Intrinsec was present at SIDO (Internet of Things Exhibition), which took place at the Cité Internationale in Lyon on April 6 and 7 (www.sido-event.comThis was the first edition of such an event, which included various activities:

• Three parallel conference sessions; ;
• Stands from various market players; ;
• Demonstrations from major players (EDF, Orange, Microsoft, etc.).

Intrinsec was represented at this trade fair by Guillaume Lopes and Damien Picard.

In view of the number of conferences and presentations held during this event, we propose to take stock of them, focusing of course on information security.

Before we begin, a quick reminder about the Internet of Things.

What is the Internet of Things?

According to the OWASP top 10 Internet of Things "It is a set of connected objects with internet connectivity that can send and receive data.".

In practical terms, these are objects capable of collecting, communicating, and even processing information from their surroundings (temperature, radio frequency, electricity, etc.). These objects can generally communicate through various means:

• Wi-Fi; ;
• Bluetooth; ;
• Cellular networks (2G/3G/4G); ;
• Networks specific to connected objects: Sigfox and LoRa.

Let's take the example of a refrigerator, capable of determining its contents and sending you an alert when you run out of eggs.

We can therefore already see several points emerging where security comes into play:

• Within the object itself. Can it be controlled? Remotely?
• Within the data stream exchanged between the object and the associated processing platform, can it be intercepted, read, or modified?
• The platform that processes the data. What information is accessible on this service?

By processing platform, we mean any web service or application with which the object communicates in order to perform data processing (statistical analysis, storage, etc.). Generally, it is a platform cloud.

Issues related to the Internet of Things

In theory, it's wonderful: all objects communicate and inform us about our environment. In practice, there are more than a dozen different operating systems, some more up-to-date than others, for designing a device. This is compounded by the plethora of existing communication protocols and the various platforms with which objects want to communicate, without even considering the hardware architecture used. This raises an initial problem: how can we ensure security without a standard? We can certainly commend the efforts of the IETF and ETSI. (European Telecommunications Standards Institute) and some market players for the standardization of this environment, but for now they are only "« drafts »"And they are not yet widespread. Let us remember that security through obscurantism is not robust.".

To be appealing, many devices rely on long battery life, and manufacturers must reduce the energy costs of communications and processing. For those who think encryption is too energy-intensive, be aware that there are algorithms adapted to your needs, including AES-128, which has been implemented, for example, on RFID cards. Since AES is a symmetric encryption algorithm, keys must be exchanged beforehand. This can be done using specialized hardware and exchanging keys as defined by the DTLS protocol. (Datagram Transport Layer SecurityThis approach, although slightly more expensive and generating more packet exchanges, is based on a proven protocol. A paper A more detailed discussion of the resulting overconsumption has been published.

It should be noted that the use of cryptographic mechanisms by third-party service providers (LoRa/Sigfox operators, web service providers, etc.) only secures data between the third party and the connected device. They therefore have access to the data in plain text. Consequently, an attacker who has managed to compromise their infrastructure will have just as much access. End-to-end security, that is, security between the device and the end user, may therefore be necessary to minimize the impact of such a compromise, and even essential in the case of critical data. It should also be emphasized that the mention of cryptographic mechanisms and the use of multiple keys in some documentation warrants more detail to establish the product's security. How are the keys managed? Can they be renewed? How are they used, and where do they come into play?

Another issue raised many times is how to manage the discovery of a vulnerability in a device. Gartner predicts between 25 and 50 billion connected devices by 2020, IDATE (Institute for Audiovisual and Telecommunications in Europe) even predicts 80 billion. Most with limited computing and communication capabilities. Let's imagine for a moment the impact of discovering a vulnerability affecting even just 1% of connected devices. How do you update 250 million devices with limited communication capabilities? How do you return to normal operation if the vulnerability is exploited? What kind of power do you gain from a botnet of 250 million connected devices? Can you interrupt the connection and still have the device remain usable, or can you drive a connected car like a regular car?

Let us now turn to what we call the processing platform. It is frequently the case that this is equated with the cloud. Let's get things straight, the cloud it's a business model. Some clouds offer security and security operations center services (SOC). But in no case can one claim that "the data is sent into a cloud, "They are therefore secure." One must even be extremely careful about the security of this platform, even if it is a cloud or an application, the latter potentially having access to all the objects connected to it.

Finally, we can ask ourselves about the standardization of risk analyses when the manufacturer of an object considers that taking control of their object is not critical, because it is unlikely and ultimately has little direct impact on the object's data, but a third-party publisher or user considers it critical because it could compromise their information system? Who should secure what? In the event of a compromise, who is held responsible?

State of security

It's also important to be aware that if we're asking ourselves all these questions, we're certainly not alone, and many people, with varying degrees of good intentions, have already asked themselves these questions. Moreover, we've already seen in the press that it's possible to’remotely unlock the doors of a connected car Or doors equipped with connected locks. These are only "works" that have been brought to the attention of the publishers or organized by them and on which they have agreed to communicate.

Conclusion

The Internet of Things, in its current state, and if nothing is done to improve its security, risks greatly increasing the attack surface of an information system. The question that can be asked is: how can we assess the security of a system with 25 billion potential targets where even 11³T of vulnerable objects can lead to disaster? The penetration testing approach in "« best effort »", even if it will never guarantee the absence of vulnerability, it might allow us to eliminate a number of them before they are placed on the market.