BARCELONA — “Trust” and “security” were the two words most oft uttered during a discussion here Monday at the Mobile World Congress entitled “IoT and the Security Blockchain,” but they were spoken — for the most part — either wishfully or in tones of outright sarcasm.
The explosion of Internet of Things (IoT) devices, said moderator Ian Hughes, an IoT analyst for 451 Research, “has created a massive ballooning of risk” to the security of systems dependent on Internet communications.
“The proliferation of IoT devices,” said Rashni Misra, Microsoft’s general manager for IoT and AI solutions, “has basically opened a new surface for attack, to an extraordinary degree.”
The message offered by a parade of experts at the Mobile World session was that security is finally an issue that big companies are taking seriously, but that the solutions today are more theoretical than actual, and they will require a measure of mutual trust (socialism) unusual among high-tech competitors (capitalists).
However, none of the experts was sanguine about the exclusively software approach, such as blockchains, which originally emerged as a decentralized transaction ledger for the crypto-currency Bitcoin. “You just don’t base all your security in software,” said analyst Seshu Madhavapeddy, Qualcomm’s vice president of IoT product management.
Speaking more positively on the subject, Paul Williamson, Arm’s vice president for IoT device IPs, touted IoT’s “huge potential to change our world” and described security measures, specifically Arm’s “ground-up” hardware solution called Platform Security Architecture.
But Williamson admitted that today, IoT is a “wild West” landscape better described as the “insecurity of things.” Fellow speaker Erin Linch, vice president of corporate development at Syniverse, expanded on this theme, noting that in any given second, traffic on the public Internet includes 24,000 gigs of data, 62,000 Google searches and 2.6 million emails — each item a potential target for cyberattack.
Williamson noted that the danger no longer applies only to devices at the moment they are launched. “We have to think about how devices can be managed throughout their lives in this world of IoT,” he said.
Linch, of Syniverse, emphasized the potential impact of a security breach in massive systems, like high-speed trains and hospital networks, but Jaya Baloo, chief information security officer at KPN Telecom, characterizing her company as a “customer” of security systems, took the issue down to the smallest devices.
She cited the case of Fitbit users in Somalia. Their activities were monitored and fed to the Internet by a built-in monitoring system that kept track of data like mileage run and heart-rate levels. By tuning in to the network and finding an unusual concentration of Fitbit data emanating from a remote region in East Africa, unauthorized observers correctly determined that this fitness cluster, a lot of people working out, was the location of what had been a secret military base.
Baloo noted that this breach was not a bug, nor did it require a sophisticated hack. It was a flaw intentionally built in by its designers, a “sharing” feature. “People are designing devices who don’t know enough to anticipate bugs,” lamented Baloo.
Among solutions suggested during the Mobile World session was a Blockchain IoT Registry, described by Anoop Nannra, chairman at Cisco of the Trusted IoT Alliance and head of its Blockchain Initiatives. He said each IoT system — such as drug delivery by drone — could be secured by “smart contracts that define a common model for IoT devices in a registry.”
He laid out a program, incorporating both hardware and software protections, for each IoT “asset” — a “smart truck,” for example — that would include a) registration, b) verification, c) transfer security, d) a secure ledger system and e) a digital wallet to pay for and get paid for services.
But this is where, said Baloo, the truck hits the road. Proposing standards, registries, alliances and trust is the easy part of Internet security, especially in the industrial realm. “We have failed at everything, at every single level,” she said. “The standards are there, but our implementation of them sucks. There’s no other way to put it.”
She offered another real-world example, in which high-tech medical devices were carefully and strictly registered to prevent a security breach. But the machines then rejected the remote software updates that they needed. It seems that if the device was opened to allow the new software, the security protocol would rescind the certification that was necessary to permit its use.
Baloo’s own company hired a team of white-hat hackers to attack its just-finished, state-of-the-art security system. The hackers discovered a flaw in the protocol standard that rendered the system vulnerable and in need of massive repairs. She added that most companies have neither the resources nor the wits to hire teams of hackers to test security quite so intensely.
The bottom line, which was left to Baloo, the final speaker, is that IoT security has a long way to go. “Defense in depth actually requires us to do just that,” she said. “Trust, but always be in a position to verify.”