Back from our study mission to the USA on the subject of the Internet of Things (IoT) and AI, all the players insisted, Cisco and Microsoft in mind, on the importance of network security, systems and access. This is indeed a key point for the wonderful world of connected objects does not turn tomorrow into our worst nightmare…
If connecting multiple objects, orchestrating their operation is undoubtedly an exciting technological advance the dangers are real if everything is not done in a secure way, if the slightest breach in a system is exploited.
IoT currently has few elements of standardization, at least shared by all. The proliferation of solutions, protocols, attempts by each actor to “standardize” their approach makes this playground very interesting.
We find ourselves a bit like the time of the beginning of the micro-computing where the assembled elements communicated with each other, in small diffusion OS, non-standardized internal exchange protocols if only to make it work. a screen with the central unit! This made it fun for the hacker. The analogy can also be done between the micro-computer of the time which was the computer what home automation is at the IoT today.
It is normal that as with any emerging technology, there are youth problems that make everything far from perfect, that we need to find bridges, bypasses, and so on. Only, that’s it, it’s no longer a game, things have changed: all this is connected. An experiment in a corner with an object not sufficiently secure can have very important consequences.
The examples are unfortunately quite numerous and cold in the back
Remember the incident that occurred last year when the US Federal Medical Device Control Organization (FDA) announced that it had discovered a serious vulnerability in pacemakers manufactured by St. Jude Medical. If IoT devices have a huge potential in the medical field (just see the commitment of Apple with its Apple Watch to understand the issue) security is really a key point.
In this case, it was a vulnerability of the transmitter/receiver that was used by pacemakers to communicate with external services (doctors). Once the attackers had access to the pacemaker transmitter/receiver, they were able to modify the operation, deplete the battery and even deliver potentially fatal shocks.
But the attack is not necessarily direct, it sometimes aims to target only the weak link of a network. So in the case of the denial of service attack on CNN, Twitter and Netflix in October 2016, the botnet (named Mirai) that committed this package identified vulnerable connected objects (such as devices running a small Linux not updated or having kept the root password by default), installed on them to attack the targeted sites …
Same story with the Owlet baby heart monitor, hackers were not interested in the baby’s heart rate, but the weakness in the safety of equipment to relay and attack other devices of the House…
We also remember more than a year ago the history of TrendNet brand SecureView surveillance cameras, which allowed anyone to find their IP address and associated port (with a default password) and thus gave remote access to home video and audio to hackers .
There are unfortunately many other examples that do not always make the front page of the press. There are more reasons to consider all the elements of the IoT component chain.