Is your device trying to kill you?
I don't mean this metaphorically, but literally. And if it's not your device, is it someone else's? The person behind you in the queue at the coffee shop or supermarket might be holding a compromised device.
After the recent news of weaponised pagers and walkie-talkies being detonated in Lebanon and Syria, how do we feel when something as innocuous as a personal device can be used to kill? It brings warfare very close to home.
Details are pretty sparse on exactly how the devices were detonated, but we know it happened simultaneously and that the devices had been in use for some time. So let's assume that the detonations were triggered over a network such as the internet or a mobile network. These are, in effect, IoT (internet-of-things) devices.
The Ubiquity and Risk of IoT Devices
IoT devices are now ubiquitous in modern society — your mobile phone, fridge, oven, drone, camera, laptop, tablet, watch — everything is connected.
Did you know they're even developing buildings that monitor staff movements, temperatures, air quality, how long you spend at the water cooler or even in the toilet, and how long you spend in the office? All of these sensors are connected and sending sensitive information, and all could potentially be used as pawns in cyber warfare.
While it gives us enormous convenience we must be careful not to compromise security — I would add privacy here but that ship has sailed.
Manufacturers of IoT devices will now certainly be scrutinised to demonstrate that their devices are secure and cannot be weaponised. Perhaps consumers like yourself will start to ask more questions, such as: how do I know the supply chain isn't compromised by an illicit actor, or that children weren't used in manufacturing?
Once you start testing the trust you have for your favourite IoT brand (Apple, Samsung, Tesla etc.) it's a bit of a slippery slope. Like in love, friendship and business, once the trust is gone, everything comes crashing down. And this will happen to our confidence in the devices we own.
As with all threats to our society and safety, there are good people out there thinking about our cyber security to make the world a safer place.
Zero-Knowledge Proofs
Here is where I might lose some of you – in the field of computer science, my alma mater, a new piece of tech has been developed called 'zero knowledge proofs'.
It allows you to prove beyond reasonable doubt that you know something to someone else without actually showing them what you know. How?
Well, let's ask Claude Sonnet 3.5 (a popular Large Language Model) to explain using the Ali Baba Cave analogy:

Imagine you have a magical cave with a secret password. The cave is circular, with an entrance on one side and a magical door in the middle that splits the cave into two paths. To open the magical door, you need to whisper a secret password. Your friend claims to know the password, but you want to verify this without them revealing it to you.
Here's how you can check if your friend really knows the password:
- Your friend goes into the cave while you wait outside. You don't know which path they took (left or right).
- You shout either "Come out from the left!" or "Come out from the right!"
- If your friend is on the side you called, they just walk out.
- If your friend is on the other side, they need to use the password to open the magical door and come out the side you called.
- You repeat this many times, always randomly choosing which side to call.
The cool part is:
- If your friend really knows the password, they can always come out the side you call.
- If they don't know the password, they have a 50% chance of being on the wrong side each time, and can't get through the door.
After doing this many times (let's say 20), if your friend always comes out the correct side, you can be pretty sure they know the password — but you never learned what the password is!
This is what we call a "zero-knowledge proof" because:
- You proved your friend knows the password (completeness)
- Your friend can't trick you if they don't know it (soundness)
- You didn't learn the actual password (zero-knowledge)
A computer, embedded into a personal device, could cycle through these checks thousands of times in less than a second and generate a 'zero knowledge proof'.
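The cave game maps directly onto a classic interactive proof of knowledge of a discrete logarithm with one-bit challenges. The sketch below is an added example, not part of the original article and not FidesInnova's firmware; the group parameters `P` and `G` and the class names are assumptions chosen for illustration and are far too small for real use.

```python
import secrets

# Toy public parameters (assumed for illustration only, not secure sizes).
P = 2**127 - 1      # a Mersenne prime
G = 3
Q = P - 1           # exponents reduce mod P-1 (Fermat's little theorem)

class HonestProver:
    """Knows the 'password' x behind the public value y = G^x mod P."""
    def __init__(self, x):
        self.x = x
    def commit(self):
        # Entering the cave: pick a fresh random path and commit to it.
        self.r = secrets.randbelow(Q)
        return pow(G, self.r, P)
    def respond(self, challenge):
        # challenge 0 reveals only r; challenge 1 reveals r masked with x.
        return (self.r + challenge * self.x) % Q

class CheatingProver:
    """Does not know x, so must guess the challenge before committing."""
    def __init__(self, y):
        self.y = y
    def commit(self):
        self.guess = secrets.randbelow(2)
        self.s = secrets.randbelow(Q)
        t = pow(G, self.s, P)
        if self.guess == 1:
            # Commitment crafted to verify only if the challenge is 1.
            t = t * pow(self.y, -1, P) % P
        return t
    def respond(self, challenge):
        return self.s if challenge == self.guess else None  # stuck at the door

def verify(prover, y, rounds=20):
    """Run the shout-a-side game `rounds` times; accept only if every round passes."""
    for _ in range(rounds):
        t = prover.commit()
        c = secrets.randbelow(2)              # "left" or "right"
        s = prover.respond(c)
        if s is None or pow(G, s, P) != t * pow(y, c, P) % P:
            return False
    return True

secret_x = secrets.randbelow(Q)               # constructed sample secret
public_y = pow(G, secret_x, P)
```

The honest prover passes every round, while the cheater survives each round only when its guess matches the challenge, so its chance of passing 20 rounds is 1 in 2^20.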
Making IoT Devices Safer
So, after that educational but necessary tangent, what are the real-world implications?
By proving knowledge without revealing data, we can now demonstrate that our devices are working as the manufacturer intended and haven't been tampered with. This gives us private, trustworthy, and verifiable computation.
Imagine integrating these lightweight 'zero-knowledge proofs' into all types of IoT devices, providing owners with confidence that their devices are functioning securely and as intended.
At Exponential Partners, we are advising a promising start-up called FidesInnova which is pioneering this exact approach. They've developed firmware for IoT devices that allows their computation and data output to be verified using zero-knowledge proofs.
This technology extends to many different use cases which use IoT devices to monitor:
- Critical National Infrastructure: Securing power plants and railway systems to prevent tampering or sabotage.
- Building Management: Monitoring staff attendance, air quality, and occupancy rates while ensuring data integrity.
- Automotive Industry: Ensuring the integrity of connected car systems, including autonomous vehicle controls.
- Healthcare Devices: Verifying the operation of medical equipment like pacemakers, insulin pumps, and hospital monitoring systems without exposing sensitive patient data.
- Smart Home Systems: Protecting security cameras, smart locks, thermostats, and other home automation devices from unauthorized access or manipulation.
Let's consider drones as a concrete example. Once a drone is out of sight, operators rely entirely on telemetry data to know if it's functioning correctly. But what if the drone was compromised and sending misleading information? How would you know?
With FidesInnova's firmware installed, the drone could frequently share proofs of its computation and data output. Any manipulation of the device would necessarily alter these proofs, immediately alerting operators to potential tampering.
Similarly, in the healthcare sector, connected medical devices play a crucial role in patient care. Ensuring that these devices are operating correctly is critical for patient safety. Zero-knowledge proofs can confirm that a device like an insulin pump is functioning properly without revealing sensitive patient information or proprietary device data.
The implications are profound: imagine having absolute certainty about your device's computation and output, especially in critical infrastructure scenarios. This level of security and verification could revolutionise how we interact with and trust our increasingly connected world.
By embracing this technology, we can rebuild the trust that is so essential in our relationship with the digital world. It's up to all of us — consumers, manufacturers, and technologists alike — to ensure that the conveniences of the IoT era don't come at the expense of our safety.
Together, we can foster a future where innovation and security go hand in hand, making our interconnected world not just smarter, but also safer.