What are the real issues behind securing the Internet of Things?

by bold-lichterman

The arrival of connected locks is a good occasion to ask how secure connected objects really are. Last January, at the FIC (Forum International de la Cybersécurité), one of the major IT security events in France, a security researcher presented a long and varied catalogue of vulnerabilities found in a connected lock whose vendor had tried to reassure consumers by advertising "military-grade encryption".

Insufficient, very insufficient, in the face of the multitude of flaws that would let an attacker not only open a locked door but, worse, impersonate the door toward the cloud service it reports to. A cautionary tale that many IoT startups would do well to learn from, on pain of very painful surprises for themselves and for their investors.
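The distinction the lock's vendor missed is between confidentiality and authentication: encrypting a message hides its content, but says nothing about who sent it, whether it is fresh, or whether it was altered in transit. The following Python is an added example written for this page; it is not the lock's protocol, nor code from the FIC talk or from Yogosha. It models a hypothetical device-to-cloud exchange with constructed names (`FLEET_KEY`, `LOCK-0001`, `weak_report`, `Cloud`): the weak design encrypts a status report under one key shared by every unit and trusts the decrypted result, so an attacker can replay it, flip bits in it without the key, or speak for any serial number; the hardened design gives each unit its own key and answers a cloud-issued single-use nonce with an HMAC, so impersonation, replay and tampering all fail. The stream cipher is a SHA-256 keystream standing in for an unauthenticated mode such as AES-CTR, so the example runs with the standard library alone.

```python
import hashlib
import hmac
import secrets

# Hypothetical fleet-wide key: the same value baked into every unit (assumption,
# used here to show what "encryption" alone does not protect against).
FLEET_KEY = b"military-grade-shared-key-32byte"


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for an unauthenticated stream mode such as AES-CTR.
    Keystream block i = SHA-256(key || nonce || i). Hides the plaintext,
    but flipping a ciphertext bit flips the same plaintext bit."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


# ---- Weak design: confidentiality only, identity is a cleartext serial ----
def weak_report(serial: str, status: str) -> dict:
    """Device encrypts its status under the fleet key and names itself."""
    nonce = secrets.token_bytes(8)
    return {"serial": serial, "nonce": nonce,
            "ct": stream_xor(FLEET_KEY, nonce, status.encode())}


def weak_cloud_accepts(msg: dict) -> str:
    """Cloud decrypts and believes the result. Nothing proves the message
    came from `serial`, is fresh, or was not altered in transit."""
    return stream_xor(FLEET_KEY, msg["nonce"], msg["ct"]).decode(errors="replace")


def attacker_flips(msg: dict, old: bytes, new: bytes) -> dict:
    """Bit-flip attack: XOR the ciphertext with old^new. No key required;
    the attacker only needs to know (or guess) the plaintext layout."""
    assert len(old) == len(new)
    pad = bytes(o ^ n for o, n in zip(old, new)).ljust(len(msg["ct"]), b"\x00")
    return {**msg, "ct": bytes(c ^ p for c, p in zip(msg["ct"], pad))}


# ---- Hardened design: per-device key, cloud challenge, single-use nonce ----
class Cloud:
    def __init__(self) -> None:
        self.device_keys = {}   # serial -> key provisioned into that one unit
        self.outstanding = {}   # serial -> challenge not yet answered

    def enroll(self, serial: str) -> bytes:
        key = secrets.token_bytes(32)
        self.device_keys[serial] = key
        return key

    def challenge(self, serial: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding[serial] = nonce
        return nonce

    def verify(self, serial: str, nonce: bytes, status: str, tag: bytes) -> bool:
        """True only if the answer uses this device's key and the nonce the
        cloud issued; the nonce is consumed whether or not the answer verifies."""
        key = self.device_keys.get(serial)
        expected = self.outstanding.pop(serial, None)
        if key is None or expected is None or not hmac.compare_digest(nonce, expected):
            return False
        mac = hmac.new(key, serial.encode() + nonce + status.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(mac, tag)


def device_answer(serial: str, key: bytes, nonce: bytes, status: str):
    """Device binds its identity, the cloud's nonce and its status under its own
    key. Confidentiality is a separate layer (an AEAD mode gives both); the
    point here is authenticity and freshness."""
    tag = hmac.new(key, serial.encode() + nonce + status.encode(), hashlib.sha256).digest()
    return serial, nonce, status, tag


if __name__ == "__main__":
    m = weak_report("LOCK-0001", "locked  ")
    print("weak, forged     :", weak_cloud_accepts(attacker_flips(m, b"locked  ", b"unlocked")))
    cloud = Cloud()
    key = cloud.enroll("LOCK-0001")
    n = cloud.challenge("LOCK-0001")
    print("hardened, genuine:", cloud.verify(*device_answer("LOCK-0001", key, n, "locked")))
    print("hardened, replay :", cloud.verify(*device_answer("LOCK-0001", key, n, "locked")))
```

The weak half is what a marketing label like "military-grade encryption" actually buys on its own; the hardened half is the minimum a cloud needs before it treats a message as coming from a particular door.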

The Internet of Things (IoT) is, to borrow Jeremy Rifkin's definition, the meeting of atoms and bits: the missing link between the real and the virtual, the last step before a world in which the cyber and the physical are increasingly intertwined. To belong to the very popular IoT category, an object must be connected, but that is far from sufficient. It must also, and above all, carry sensors that give it this role of bridge between the real and the virtual, and software designed to that end. A connected bathroom scale is part of the club if we apply Rifkin's definition.

To be more precise about what qualifies an object as belonging to the IoT universe, the object in question must meet seven requirements:

  1. A physical or virtual label to identify objects and places. To be locatable, the smallest physical labels must be embedded in visual markers.

  2. A way to read physical labels, or locate virtual labels.

  3. A mobile device such as a mobile phone, organizer or laptop.

  4. Additional software for the mobile device.

  5. A wireless network (2G, 3G or 4G) to allow communication between the portable device and the server holding the information related to the tagged object.

  6. Information about each linked object. This information may be held in existing Web pages, in databases containing price information, and so on.

  7. A display for viewing information about the linked object. At present, it is likely to be the screen of a mobile phone.

After the skeleton, the nervous system

With such a critical mission and such a sensitive role, it is easier to understand why security must be thought about at the very heart of the IoT, as it already is within the communities most advanced in security matters, such as the military, who regularly devote conferences and round tables to it.

With the Internet of Things, security breaches formerly confined to the virtual world spill over into the real one, with very concrete consequences: if you have fitted the connected lock mentioned above, not only can you be burgled very easily, but getting your home insurance to pay out may prove very tricky.

Insidiously, the gradual advent of the IoT is radically changing the organization of our societies. To grasp what is at stake, a simple metaphor suffices. The Internet created the backbone of the information society. The IoT is now drawing its nervous system, completing the construction of a gigantic matrix, the cradle of a 21st century still in its infancy.

This system will have to be self-regulating, because its decentralized nature will defeat any attempt at centralized regulation. Security designed in upstream, rather than bolted on after the fact as is so often the case, therefore promises to be a central technological issue of the twenty-first century.

This will require us to thoroughly rethink security testing and auditing strategies for the Internet of Things, which should gradually lead us to something similar to the automobile industry, where crash tests have ended up being a compulsory step before any product goes to market. Indeed, with the Internet of Things, it is no longer a computer that crashes or a credit card number that is stolen, but a car, with its occupants, that leaves the road (or, less seriously, a boiler that leaves you with a hefty bill).

This heralds a vast undertaking in which security and safety will be linked more closely than ever.

To achieve this essential decentralized approach to security, for the Internet of Things as for the Internet itself, two elements missing today seem indispensable: greater accountability of the companies that bring technology to market, on the one hand, and inclusion of those who form the backbone of IT security, ethical hackers, on the other.

The first should move forward rapidly with the arrival, in less than two years, of the European Union's regulations on personal data and cybersecurity, which will impose more transparency on companies under threat of very heavy penalties. The second, an inclusive approach to ethical hackers, could advance strongly as hackers move to the foreground through Bug Bounty programs, which crowdsource the hunt for vulnerabilities, among other things in the Internet of Things, to communities of hackers. Collaboration between companies and hackers is moving from an era of capricious, occasional, even tense relationships to one driven by necessity, even imperative.

Yassir Kazar is a "serial entrepreneur" and ISO/IEC 27001 Certified Lead Auditor. He regularly speaks at conferences and workshops on topics related to cybersecurity.

He taught Business Intelligence in the Master 2 MIAGE program at Paris V. Yassir is the co-founder and CEO of the start-up Yogosha, a Bug Bounty platform.