The Internet of Things is a historic technological revolution for the Internet. Thanks to connected objects, our daily life is changing constantly as we are introduced to innovations ranging from synchronised agendas to smart radiators. A study by Gartner found that, by 2020, there will be 20.8 billion connected objects capable of communication. Orange is positioning itself as a pioneer in the area, for example through its investment in the LoRa network since 2015 with the goal of interconnecting more efficiently with connected objects. Of course, the exchange of information among the 6 billion objects called the Internet of Things (IoT) raises security questions. In the race to innovate, is data protection at risk?
Internet security has always been a hot topic, but a violent attack that occurred last 24 October changed everything and called the security of all devices into question. As often happens, it was a “Distributed Denial of Service” (DDoS) attack that brought down the servers of a number of Internet giants that day. This classical procedure, which is well known to IT security experts, is unfortunately difficult to predict and stop. In a very brief period of time, cyber-criminals establish billions of connections in order to inundate a site and bring it down. Twitter, Netflix, Spotify, Amazon – on 24 October, all these sites were rendered partially or completely inaccessible.
Nevertheless, those responsible for this crisis were unable to get into the servers of all these services. The target of this attack was none other than the DNS of Dyn, a referral service that allows Internet site servers to be accessed from one and the same address.
Black Mirror, a science fiction series, examines current technologies and threats in order to paint a picture of our future.
To achieve their goal, the hackers employed a method that, up to that point, had never been used on such a large scale. They commandeered thousands of connected objects used by individuals and businesses. In particular, they found a major security breach in surveillance cameras connected with the Chinese brand XiongMai Technologies, which allowed them to bring down all these services. With a simple, small programme (“Mirai,” a virus that is easily available for free on the Internet), connected objects were literally transformed into robots that saturated the Dyn DNS network.
According to researchers at Flashpoint, around half a million devices connected to the Internet are susceptible to such IT breaches and so represent an equal number of potential threats. The most common error is the use of a default password that users do not bother to change when they set up their devices.
To be sure, this attack was not the first of its kind, and it will not be the last. It is likely that other Internet criminals will attempt to bring down a number of servers or steal thousands of files, sometimes for reasons we do not understand. Nevertheless, after what has been called “the 24th October blackout,” a number of experts are emphasising the importance of the “security by design” approach. This method, which makes security an integral part of design, is already used by all businesses working in sensitive areas such as the world of banking, but it has so far not been a prime concern for start-ups that give priority to usability and performance when developing their connected objects, and do so to the point of neglecting to make their devices secure.
What if this connected oven was a threat?
According to Tanguy de Coatpont, General Manager of Kaspersky France, “It costs 10% to 15% more to develop a secure connected product than an unsecure version of the same product.” Although expensive, the product security phase now needs to be an integral part of the process of creating any new intelligent device that is connected to the Internet and sold on a large scale. Users, on the other hand, must acquire new habits and ensure that their new connected oven, for example, is correctly set up so that it does not affect the security of their preferred VOD service. There is nothing sadder than eating a pizza in front of a black screen.
It is precisely the lack of security restrictions within the Internet of Things that has encouraged many businesses to invest in this flourishing sector. To ensure the continuity of the objects and the security of their users, many experts are calling for the introduction of standards that could be implemented by existing organisations, such as the European Committee for Standardization. Edward Humphreys, who works on these issues at the ISO, states: “We are attempting to create a solid foundation of standards to ensure that our data is protected in a connected digital universe, and to build consumer confidence. We hope that these standards will promote the development of solutions that meet the unique challenges of the Internet of Things.”
Stéphane Richard, CEO of Orange, explains LoRa network
Many research groups around the world, including ARCEP and the French Ministry of Defence, are already studying the most well-known vulnerabilities, and this has allowed them to outline best practices and recommendations to be adopted by those involved at all phases of a connected object's life (designers, manufacturers, operators, and data storage services). In April, the European Commission employed a more official and rigorous process to create a general regulation to be applied in all Member States of the European Union from 25 May 2018. The “default security” concepts mentioned above, and the assessment of personal data protection risks, are at the heart of these new provisions.
Of course, sanctions are foreseen for those who violate this new regulation. In order to ensure the security of connected objects, all manufacturers are now also being asked to provide the means of distributing security updates to all users and of implementing those updates, and to do so throughout the life of a product. To be sure, these directives will not be the last. We must now consider all these innovations and systematically integrate network and data security into the equation.