Distributed ledger technologies (DLTs) are driving a significant evolution in the way security for IT and telecommunications is developed. Over the last few years, we have seen IT and telecommunications services move from dedicated centralized infrastructure to deployment across distributed, virtualized cloud providers. In doing so, the traditional controls for managing identity, security and data privacy face many challenges.
The growing threat of IoT-based cyberattacks
The plethora of innovative low-cost internet of things (IoT) devices that typically ship with default security passwords are connecting with a broad range of IT services. As IoT adoption grows, hackers see new opportunities to spread malicious software to millions of IoT devices, which can then be leveraged in a coordinated distributed denial-of-service (DDoS) attack.
We have seen many examples in the news where centralized systems are compromised through these attacks. A DDoS attack floods systems, servers or networks with traffic to exhaust resources and bandwidth. As a result, the system is unable to fulfill legitimate requests. Attackers can also use multiple compromised devices to launch this attack.
Today, most IT security systems are based on central servers, used to identify and authenticate individual connecting IoT devices. Any centralization makes servers inherently vulnerable to potential DDoS and brute force attacks. If this centralized resource is compromised, everything attached and the service it provides will be equally affected.
In 2016, in possibly the most severe example of this, there was an attack on the internet DNS service provider Dyn. In this attack, millions of internet-connected digital cameras and DVR players were infected with special malware and organized into a “botnet.” The cameras were coordinated into bombarding a server with traffic until it collapsed under the strain. The result brought down the internet across North America, affecting top internet-based brands, including Airbnb, Twitter, PayPal and Netflix.
Distributed ledger security foundations
Distributed ledger technologies or blockchain, as they are commonly referred to, are currently being used to power and secure a cryptocurrency market worth over US $368 billion as of September 2020.
DLT/blockchain is a truly distributed system, which has built-in protections against many potential cybersecurity and fraud attacks. The largest blockchain network today, Bitcoin, has more than 100,000 nodes. In 10 years of operation, its protocol has warded off several attempts to attack this network. This distributed infrastructure of nodes makes a successful cyberattack extremely difficult: blockchain nodes across many different institutions must be attacked at once to overwhelm the full system.
A distributed ledger foundation for secure access and transactions is based on cryptography functions from public-key cryptography. The system uses asymmetric cryptography, also known as public-key cryptography, using public and private keys to encrypt and decrypt data. The keys are simply large numbers that have been paired together but are not identical, referred to as “asymmetric keys.”
One key, kept secret, is called the private key. The private key is used to encrypt messages and ensure the identity of the owner recording information or transacting on the blockchain can be trusted. The other key is called the public key. The public key is used to verify that the message sent is from the holder of a specific private key. Public keys are distributed on the ledger, enabling anyone to use them to verify the identity and authenticity of a message or transaction. This method eliminates the need for personal data, such as a username and password, to be used as a means of authenticated access.
How distributed ledger technology can enhance IoT security
Billions of IoT devices are being produced and shipped to consumers globally. Typically, manufacturers configure into the firmware default usernames/passwords enabling the devices to be shipped anywhere and be easily installed.
Instead, the manufacturers of these IoT devices can embed a unique private key for each IoT device into the firmware, storing each device identity with its corresponding public key on a distributed ledger. The use of these unique keys gives each IoT device its own trusted identity that can be authenticated by any application using the public key from the distributed ledger.
Most distributed ledger/blockchain private keys use SHA256 hashing to secure transactions. In broad terms, a supercomputer performing 15 trillion calculations per second would take more than a billion years to crack the hash of a single blockchain identity. Not only would it take a long time, but the cost of infiltrating a single device would make it impractical to recruit enough devices to coordinate a DDoS attack using IoT devices.
Instead of having all the IoT device identities and public keys in a central resource, these can be stored on a distributed ledger and be used to authenticate and verify IoT devices. Through use of a distributed ledger, each service or application provider can host its own node to ensure they have a local copy of the blockchain. More importantly, service providers can mitigate DDoS attacks attempting to disrupt service availability.
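The following is an added example, not code from the original article or from ATIS, showing the per-device identity model described above together with the public/private key mechanics from the earlier section: the manufacturer provisions a unique Ed25519 key pair per device, publishes only the public key on a ledger record, and a service provider authenticates the device by challenge-response against that record. The `Ledger`, `Device` and `Verifier` types, the `camera-0001` identity and the append-only map standing in for a DLT node are all constructed for this illustration; SHA-256 is used here only to bind the nonce to the claimed identity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Ledger stands in for the distributed ledger: an append-only record mapping a
// device identity to its public key. Constructed for this example; a real DLT
// node would answer the same lookup from its local copy of the chain.
type Ledger struct {
	records map[string]ed25519.PublicKey
}

func NewLedger() *Ledger {
	return &Ledger{records: make(map[string]ed25519.PublicKey)}
}

// Register appends a device identity. An identity already recorded is never
// overwritten, mirroring the append-only property of a ledger.
func (l *Ledger) Register(deviceID string, pub ed25519.PublicKey) error {
	if _, exists := l.records[deviceID]; exists {
		return errors.New("ledger: identity already recorded")
	}
	l.records[deviceID] = pub
	return nil
}

// Lookup returns the public key recorded for deviceID, if any.
func (l *Ledger) Lookup(deviceID string) (ed25519.PublicKey, bool) {
	pub, ok := l.records[deviceID]
	return pub, ok
}

// Device models an IoT device whose firmware carries a unique private key
// instead of a shared default password. The private key never leaves the
// device; only the public half is published on the ledger.
type Device struct {
	ID   string
	priv ed25519.PrivateKey
}

// ProvisionDevice generates the key pair at manufacture time and records the
// identity -> public key binding on the ledger.
func ProvisionDevice(l *Ledger, id string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	if err := l.Register(id, pub); err != nil {
		return nil, err
	}
	return &Device{ID: id, priv: priv}, nil
}

// PublicKey returns the device's public key (the value held on the ledger).
func (d *Device) PublicKey() ed25519.PublicKey {
	return d.priv.Public().(ed25519.PublicKey)
}

// challengeDigest binds the verifier's nonce to the claimed device ID, so a
// response produced for one identity cannot be presented as another's.
func challengeDigest(deviceID string, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte(deviceID))
	h.Write(nonce)
	return h.Sum(nil)
}

// Respond signs the challenge with the embedded private key.
func (d *Device) Respond(nonce []byte) []byte {
	return ed25519.Sign(d.priv, challengeDigest(d.ID, nonce))
}

// Verifier is a service-provider node with its own copy of the ledger. It only
// accepts responses to challenges it issued, and every challenge is consumed on
// its first use, so a captured response cannot be replayed.
type Verifier struct {
	ledger *Ledger
	issued map[string]bool
}

func NewVerifier(l *Ledger) *Verifier {
	return &Verifier{ledger: l, issued: make(map[string]bool)}
}

// NewChallenge issues a fresh 32-byte random nonce and remembers it.
func (v *Verifier) NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	v.issued[hex.EncodeToString(nonce)] = true
	return nonce, nil
}

// Authenticate checks a device's response against the public key on the ledger.
func (v *Verifier) Authenticate(deviceID string, nonce, sig []byte) error {
	key := hex.EncodeToString(nonce)
	if !v.issued[key] {
		return errors.New("auth: challenge not issued or already used")
	}
	delete(v.issued, key) // single use, whether or not the response verifies
	pub, ok := v.ledger.Lookup(deviceID)
	if !ok {
		return errors.New("auth: unknown device identity")
	}
	if !ed25519.Verify(pub, challengeDigest(deviceID, nonce), sig) {
		return errors.New("auth: signature does not match ledger public key")
	}
	return nil
}

func main() {
	ledger := NewLedger()
	verifier := NewVerifier(ledger)
	cam, err := ProvisionDevice(ledger, "camera-0001") // constructed device ID
	if err != nil {
		panic(err)
	}
	nonce, _ := verifier.NewChallenge()
	sig := cam.Respond(nonce)
	fmt.Println("first response:   ", verifier.Authenticate(cam.ID, nonce, sig))
	fmt.Println("replayed response:", verifier.Authenticate(cam.ID, nonce, sig))
}
```

Two design points carry the article's argument: there is no shared secret for an attacker to harvest from firmware, since each device holds its own private key and compromising one yields nothing usable against the rest; and the verifier consults its own ledger copy rather than a central authentication server, so that lookup is not a single point that a DDoS can take out.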
DLT and blockchain have proven their security capabilities over the last ten years. Integrating an IoT device identity and authentication service onto a distributed ledger will help to mitigate many of the known DDoS attack possibilities we have seen to date.
ATIS Distributed Ledger Project
In 2017, ATIS launched the DLT Initiative to validate key aspects of distributed ledger technology as applied to real-world challenges facing today’s communications industry. As part of this work, ATIS generated a technical report, “Enterprise Identity on Distributed Ledger for Authenticated Caller Use Cases.” It describes how DLT will provide enterprise identity verification to authenticate the originating caller information in IP communication networks. The report also addresses problems associated with attestation of a telephone number (TN) due to enterprise multihoming with originating service providers that are not the allocation provider of the TN, within IP communication networks. The solution is called the “ATIS Enterprise Identity Network,” and you can access a brief and engaging video clip on its benefits to stakeholders here.
The same DLT-based TN Identity service could also support IoT identities to be authenticated by communication service providers, enterprise verticals and applications providers. Access detailed information on the DLT project and the ATIS Enterprise Identity Network here.