Strong claims need strong proof, so when the founders of NeuroMesh described their bitcoin-based product as an “unhackable botnet”, there were a lot of questions to be asked.
Still, the claim has already been backed by such accolades as a second-place prize in the MIT $100k startup challenge and a shortlist position in the ongoing Atos IT Challenge 2017 – both of which lend weight to the credibility of the project.
Founded by Greg Falco, a PhD candidate at MIT studying cybersecurity, and Caleb Li, an MBA student at the same institution, NeuroMesh is seeking to find solutions to security issues in the Internet of Things (IoT).
The pair saw what they say is a gap in the market for a security product that would specifically work within the confines imposed by low-power, limited-storage devices.
NeuroMesh’s idea is to mimick the same tactics hackers use when trying to compromise machines in the first place – installing lightweight code that hijacks the kernel and then dials out to a command and control (C&C;) server, adding the machine’s resources to a botnet directed by the bot ‘herder’.
“We wanted to create a vaccine for IoT devices by first installing our own security software on the kernel,” said Li. “It’s like playing ‘King of the Hill’, so we become the only ones that can control the device.”
One of the main points of vulnerability for a botnet is an attack on the C&C; server, something that’s often observed when competing hackers try to knock their rivals’ botnets offline and commandeer the devices.
NeuroMesh’s solution is to send commands to devices secured by their technology via OP_RETURN codes in the bitcoin blockchain – code that allows for the transmission of arbitrary data (such as ‘Mined by Antpool’, ‘Happy halving day’ or in one case, the text of an encyclical letter by Pope Francis).
“That means we can actually send out a blacklist of IP addresses that these IoT devices shouldn’t talk to over the bitcoin blockchain,” Falco explained, adding:
“Usually [with botnets] you could shut down a central server where the command is coming from, but with the blockchain we don’t have to worry about that because it’s entirely decentralized.”
New research twist
In practical terms, this involves a C&C; server connected to a bitcoin wallet address which can sign transactions. In turn, IoT devices in the NeuroMesh net would run an SPV client which reads only transactions signed by NeuroMesh, and execute the commands contained in the OP_RETURN data.
Because data is propagated between bitcoin nodes in a decentralized manner, in theory reading these commands does not give any further information about the location of the server which originally issued them.
Dr Michael Siegel, Associate Director of MIT’s IC3 cybersecurity consortium and a research advisor for the NeuroMesh project, says that Li and Falco’s work comes out of a tradition of research into secure communication between distributed systems.
“It’s a clever use of a small piece of code that can run on many types of devices,” Siegel told .
“It’s a great idea: not totally new, but, in the IoT space, the combination of what they’re doing with botnets, blockchain and central command is something new they’ve established, and appears to be an extremely secure environment for managing small distributed devices.”
Falco also confirmed that the uniqueness of the NeuroMesh offering is in finding a new use for existing practices.
“While what we’re doing is new from a commercial standpoint, there’s been several case studies of white-hat security researchers doing what we’re doing to close vulnerabilities in a system,” he said.
Roman Sinayev, a security software engineer who designs anti-malware systems at Juniper Networks, is familiar with the concepts behind the NeuroMesh project (although he’s not seen the software in action).
Assuming the code is written without any exploitable errors, then the result would be a secure communication channel, Sinayev said.
Further, he pointed out that blockchain isn’t required to hide communications.
“[A]nother way would be any kind of P2P programme like BitTorrent,” he said. “You could also use many different proxy servers and change the IPs, or you could use some intermediate service – embed information in pictures on a public channel, for example.”
Without having seen the code, Sinayev stressed that it’s impossible to verify that the NeuroMesh product works exactly as described. However, he suggested that (as with all security software) best practice would be to have an independent audit once the product is finalised.
On a similarly cautionary note, MIT’s Dr Siegel pointed out that technology is not always the weakest point of a system, saying:
“Underlying this is a very secure system with sound technology and difficult to break security. But this doesn’t stop humans from doing really dumb things! On the end of it, you’ll have someone who controls the passwords and controls access, and that person could always do something stupid.”
Even factoring in human error, the bitcoin network has proven to be extremely resistant to malicious activity, and it’s this property that Falco and Li are hoping to tap into with their IoT product.
“We call it ‘unhackable’ because to date, the bitcoin blockchain hasn’t been hacked.”