P4UIoT—pay-per-piece patch update delivery for IoT using gradual release—introduces a distributed framework for delivering patch updates to IoT devices. The framework facilitates distribution via peer-to-peer delivery networks and incentivizes the distribution operation. The peer-to-peer delivery network reduces load by delegating patch distribution to the nodes of the network, thereby protecting against a single point of failure and reducing costs. Distributed file-sharing solutions currently available in the literature are limited to sharing popular files among peers. In contrast, the proposed protocol uses a blockchain-based lightning network to incentivize peers to distribute patch updates, which might be relevant only to IoT devices. The manufacturer/owner of the IoT device, called the vendor, commits a bid on the blockchain, which can be publicly verified by the members of the network. The nodes interested in delivering the patch update, called distributors, compete with each other to exchange a piece of the patch update for a cryptocurrency payment. The pay-per-piece payment protocol addresses the problem of misbehavior between IoT devices and distributors, as either of them may try to take advantage of the other. The pay-per-piece protocol is a form of gradual release of a commodity such as a patch update: the commodity is divided into small pieces that are exchanged between the sender and the receiver, building trust at each step as the transactions progress in rounds. The permissionless nature of the framework enables the proposal to scale, as it incentivizes the participation of individual distributors. Thus, compared to previous solutions, the proposed framework can scale better without any overhead and with reduced costs. A combination of the Bitcoin lightning network for cryptocurrency incentives with the BitTorrent delivery network is used to present a prototype of the proposed framework. Finally, a financial and scalability evaluation of the proposed framework is presented.
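The gradual-release exchange summarized above can be modelled in a few lines. The following is an added example, not code from the paper or its prototype: it assumes the vendor publishes one SHA-256 digest per piece, that the distributor sends a piece before it is paid for, and it replaces the lightning payment with a plain counter; the names, piece size and price are constructed for illustration.

```python
import hashlib
import hmac

PIECE_SIZE = 1024  # constructed piece size in bytes
PRICE = 10         # constructed price per piece, arbitrary units

def split(patch, size=PIECE_SIZE):
    """Divide the patch into fixed-size pieces (the last one may be shorter)."""
    return [patch[i:i + size] for i in range(0, len(patch), size)]

def manifest(pieces):
    """Assumption: the vendor publishes one SHA-256 digest per piece."""
    return [hashlib.sha256(p).digest() for p in pieces]

def exchange(offered, hashes, device_pays=lambda i: True):
    """One round per piece: the distributor sends piece i, the device checks
    it against the vendor digest, then pays. Either side aborts on the first
    misbehavior. Returns (received pieces, total paid, status)."""
    received, paid = [], 0
    for i, expected in enumerate(hashes):
        if i >= len(offered):
            return received, paid, f"abort: missing piece {i}"
        if not hmac.compare_digest(hashlib.sha256(offered[i]).digest(), expected):
            return received, paid, f"abort: bad piece {i}"     # device never pays for it
        received.append(offered[i])
        if not device_pays(i):
            return received, paid, f"abort: unpaid piece {i}"  # distributor stops sending
        paid += PRICE
    return received, paid, "complete"

def unpaid_value(received, paid):
    """Value of verified pieces the device holds but has not paid for."""
    return len(received) * PRICE - paid

def tampered(pieces, index):
    """Copy of the piece list with one piece overwritten (misbehaving distributor)."""
    bad = list(pieces)
    bad[index] = b"\x00" * len(bad[index])
    return bad

# Constructed sample patch: 4096 bytes, i.e. four pieces.
PATCH = bytes(range(256)) * 16
PIECES = split(PATCH)
HASHES = manifest(PIECES)

if __name__ == "__main__":
    for name, args in [("honest", (PIECES,)),
                       ("tampered piece 2", (tampered(PIECES, 2),)),
                       ("device stops paying", (PIECES, HASHES, lambda i: i < 1))]:
        got, paid, status = exchange(*args) if len(args) == 3 else exchange(args[0], HASHES)
        print(name, status, "paid", paid, "unpaid", unpaid_value(got, paid))
```

Under these assumptions a misbehaving distributor is never paid for a piece that fails verification, and a device that stops paying gains at most one unpaid piece before the distributor aborts.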
The last decade has seen tremendous growth in Internet of Things (IoT) services and devices owing to rapid advancements in networking technologies. Gartner, Inc. predicts a 21% growth to 5.8 billion IoT endpoints by 2020 compared to 2019. The growth is expected to reach 64 billion devices worldwide by 2025, with the predicted market size to reach $520 billion by 2021. With recent advances in the next-generation mobile connection technology 5G, mobile subscriptions are predicted to reach 1.3 billion by 2023. The ubiquitous nature of IoT devices makes them a primary target for attackers. Recent exploits such as DDoS attacks or the ZigBee chain reaction, demonstrated in practice, point towards the weak security posture of many popular IoT devices. Other attacks include breaking into homes [7,8] and compromising local networks [9,10] and smart devices. However, with an increase in focus on the security of IoT devices [7,12,13,14,15], the practice of patching IoT devices with security updates is a simple solution to protect them from cyber-attacks.
Despite being a basic solution, patching is often ignored or scarcely performed, as observed by users and manufacturers alike. Narrow profit margins and operational difficulties limit the large-scale patching of IoT devices by the manufacturers. The de facto client-server-based centralized distribution mechanism, specifically for IoT patch updates, is another cause for concern. The volume of IoT devices and the data generated and consumed by them stresses the ISPs, inter-ISP business relationships, and the Internet backbone. Thus, researchers are focusing on edge computing solutions to limit the information exchange to a single ISP [17,18]. Also, centralized distribution depends heavily on centrally controlled and widely spread cloud services. The centralized control makes the system vulnerable to local outages or natural calamities, and exposes it to significant central points of failure. Even spreading the cloud servers across multiple regions still leaves the system vulnerable to organizational faults and human errors.
Considering the limitations of existing systems, a distributed P2P content delivery network holds promise. In particular, such networks can be explored to optimize patch delivery to IoT devices. For example, consider file-sharing networks like Gnutella, IPFS, and BitTorrent, which became popular in the last decade. As a case in point, large organizations and enterprises like Microsoft (for Windows 10 updates), Twitter (to speed up server deployment), Spotify (to reduce its hosting costs), or Amazon are exploring P2P distribution. Unfortunately, such attempts at peer-to-peer distribution are limited to a few organizations acting as peers on the Internet. To truly reach its potential, the distribution needs to be more inclusive and, thus, incentivized. Unfortunately, such attempts are severely limited to independent Internet peers.
Also, such systems suffer from a fundamental problem: limited availability in the case of unpopular files like patch updates. For example, in the case of IoT patch update distribution, the IoT devices are the only parties interested in the update uploaded by a vendor. Thus, other peers of the network will not be interested in downloading and sharing it in the absence of any incentive. Even the IoT devices will not be able to share the files due to their limited resources.
The authors in [27,28] propose a blockchain-based IoT patch distribution to improve accountability and availability. However, in the absence of incentives, the network did not scale beyond the nodes controlled by the manufacturers. Lee et al. propose a cryptocurrency incentive mechanism for encouraging a network of distributor networks to deliver patches to destination IoT devices. Leiba et al. propose a similar approach to , but with an efficient distribution mechanism. Both proposals enable a fair exchange of authenticated software updates and cryptocurrency payments. However, an on-chain payment solution suffers from several problems. (i) Costs: Each transaction on the blockchain costs transaction fees in addition to the incentives being transferred. For example, the Bitcoin transaction fee is reaching around 60 cents (https://bitinfocharts.com/comparison/bitcoin-transactionfees.html). IoTPatchPool analyzed per-device fees to be around 10 cents. (ii) Latency: The delay caused by the required number of block confirmations prevents the solution from scaling. For example, the average block creation time in Bitcoin is ten minutes, and at least six blocks are needed to confirm a transaction. Thus, a single update may take around one hour. (iii) Throughput: Due to the latency delay, the number of device updates within a given time frame is limited by an upper bound. (iv) Privacy: Being a public ledger that can be audited by anyone, a blockchain lacks privacy. An attacker can learn critical information like the number of devices handled by the vendor, how many devices got patched, the cost of patching the devices, etc.