Strong claims need strong proof, so when the founders of NeuroMesh described their bitcoin-based product as an "unhackable botnet", there were a lot of questions to be asked.
Founded by Greg Falco, a PhD candidate at MIT studying cybersecurity, and Caleb Li, an MBA student at the same institution, NeuroMesh is seeking to find solutions to security issues in the Internet of Things (IoT).
The pair saw what they say is a gap in the market for a security product that would specifically work within the confines imposed by low-power, limited-storage devices.
NeuroMesh's idea is to mimic the same tactics hackers use when trying to compromise machines in the first place – installing lightweight code that hijacks the kernel and then dials out to a command and control (C&C) server, adding the machine's resources to a botnet directed by the bot 'herder'.
"We wanted to create a vaccine for IoT devices by first installing our own security software on the kernel," said Li. "It's like playing 'King of the Hill', so we become the only ones that can control the device."
One of the main points of vulnerability for a botnet is an attack on the C&C server, something that's often observed when competing hackers try to knock their rivals' botnets offline and commandeer the devices.
"That means we can actually send out a blacklist of IP addresses that these IoT devices shouldn't talk to over the bitcoin blockchain," Falco explained, adding:
New research twist
In practical terms, this involves a C&C server connected to a bitcoin wallet address which can sign transactions. In turn, IoT devices in the NeuroMesh net would run an SPV client which reads only transactions signed by NeuroMesh, and execute the commands contained in the OP_RETURN data.
Because data is propagated between bitcoin nodes in a decentralized manner, in theory reading these commands does not give any further information about the location of the server which originally issued them.
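The device-side step described above, as an added example (not NeuroMesh's code, which the article does not show): pulling a blocklist out of an OP_RETURN output and treating it strictly as data. The `NMBL` tag, the packed-IPv4 payload layout and the 80-byte cap are assumptions made for illustration, and the check that the transaction was signed by the trusted key is assumed to have been done by the SPV client before this parser runs.

```python
import ipaddress

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
MAX_PAYLOAD = 80   # assumed cap on the data push
MAGIC = b"NMBL"    # hypothetical tag marking a blocklist message


def op_return_payload(script: bytes) -> bytes:
    """Return the single data push of an OP_RETURN script, or raise ValueError."""
    if len(script) < 2 or script[0] != OP_RETURN:
        raise ValueError("not an OP_RETURN output")
    op = script[1]
    if 1 <= op <= 75:                       # direct push: opcode is the length
        length, start = op, 2
    elif op == OP_PUSHDATA1 and len(script) >= 3:
        length, start = script[2], 3        # next byte is the length
    else:
        raise ValueError("unsupported push opcode")
    data = script[start:]
    # Declared length must match exactly: no truncation, no trailing bytes.
    if len(data) != length or length > MAX_PAYLOAD:
        raise ValueError("bad push length")
    return data


def parse_blocklist(script: bytes) -> list:
    """Decode tag + packed IPv4 addresses into strings; never executes anything."""
    payload = op_return_payload(script)
    if not payload.startswith(MAGIC):
        raise ValueError("missing blocklist tag")
    body = payload[len(MAGIC):]
    if not body or len(body) % 4:
        raise ValueError("body must be whole IPv4 addresses")
    addrs = [ipaddress.IPv4Address(body[i:i + 4]) for i in range(0, len(body), 4)]
    for a in addrs:
        # Example policy: a remote list must not be able to block local plumbing.
        if a.is_loopback or a.is_unspecified or a.is_multicast:
            raise ValueError(f"refusing to block {a}")
    return [str(a) for a in addrs]


# Constructed sample script (documentation-range addresses, not real data).
SAMPLE = bytes([OP_RETURN, 12]) + MAGIC + bytes([203, 0, 113, 5, 198, 51, 100, 7])

if __name__ == "__main__":
    print(parse_blocklist(SAMPLE))
```

Rejecting anything that is not an exact, well-formed message keeps the parser's attack surface small, which matters because the input arrives from a public network that anyone can write to.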
Dr Michael Siegel, Associate Director of MIT’s IC3 cybersecurity consortium and a research advisor for the NeuroMesh project, says that Li and Falco's work comes out of a tradition of research into secure communication between distributed systems.
"It's a clever use of a small piece of code that can run on many types of devices," Siegel told CoinDesk.
Falco also confirmed that the uniqueness of the NeuroMesh offering is in finding a new use for existing practices.
"While what we're doing is new from a commercial standpoint, there's been several case studies of white-hat security researchers doing what we're doing to close vulnerabilities in a system," he said.
Roman Sinayev, a security software engineer who designs anti-malware systems at Juniper Networks, is familiar with the concepts behind the NeuroMesh project (although he's not seen the software in action).
Assuming the code is written without any exploitable errors, the result would be a secure communication channel, Sinayev said.
Further, he pointed out that blockchain isn't required to hide communications.
"[A]nother way would be any kind of P2P programme like BitTorrent," he said. "You could also use many different proxy servers and change the IPs, or you could use some intermediate service – embed information in pictures on a public channel, for example."
Without having seen the code, Sinayev stressed that it's impossible to verify that the NeuroMesh product works exactly as described. However, he suggested that (as with all security software) best practice would be to have an independent audit once the product is finalised.
On a similarly cautionary note, MIT's Dr Siegel pointed out that technology is not always the weakest point of a system, saying:
Even factoring in human error, the bitcoin network has proven to be extremely resistant to malicious activity, and it's this property that Falco and Li are hoping to tap into with their IoT product.