On 30 September 2020, public distributed ledger (DLT) IOTA announced the launch of IOTA Access, an open-source framework that builds access control systems. An example is a car owner’s ability to enable someone to access and use their car remotely. IOTA Access isn’t limited to vehicles, it works with any IoT resource, such as embedded sensors or smart locks. Regarding smart vehicles, IOTA has previously worked with Jaguar Land Rover on an IoT smart wallet project, which is a partner on this project, alongside STMicroelectronics, NTT DATA Romania, RIDDLE&CODE, and numerous others.
Below is a Q&A with RIDDLE&CODE which focuses on hardware integration.
IOTA Access aims to securely control smart devices, granting and revoking access to the devices anytime and anywhere. It allows users to specify conditions for granting access.
Business owners using IOTA Access can charge users for access to their resources, also with enforceable conditions. Every interaction between the digital devices will be registered and secured immutably on the Tangle, notably not a blockchain. The Tangle is a directed acyclic graph, which IOTA claims is a faster and cheaper alternative to blockchains. An added advantage for something like office building access is there is an audit log of all usage, permission changes and payments.
One of the questions is why a decentralized system is required? Firstly there’s the concept of a single point of failure. If there was a centralized database that goes offline, people could get locked out of cars or worse. By having numerous nodes with the same data, a DLT provides redundancy.
Secondly, it means there is no honeypot for hackers to target. If someone wanted to steal a car and knew the car manufacturer had a centralized database, they could hack the database to alter data and give themselves access to many cars. Data stored on DLT is much harder to change because of the many nodes that store copies.
Porsche has also explored using blockchain for remote car access.
IOTA security track record
However secure a DLT might be, the security weak points will more likely be in the communication with the DLT or the apps that can control the access. The nature of IOTA Access has security at its core.
But that’s not an area that IOTA has a strong track record. However, the involvement of numerous other organizations could be a huge help here.
In early 2020, IOTA had to halt part of its network to investigate thefts in the Trinity Wallet, the main IOTA wallet released by the IOTA Foundation. Even before the thefts, IOTA had serious security vulnerabilities although they were subsequently rectified. Trinity Wallet has since been subject to three security audits. While this time, the vulnerabilities were in the wallet app rather than the DLT, security will nevertheless be a prominent discussion point in IOTA Access.
1. Are you working on it at a research level or with a particular client?
We’re assessing the potential of combining the technologies IOTA is publishing with our solutions. So it is both happening on the research level and on the strategic level.
We will approach interested parties as soon as we have aligned all of this. As you can see from the release of our industry-grade hardware Car Wallet with Daimler Mobility last week, the automotive industry is an obvious target, but we also think Smart Locks for supply chains or securing the perimeters of industrial facilities is very interesting. At Riddle&Code, we are interested in enabling robust and highly secure solutions for critical infrastructures.
2. Run us through the advantages of DLT
We have to differentiate between the underlying infrastructure and the business model layer that is executed on top of it. DLT or the Tangle are part of the underlying infrastructure, and it is clear that decentralized data storage, a tamper-proof audit trail and some other often-cited advantages of DLT can increase the (cyber-)security levels of IoT or vehicle systems. While IOTA Access is providing a business and process framework to control access, our part is to give physical objects such as machines or vehicles a tamper-proof digital identity.
3. Are the biggest security issues in the devices that transmit the unlock signal, and how the communications or data could be tampered with?
Yes, that’s exactly the point. We achieve this by adding or embedding a crypto hardware module into devices of all kinds. Establishing that digital identity and checkin has more to do with cryptography and mathematical functions, but then establishing a direct connection between that chip and DLT protocols, registering the Digital Twin of that object on a DLT and also using it as registry for usage data or other metadata is the go-to approach here. This helps to establish a root of trust on the device level and turn them into trusted data sources that can benefit from wallet and settlement capabilities.
In a nutshell, we bridge the physical and the digital realm and create highly secure end-to-end platforms.
4. IOTA and security: have its wallet security issues not raised concerns with corporates?
This is something IOTA should comment on – but it is clear that problems that do arise – especially in an emerging industry and ecosystem – from the integration of third party solutions do not always lead to the best possible results. But if you can identify where the problem came from, then you can fix it. So we all benefit today from the internet as a technology layer, even though it was a very painful usability experience throughout the Nineties, and it still hasn’t reached an acceptable level of security for many applications today. That’s why DLT technology is a necessary evolutionary step. And errors are part of that journey.
Update: The Riddle&Code Q&A was added