Anonymity in blockchain-supported Cyberphysical Systems

Blockchain is a disruptive technology that has received tremendous attention from academia and industry due to its salient features including auditability, immutability, decentralization, and anonymity. In blockchain, a transaction forms the basic communication primitive that allows nodes to exchange information or read/write data in the blockchain. Dependencies can exist between transactions where certain fields generated in one transaction (outputs) are referenced in another transaction as inputs. Particular nodes in the network, known as miners, collate multiple transactions and form a block which is appended to the blockchain by following a consensus algorithm. Using the consensus algorithm, e.g., Proof of Work (PoW), participating nodes build a trusted network over untrusted participants.

New transactions and blocks are broadcast and verified by all participating nodes, which eliminates the need for central authorities and introduces distributed management of trust. Each block includes the hash of its previous block in the ledger, which ensures immutability of the ledger. The modification of the block content, i.e., the transactions, is impossible, since the hash maintained in the subsequent block will not match with the hash of the modified block. The transactions are permanently stored in the public immutable blockchain, which can be accessed by any node, thus delivering high auditability.

The transactions are cryptographically sealed using public/private keys. The Public Key (PK) used in each transaction is employed as the identity of the transaction generator. This introduces a level of anonymity for the blockchain users as their real identity remains unknown to the participating nodes. To enhance their anonymity, the users may change their PK for each new transaction as in Bitcoin [1]. This protects users against linking attacks, where malicious nodes attempt to deanonymize a user by tracking multiple identities of the user.

In recent years, there has been increased interest in adopting blockchain to address security, anonymity, and centralization challenges of the network of billions of connected devices that form the Internet of Things (IoT). Ethereum, proposed in 2014, enables blockchain participants to write and execute code in a distributed manner in the form of smart contracts.

As noted above, to improve anonymity, blockchain users often employ changeable PKs. However, malicious nodes can deanonymize a user by classifying transactions with different PKs based on particular metrics, e.g., the flow of inputs/outputs, and linking them to a user. Deanonymisation can also be achieved by analysing real-time network traffic, where the network address of a device is linked to one or more PKs. IoT networks are subject to an additional privacy risk: the exposure of the user’s activity patterns based on the sensed data. An attacker with the intention of unveiling a user’s activities must first determine the type of sensing devices in the user’s premises. The combination of user deanonymisation and sensor device identification can therefore be a powerful tool for an attacker to determine a user’s identity and activities.

In this project, we analyse the possibility of sensor type identification in IoT-based blockchain by analysing the temporal patterns of recorded transactions in the blockchain. As an example, a Samsung camera that stores transactions in blockchain can be identified as a “camera” by analyzing the pattern of its transactions. To the best of our knowledge, this is the first attempt to identify sensor device types in an IoT blockchain context. In an IoT setting, each user owns a number of devices that collect and share data with Service Providers (SP) and/or other users to offer personalized services to the user. Exposure of the user’s activity patterns results in serious privacy and security concerns, e.g., the attacker can infer the hours that a home is occupied by monitoring the temporal patterns of transactions generated by motion sensors. In most blockchain instantiations, the data of the IoT devices are not stored in the blockchain, but rather off-the-chain in a separate cloud storage with only the hash of the data being stored in the blockchain. It is not necessary for the attacker to access the data to expose the user’s activity as attackers can do so by monitoring the pattern of stored communications, i.e., transactions, of IoT devices.
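
The following is an added example, not code from the project or its publications: a self-audit a device owner could run over the transaction timestamps of their own keys to see what timing alone reveals, without touching the off-chain data. The sample ledger, the key names PK_A and PK_B, the two device behaviours and the 0.1 threshold are constructed assumptions.

```python
import random
import statistics

def interarrival_profile(timestamps):
    """Mean gap (s) and coefficient of variation of one key's transactions."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return {"mean_gap": mean, "cv": statistics.pstdev(gaps) / mean}

def looks_periodic(timestamps, cv_threshold=0.1):
    """Near-constant gaps suggest a device reporting on a fixed schedule."""
    return interarrival_profile(timestamps)["cv"] < cv_threshold

def active_hours(timestamps, min_tx=3):
    """Hours of day (0-23) with at least min_tx transactions."""
    counts = [0] * 24
    for t in timestamps:
        counts[int(t // 3600) % 24] += 1
    return [h for h, c in enumerate(counts) if c >= min_tx]

def build_sample_ledger(seed=7):
    """Constructed data: seconds since midnight for two keys over one day."""
    rng = random.Random(seed)
    # Schedule-driven device: one transaction every 300 s, small jitter.
    periodic = [10 + i * 300 + rng.uniform(-5, 5) for i in range(288)]
    # Event-driven device: transactions only while the home is occupied.
    event = []
    for hour in (7, 18, 19, 20, 21):
        event += [hour * 3600 + rng.uniform(0, 3599) for _ in range(10)]
    return {"PK_A": periodic, "PK_B": event}

def audit(ledger):
    """Per key: what an observer of the public ledger learns from timing."""
    return {
        pk: {"periodic": looks_periodic(ts), "active_hours": active_hours(ts)}
        for pk, ts in ledger.items()
    }

if __name__ == "__main__":
    for pk, finding in audit(build_sample_ledger()).items():
        print(pk, finding)
```

In the constructed data the event-driven key's active hours coincide with the hours the home is occupied, which is the exposure the paragraph above describes.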

Project Team

Dr. Ali Dorri

Prof. Raja Jurdak

Prof. Salil Kanhere (UNSW)

Andrew Mather

Jonathan Charles (UNSW)

Related Publications

[1] A. Dorri, S. Kanhere, R. Jurdak, P. Gauravaram, “LSB: A Lightweight Scalable BlockChain for IoT Security and Anonymity,” Journal of Parallel and Distributed Computing, 134: 180-197, December, 2019.

[2] A. Dorri, C. Roulin, R. Jurdak, S. Kanhere, “On the Activity Privacy of Blockchain for IoT,” In proceedings of the IEEE 44th Conference on Local Computer Networks (LCN), Osnabrück, Germany, October, 2019.

[3] A. Dorri, M. Steger, S. Kanhere, R. Jurdak, “A blockchain-based solution to automotive security and privacy,” Blockchain for Distributed Systems Security, Editors Sachin Shetty, Charles A. Kamhoua, Laurent Njilla, John Wiley & Sons/IEEE Press, ISBN 1119519608, 9781119519607, March, 2019.

[4] A. Dorri, S. Kanhere, R. Jurdak, P. Gauravaram, “Blockchain for IoT Security and Privacy: The Case Study of a Smart Home,” In proceedings of the 2nd IEEE Workshop on security, privacy, and trust in the Internet of things (PERCOM), Hawaii, USA, March, 2017.