The hyper-connectivity of today's society brings new threats and attack scenarios. The Internet of Things thus raises new security challenges, which must be taken into account now so as not to be helpless in the face of possible attacks. To this end, we will briefly present several prospective scenarios on different scales in order to better understand the risks involved.
The "Internet of Threats": when new technologies become a danger
Internet of Things security today is comparable to the early days of the Internet: no encryption, little awareness of vulnerabilities and possible attacks, low maturity. However, the hardware and knowledge needed to carry out increasingly complex attacks are ever easier to obtain.
This is particularly the case for the numerous connected objects that communicate by radio frequency: the equipment costs virtually nothing and the knowledge is widely available. Manufacturers often neglect the security of their objects, which leads to exploitable vulnerabilities in connected bulbs or locks. Security researcher Renaud Lifchitz, expert at Digital Security, has demonstrated the weakness of the encryption implementations on certain locks, opening the possibility of retrieving logins or passwords in cleartext. Sensitive information is sometimes even hard-coded.
The nature of the objects that manufacturers connect changes the content of the data generated. Connected bracelets or home automation equipment, for instance, produce data that is sensitive and compromising if the device is hacked. The same goes for the smart city, which can experience major disruptions to its infrastructure and services in the event of malicious acts. Industrial systems are not spared, as shown by the attack on a German steelworks in 2015, which caused extensive damage against a backdrop of industrial espionage.
The lack of security can be explained in particular by the innovation paradigm that drives manufacturers to develop and produce objects rapidly, putting time to market ahead of security problems. These shortcomings become critical when they put the lives of the users of these objects at stake, especially for objects used in the medical sector. A connected pacemaker that is remotely hacked can thus cause the death of its wearer. Medical data processed by hospitals - which increasingly use connected equipment - is also likely to end up leaked.
The Internet of Things is also arriving in the military domain: reconnaissance or attack drones, sensors of all kinds in equipment, connected rifle scopes; the soldier becomes an extension of the network. The security challenges then shift from the individual to the group, and even to the whole nation.
For the individual, the risks are of several kinds, but mainly concern personal data leakage or harm to physical integrity. Let us look at two possible scenarios against individuals.
The first possible scenario is the burglary of a house using connected devices. A connected lock, for example, can easily be hacked to open. Default configurations, encryption vulnerabilities, unprotected administration interfaces or duplicable badges are vulnerabilities that make a burglar's work easier. From an insurance point of view, the lack of evidence of a break-in can cause real problems.
The second scenario to consider is the hacking of a connected car. While artificial intelligence integrated into vehicles is known to improve their safety, connectivity that is poorly secured can open the door to taking control of the automobile. The car can thus be diverted from its path (without the driver being able to intervene) to create an accident and commit targeted and potentially undetectable killings. In the context of terrorist actions, a remote-controlled, explosive-loaded vehicle could be used to carry out deadly attacks without the need for a physical presence on board.
In companies: a new access to the Information System
In the company context, connected objects bring not so much new threats as new attack surfaces. Whether brought in by employees or deployed by the company itself, these objects are not without risk.
The first threat is the possibility of the involuntary theft of confidential company data through a connected object brought in by an employee. Because these devices are not designed for an enterprise environment, they almost never follow the information system (IS) security policy, even though they can connect to the company's network. It is then easy for malware to recover sensitive data as part of an economic intelligence attack or industrial espionage. The problem is the same as with mobile phones in their early days and with the BYOD trend.
These connected solutions can also belong to the company itself. Imagine, for example, a connected air conditioning system in the server room which, if hacked, could allow the temperature to rise abnormally and thus cause damage to the computers. If the attacker's goal is to enter the premises, connected access devices would allow him to exploit a flaw in communication protocols in order to enter the building. A connected bulb that keeps the Wi-Fi password in memory, a robot vacuum cleaner that knows the layout of the premises and the hours when employees are present, or a smart television equipped with a microphone in the meeting room are all ways of entering the company or its information system.
At the state level: cyber-warfare and terrorism
Threats related to connected objects exist at the state level, whether they are actions of isolated groups or cyber-warfare between nations. We will detail two scenarios to illustrate this.
Attacks against websites representing the government of an adversary state are not a recent method, as evidenced by the conflict between China and Japan around the Senkaku Islands, where groups of Chinese patriotic hackers targeted Japanese institutional websites. The novelty lies more in attacking physical infrastructure, preferably critical, such as power stations. On December 23, 2015, Russian hackers managed to cut the power for more than 600,000 people in Ukraine by hacking a power plant. Airports could also be a prime target for attackers, effectively grounding aircraft.
The hijacking of civilian drones is the second threat that we choose to present in this article. Several uses can be made of these devices, such as drug delivery over the US-Mexican border by cartels. Drones of US Customs were hacked in January 2016, among other cybercrime actions carried out by the cartels. Drones can also be used to drop explosives on crowds, public figures or critical infrastructure as part of a terrorist action. The use of drones for reconnaissance operations to prepare an attack has also been proven, particularly in Syria by the Islamic State.
Internet of Things security is therefore a major issue for data protection and people's safety, for individuals as well as for companies and states. The increasingly deep integration of technology into society has made the risks physical, as people's lives are now at stake. At a time of ubiquitous computing and the proliferation of computing devices, the security response must be holistic. Too few actors today are actually involved in the development of IoT security solutions. Standards in particular, which would allow security practices to be unified, are missing. Threats related to connected objects are more and more present and should be contained through action by the stakeholders involved in the Internet of Things.
This article is the synthesis of the feature article published in the OSIDO of July / August 2016.