Building a Safe and Secure IoT

Would you buy a new car without the latest safety features like air bags, ABS brakes, and seat belts? Unless you’re a crash test dummy, the answer is certainly no. Would you buy a used car without understanding where it came from and its accident history? Probably not! How about the smart and connected devices scattered about your home? Would you buy an IoT product without knowing if it was safe and secure, or without having confidence in its provenance? Today, that answer might be ‘I’m not sure’ but soon, the answer will be ‘of course not’.

This type of information can be securely stored and validated using a blockchain ledger. Like the technology employed to secure cryptocurrencies, the next generation of IoT standards incorporating blockchain components will provide data integrity and immutability through a decentralized ledger for devices.

The Alliance is incorporating this Distributed Compliance Ledger (DCL) into specifications as part of the device development and commissioning process. The DCL is a cryptographically secure, distributed network that allows IoT device manufacturers, official test houses and the Alliance Test and Certification team to publish public information about a given device. This will start with specific information that will attest to the provenance and performance of the device, all be done “behind the scenes” when a device connects to a Matter network. 

The Alliance and its members are using the DCL to “up the game” for the industry with a cryptographically secure, distributed ledger with no single company or entity in charge of the ledger. Properties of this permissioned blockchain framework include:

  • Multi-node network run by Alliance member companies
  • Individually signed transactions using pre-approved keys
  • Distribution of data across different geographical locations
  • Consensus protocol to ensure majority approval
  • Public reads with available cryptographic proofs attached
  • Non-repudiation, transparency, and auditability

Using blockchain and the DCL solves a host of issues that will ultimately benefit consumers, developers and manufacturers of devices and their associated firmware. This can include ensuring the latest firmware is installed or even weeding out counterfeit devices and firmware, as the platform provides ‘trusted roots’ also known as Product Attestation Authority to validate the provenance of a product and a mechanism to disperse revocation information to take a suspect device out of the network.

The complete benefits of using blockchain and the Alliance DCL are fully aligned with the goals of providing secure, independently verifiable information around IoT devices and meeting the main objectives of having a centralized, secure, tamper-proof, imputable framework for IoT. For more detail on this holistic approach, the Alliance is working on a white paper which will delve further into the DCL.

Looking into the future, DCL will enable additional sets of use cases. By participating in a blockchain distributed ledger, IoT devices can trust transactions that are cryptographically signed with their private keys. IoT devices can then make decentralized decisions for granting access by relying on secure keying material stored locally on the device. An example would be the requesting device being part of a transaction that targets a device created and signed with its own private key. The IoT devices can have signed firmware that denies all requests until it has been associated with a blockchain ledger. Once that happens, it will inherit security properties associated with a class of devices that are maintained in the ledger by the manufacturer. The Alliance’s DCL is the first step in a potential global adoption of decentralized compliance ledger technology for IoT as a whole.

In short, the marriage of IoT and Blockchain puts customers in charge of their own security by providing a trusted source of information about device provenance, certification status, and important setup and operation parameters. Today when we purchase a new car, we quickly scan the sticker to make sure it includes the safety equipment to keep us safe or the CARFAX® to check vehicle history. In comparison, certified IoT devices, backed by device attestation using blockchain, will feature the unique Matter logo, which will tell consumers that a nod to the amount of work that has gone into the standard to ensure it is as safe and secure as it can be.