The word "connected object" immediately conjures up a second, "security". With 100 billion connected objects and 5 billion users on the market in less than five years' time, the question of how to secure these objects, from watches to cars, is one that both specialists and concerned citizens are asking, in the light of recent incidents. Why don't manufacturers make their products secure? Here are some answers.
Like many parents, giving your children an educational mini-tablet is an almost ordinary gift. With its stylus, the child can have hours of fun reading, calculating, drawing and editing photos using fun applications. In short, they'll be able to do what grown-ups do under the watchful eyes of their parents. This view quickly changed when these same parents learned that their child's name, date of birth, gender and personal address, as well as the password and security question, had been stolen from the Vtech site along with hundreds of thousands of others by hackers with unknown intentions.
With a bit of bad luck, these same parents have installed an Internet-connected SimpliSafe alarm to protect their child and their home. An alarm that a novice burglar can disconnect 30 metres away with simple software and hardware ranging from 20 to 250 euros. Double bad luck: the design of this alarm prohibits any change of programme. The 300,000 or so units installed will have to be changed.
Useful pirated data
These recent examples could be multiplied, and cases involving faults linked to connected objects are regularly reported in the media. Sometimes, as in the case of alarms, the damage is minor - except for the manufacturer who is obliged to change its equipment - while other times the potential damage is more worrying. Cyrille Barthelemy, CEO of Intrinsec sécurité, explains: "On their own, they are of little value, but imagine that among the millions of recordings are those of people in sensitive professions, and that the information is correlated with other sources. On the scale of millions of recordings, people with dark ambitions will always find interesting data to exploit". What is true for a tablet is just as true for physical data collected from connected bracelets and other "quantified self" applications stored somewhere, sometimes with only approximate security.
A problem of scale
These data leaks and exploits are the most obvious consequence of attacks linked to connected objects. As Clément Notin, security consultant at Intrinsec, points out, some objects have real effects in the real world, like pacemakers that can now be configured by radio. In the event of failure, can we be sure that there has been no attack? No.
This raises the fundamental problem of connected objects: "Today, in the event of an attack on a website or an intrusion, for example, we can generally trace the thread back to the source and understand what happened. With connected objects, as things stand, this is impossible. There are no traces, no methods, for example, to detect illegitimate access", points out Cyrille Barthélémy, who adds: "Security is not just about putting up barriers, it's also about confidentiality, availability, integrity, confidentiality and traceability. In the example of the pacemaker, over and above protection against wrong orders, the question that arises in the event of an incident is how to investigate and react to attacks. “
While pacemakers are an extreme example, the fundamental issue is scale. When millions of connected objects are potentially fallible - think of the bankcards of the future - the change in scale raises questions about fraud detection, data analysis and the reaction to be given from another perspective.
"Cyrille Barthelemy points out: "Current resources for supervising large-scale fleets of connected objects will not make it possible to envisage, understand and control incidents with any precision: this is still an area to be explored in terms of innovation.
IoT: calculated industrial recklessness
Faced with such an accumulation of flaws, it is legitimate to be surprised. How can serious manufacturers offer products and systems that are so vulnerable to all kinds of attacks? Two main factors, technical and financial, point the way to an explanation. On the technical side, one of the specific features of the IoT (Internet of things) is the hardware and software constraints. The chips and processors embedded in these objects have to deliver the best possible performance and autonomy, and therefore consume very little energy. Any addition of security consumes computing resources and just as much energy, thereby reducing autonomy. However, users will first judge their connected object on the more observable variable of power consumption.
Another factor is the design of these objects. Many manufacturers simply integrate hardware and software components taken from various places and from multiple manufacturers. More often than not, no upstream or downstream risk assessment is carried out, either on the hardware or on the software layers, which also raises the question of the traceability of the products affected if a vulnerability is discovered.
To put it another way, manufacturers are making a trade-off between benefit and risk. Many of them consider that few people have the technical capacity - and interest - to tackle this type of object. This is known as security through obscurity. A worrying line of reasoning in the light of current events, and even more so if you believe Clément Notin, who believes that "all the players positioning themselves today will be hacked. And there's a simple reason for this: none of them has built security into their objects. So while we wait for a label or a move upmarket, the lack of reliability is here to stay.
Accepting to be hacked
In the end, the manufacturers who were attacked, like Vtech, no doubt learned from this lesson and modified their products. In fact, they haven't. What they have changed are the general terms and conditions of use, the famous CGU that everyone reads carefully.
In this case, paragraph 7 states, "You are aware and agree that any information you send or receive while using this site may not be secure or may be intercepted or acquired by unauthorised third parties". This insane case is far from isolated. Without being paranoid, we can only give credence to Vinton Cerf, one of the founders of the internet who fears "that thousands of connected refrigerators will gather to attack the Bank of America." A joke?
To find out more: read the interview with the Vtech hacker