Result: Secure Blockchain-based Software Updates for IoT Devices
More information
Several billion Internet of Things (IoT) devices are deployed worldwide, enabling people to control their homes, automobiles, door locks, and appliances. With their increasing growth, IoT devices have become popular targets of various malicious computer-based attacks. Due to this, frequent updates to keep their software up to date are essential to their security. However, state-of-the-art software update delivery and payment systems incorporate multiple services in a client-server structure requiring multiple transits of information between client and server, while also creating a wide attack surface. IoT devices are also resource-constrained, making them challenging to secure with complex resource-expensive security algorithms and techniques. This thesis proposes a blockchain-based end-to-end secure software update delivery framework for IoT devices that ensures confidentiality, integrity, availability, efficiency, and auditability for verified software delivery, while also offloading the cryptographic computation from resource-constrained IoT devices to a decentralized blockchain system. The proposed framework leverages Ciphertext-Policy Attribute-Based Encryption (CP-ABE), a customized authorization policy to not only ensure that software updates can only be decrypted and installed on authorized IoT devices but also significantly reduce the computational overhead for key generation and key delivery on the manufacturer side. Furthermore, secure and atomic software delivery and payments between IoT devices and the manufacturer are assured through smart contracts. The authenticity of the delivered software is guaranteed by offloading the computation-based signature validation to smart contracts. Compliance audits are satisfied through immutable records on the blockchain's public ledger, and the smart contracts efficiently guarantee the delivery of software updates in exchange for payment.
While many IoT devices are stationary, the thesis proposes to extend the framework to address challenges in mobile IoT ...