Can we secure the Internet of Things?
I spoke at the opening of the Cybersecurity Conference – IOT and Embedded Systems organized in Toulouse on February 18, 2016. Organized by Captronic and the consulting company G-Echo, this conference brought together around a hundred people at the LAAS-CNRS laboratory in Toulouse and saw the participation of specialists in security issues. It was a great opportunity to take stock of the subject. This review uses information gleaned from the presentations at this conference, supplemented by some online research. The conference was sponsored by AllianTech (measurement tools and sensors), Digital Security (services and advice), HSC / Deloitte (the security consulting subsidiary of Deloitte resulting from the acquisition of Hervé Schauer Consultants in 2014), ISIT (development real-time) and NeoTech (services and advice).
It was not the only conference on the subject in France. The 8th International Cybersecurity Forum took place at the Grand Palais in Lille on January 25 and 26, 2016. There were also the Internet of Things and Cybersecurity / Cyber Defense Day in June 2015 at the CNAM in Paris. The subject is gaining momentum! The security of the Internet of Things has become a major subject of major security conferences such as the famous Defcon to USA.
Each new wave of technology brings its share of vulnerabilities. It took decades to secure rail, air and automobile transport. The seat belt, invented at the end of the 19th century, did not become compulsory in France until 1973. In the digital world, these innovation-security cycles have accelerated. Micro-computing has seen the anti-virus business very quickly emerge. This has accelerated with the arrival of the Internet. Mobility and payment systems then brought their share of vulnerabilities and new solutions.
NB: I often use the term “hack” to describe technical actions allowing to attack a connected object. Yes, I know, hacking can have a positive connotation, but it is also applied in the field of hacking!
Known weaknesses of connected objects
The world of connected objects will probably follow a similar scenario: a development of uses, the discovery of (many) vulnerabilities, symbolic attacks generating an echo in the media and the emergence and then the deployment of security solutions. There will be an inevitable race against time between security and pirate counter-attacks.
Those who claim to be able to fully secure their website or their personal computer are often surprised at the vulnerabilities that can be updated by specialists. The perception of risk is a matter of information. By default, we do not fear much. But as security breaches and their consequences are highlighted, the perception increases and can generate the expectation of greater security of the systems. Not to mention the case of attacks suffered.
In the world of connected objects, smartphones are on the front line. They are to date the most connected objects of the general public and subject to a growing number of attacks linked to their various vulnerabilities. Thus, G-DATA’s Mobile Malware Report Q4 2015 mentions the number of 2.3 million new dangers identified on Android in 2015, an increase of 32% compared to the previous quarter. This concerns the 66% of smartphone users who use Android. iOS is also prone to various vulnerabilities although its more closed side partially protects it.
But the vulnerabilities are starting to affect many categories of connected objects. Vulnerabilities are multiplied by touch points and sensors like actuators. And in terms of media coverage, we are starting to be served. Starting with the statements of officials from ANSSI, the government agency that depends on the SGDN and manages the security of state information systems, after the publication of Vincent Strubel’s Connected Objects Cybersecurity Report in June 2015.
The catalog of threats to connected objects is fascinating to say the least! In “Abusing the Internet of Things», Nitesh Dhanjani in fact a first inventory with the hacking integrating the associated source codes for connected lighting, generating a black-out, connected locks (source), facilitating burglaries, baby monitors, connected TVs and connected cars.
The inventory of “Hou! Scare me ”is already one of the richest:
The cars have a dozen or so subsystems and support various network protocols (GSM / 2G / 3G / 4G, Bluetooth, NFC, Wi-Fi, not to mention USB and the ODB-II port). Even RDS information transmitted in the FM band can interfere with the navigation system! Car radios are vulnerable to corrupted WAV audio files. It is also possible to create an electromagnetic pulse to destroy the on-board electronics of a vehicle, via a Marx generator placed at the edge of the road. Problems of this kind are inventoried in the report of American Senator Edward Markey Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk published in early 2015. The diagram below which lists the many areas of vulnerability of modern vehicles comes from the GSMA.
The hacking of Wi-Fi connections via access to radio frequency waves and the interception of certain passwords which circulate in clear is already quite common. Wi-Fi network hacking software is easy to find on the Internet, and what’s more, it’s free! Protection ? At a minimum, use complicated passwords with lowercase, uppercase, numbers and special characters preventing hacking systems from exploiting dictionaries of commonly used words.
The surveillance cameras can be attacked with lasers or through their Wi-Fi links, especially if the Wi-Fi network has been previously attacked by the previous tools. The same goes for cameras GoPro which can be hacked remotely via their Wi-Fi link (source).
In the health, risks are identified both with connected devices that simply take measurements such as blood pressure or blood sugar or those that act on health such as pacemakers.
The means of payment, especially without contact, are very vulnerable. This being the case, the greatest vulnerability is that of the men themselves, as evidenced by the famous frauds “to the president” which fall under social engineering and push accounting services to make transfers of very large sums to unknown recipients. without this arousing suspicion in companies. The most fragile connected object is in fact … man!
The electric meters can be attacked, at least in Spain, to compromise the electrical grid security from the country. It is linked to the massive interconnectivity of weakly secure devices with infrastructure networks.
The Nest thermostats are vulnerable, at least they were in 2014.
A blast furnace was also attacked in Germany in 2014 without counting Iranian uranium centrifuges, attacked by the virus Stuxnet co-designed by the NSA and the Israeli intelligence service 8200, and exploiting a vulnerability in Windows. The worm reprogrammed industrial machines without leaving any traces! It goes without saying that it was a very sophisticated attack with a very high level of integration. The scenario is easily replicable and relies on public knowledge of known vulnerabilities in operating systems, including Linux. Operating systems are rarely patched instantly after the discovery of vulnerabilities.
A few years ago, the security expert Chris Roberts had shown how he had hijacked the route of a plane from his passenger seat, by physically then logically hacking the seat video system. He had also changed the temperature of the ISS space station, which obviously drew the wrath of NASA when he was mainly trying to show their carelessness in terms of security.
Better, the inmate bracelets on probation are also hackable (source).
In the Toulouse conference, Eric ALATA, a researcher from LAAS-CNRS showed how he had remotely hacked the operator box of a user as well as objects connected via a LoRa network with a small antenna allowing to have a range of 1km.
- Conversely, rumors are circulating about a company whose computer network has been hacked via a vulnerability of a connected toaster. I have seen it mentioned in various conferences in France. I have the impression that this is actually an urban legend and more of a theoretical case. It is mentioned in a presentation of Checkpoint during the Defcon 2015 conference. There are traces of a connected toaster on the Internet in 1990 and in 2014. Each time, they were only prototypes, no commercial product, so a fortiori, with little chance of being installed in ordinary companies. I even found a history of connected toasters here which confirms that they are not commercial products (even if the article dates from 2012). An American communications agency called SocialToaster even uses the concept of the connected toaster to describe its social media buzz campaigns. They launched a connected toaster on April 1, 2012 (photo below)! I never seem to have seen a connected toaster while visiting CES in Las Vegas. And yet, there are many weird things there every year as you could see in the last one CES Report 2016 ! IoT evangelists and other security experts continue despite everything, to brandish the threat of the hack of connected toasters, using them as simple and effective communication devices to raise public awareness! A little fact checking doesn’t hurt!
The attacks are also very often staged in the fiction in the cinema or in TV series. They were countless and provoked by the NSA in “Enemy of the State” in 1999, which did not have the right equipment at the time but has largely caught up since as revealed by Edward Snowden, with all nine seasons of “24 Chrono” and Jack Bauer’s hacks using a pre- iPhone, then in “Die Hard 4” with a global cyber-attack affecting the infrastructures of New York, the cyberattack of Air Force One by Ukrainians at the beginning of the second season of the series “Madam Secretary” or the assassination of the US Vice President via an attack on his pacemaker in the 10th episode from the second season of the series “Homeland”. These numerous attacks are in fact half-fictions because they are generally based on rather plausible scenarios. In the worst case scenario, the writers were only a little ahead of their time. But less ahead of the writers of science fiction films like Star Wars or Star Trek. Indeed, we still do not move faster than light, even at the level of the most elementary particles!
Read the second part: IoT security solutions
Olivier Ezratty is a consultant in new technologies and author of Opinions Libres, a blog on digital media (digital TV, digital cinema, digital photography), and on entrepreneurship (innovation, marketing, public policies…). Olivier is an expert for FrenchWeb.