Securing connected objects (IoT)
State of play of the cyber threat of the IoT ecosystem
By definition, a connected object exchanges data and information over the Internet. This data can be intercepted by hackers and diverted for malicious purposes. Recent news and studies on this subject confirm it: connected objects are vulnerable and can be hacked. Hacked webcams that allow surveillance of company or home premises, hacking into a pacemaker that would send a fatal discharge to the patient, stealing a connected car with a simple transmission key, hacking into a casino through a connected thermometer in an aquarium: the examples are many and edifying.
The reason for these repeated attacks? It is now easy for hackers to find self-service malware on the darknet, and IoT equipment is characterized by simple vulnerabilities, within reach of all hackers. Indeed, whether by compromising a password or by using the default login credentials, it is easy for a hacker equipped with malware found on the darknet to infect thousands of connected objects in a few seconds. One of the most successful examples is the Mirai botnet, whose source code has been made public and which many hackers have used to infect IoT devices. Researchers at Princeton University estimate that 600,000 connected objects have been hacked by the Mirai botnet, including security cameras and home routers.
What is at stake in these attacks against connected objects is not only the theft or compromise of data. Indeed, by hacking into many connected objects at the same time, the hacker can overheat the power grid and ultimately cause a blackout in a city. Obviously, enough hacked objects are needed, but the risk is present and has been the subject of a Princeton University study proving its veracity. The security situation of connected objects is alarming. It is clear that it is becoming essential to better secure the IoT.
How to better secure connected objects?
Various solutions exist to overcome this IoT security problem, but few are actually applied by manufacturers. Allowing customers to change standard passwords is an option to consider. Manufacturers could make this password change mandatory the first time the object is connected. This solution would limit the number of vulnerable IoT devices with a default password. The principles of security by design can also be applied, in particular by minimizing the attack surface of connected objects or by applying the principle of least privilege.
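The mandatory password change at first connection described above, sketched as an added example (it is not code from any manufacturer). The `Device` class, the factory password and the list of common defaults are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

FACTORY_PASSWORD = "admin"  # constructed factory default, for illustration only
COMMON_DEFAULTS = {"admin", "password", "12345678", "root", "default"}  # constructed sample

class Device:
    """Hypothetical device account that stays locked down until the default is replaced."""

    def __init__(self):
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(FACTORY_PASSWORD)
        self.must_change = True        # set at the factory, cleared only by change_password()
        self.services_enabled = False  # telemetry, remote access, etc. stay off until then

    def _hash(self, password):
        # Store a salted, slow hash rather than the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def _check(self, password):
        return hmac.compare_digest(self.pw_hash, self._hash(password))

    def login(self, password):
        """Return 'denied', 'change_required' or 'ok'."""
        if not self._check(password):
            return "denied"
        # The default credential only ever opens the password-change screen.
        return "change_required" if self.must_change else "ok"

    def change_password(self, old, new):
        """Replace the password; reject short, reused or well-known default values."""
        if not self._check(old):
            return False
        if len(new) < 12 or new.lower() in COMMON_DEFAULTS or new == old:
            return False
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(new)
        self.must_change = False
        self.services_enabled = True
        return True

    def factory_reset(self):
        """A reset restores the default password, so it must restore the lock too."""
        self.__init__()
```

The point to check in a real product is the last method: a factory reset that brings back the default password without re-arming the forced change reopens the hole.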
Data encryption is also a solution. In fact, few manufacturers offer connected objects that integrate a security feature for the data that the object collects and sends. Encryption is an effective option but has some shortcomings: with a poorly configured encryption key, the encrypted data will be unusable. There is therefore room for improvement in the security of connected objects. This is an issue for manufacturers, but also for individuals and companies, who will have to develop their use of IoT devices in the coming years.
The 3 main principles of security by Design