times before reaching their final destination.

At one end of the supply chain, manufacturers find it extremely difficult to know where their products have gone and who owns them; at the other end, consumers and customers have a hard time tracking the provenance of the components that make up the devices they own.

The situation is exacerbated when it comes to connected devices, where vulnerabilities and flaws found in a single device type can have global repercussions.

While a lot of IoT security problems need to be fixed through correct design and development practices, the recall problem is one that can be resolved with blockchain technology, the distributed ledger that powers cryptocurrencies such as Bitcoin and Ethereum. The blockchain’s characteristics, which enable parties to stores transactions in a secure, transparent, and publicly accessible way, make it especially suitable for complex workflows such as what we’re seeing in the tech production and supply chain.

A practical application of the concept would be to have a blockchain that registers time, location, price, parties involved, and other relevant information each time an item changes ownership. The technology could be used to track raw materials as they move through the supply chain, are transformed into circuit boards and electronic components, are integrated into products, and are finally sold to customers.

Such a blockchain model would have several advantages. First of all, as a decentralized and immutable structure, the blockchain would prevent any single party from acquiring ownership of the ledger and manipulating it to their own benefit.

Also, the public availability of the information in the blockchain would provide unprecedented transparency into device ownership. Manufacturers would be able to find and reach out to device owners, making recalls much easier when the need arises.

For their part, consumers would be able to obtain full details on the provenance of the parts that have been used in the devices they own, which would make it easier for them to find out whether their devices contain any potentially vulnerable components. And apps could automate the process of checking parts against the blockchain, allowing users to automatically scan everything they own against a list of newly found vulnerabilities.

Finally, the blockchain ledger could be extended to register updates, patches, and part replacements applied to any product or device throughout its lifetime. This would make it much easier to track progress in removing vulnerabilities and security holes and to send out warnings and notifications to product owners.

Several companies are already leading initiatives to integrate blockchain technology into the production circle and supply chain. Notable efforts come from established tech firms as well as startups.

IBM, which has already made considerable investments in blockchain, is leveraging its huge cloud infrastructure to provide blockchain services for tracking high-value items as they move across complex supply chains. We are also seeing solutions from startups such as Provenance, which is using blockchain to promote trust in the supply chain by providing transparency and visibility into the product journey, from source to customer.

While the blockchain might not be a silver bullet solution to the complicated IoT security problem, it could be a key part of the fix. It will be interesting to see if the Xiongmai episode encourages companies to start looking into this technology to improve the integrity of their supply chains.

Ben Dickson is a software engineer and the founder of TechTalks, a blog that explores the ways technology is solving and creating problems. He writes about technology, business and politics. Follow him on Twitter: @BenDee983.