From surveillance cameras to refrigerators the number of objects connected to the Internet 24 hours a day multiplied. And the risk of diversion too.
At the end of September 2016, a deluge of connections occurred on OVH, the European giant of Internet hosting. It comes from a network of at least 145,000 connected objects, all piloted without the knowledge of their owner, completely disrupting the operation of the servers of OVH, which are saturated. Barely a month later, part of the American Web is shaken by a similar attack. The company Dyn, which provides part of the basic architecture of the network, was targeted by a horde of connected zombie cameras: they have multiplied the connections until saturated its services. Several major sites have been rendered unavailable by this attack, known as "denial of service".
The problem of the security of connected objects, the operation of which can be altered by hacking or whose data can be intercepted, is well known. But the attacks on OVH and Dyn, characterized by the use of connected objects gathered in a remotely controlled network by an attacker, put a third risk on the scene. That of the diversion of objects connected in vast zombie networks able to launch very powerful attacks. This issue was one of the topics addressed at the 9th International Forum on Cybercrime, which ended in Lille on Wednesday 25 January.
Two evolutions explain this renewed concern. Firstly, the multiplication of the number of objects connected to the Internet: it is not only computers and telephones that are provided with a connection to the network, but also surveillance cameras, certain industrial machines and even refrigerators, and this 24 hours a day.
Manufacturers with very diverse profiles
Then, the frequent failures of the manufacturers of these objects to the basic requirements of safety: many of them have too little protections.
In an article published after the attack, OVH noted the frequency of "failures due to defects in their software design, neglect of manufacturers, who often attribute the same default password to all their products, or the negligence of the installers, who do not take the trouble to modify it when deploying them".
Manufacturers of connected objects have very different profiles. The question of safety is more or less a priority for different sectors: essential for a stand-alone and connected car manufacturer, it comes to the forefront for a producer of small cameras a few euros a piece.
The sector also has many start-ups with a very limited security budget compared to the more mature industries. "A lot of connected devices have to get out of the market very quickly, which leaves less room for security," adds Christophe Moret, vice president of cyber security at Atos.
How can I secure the connected objects? OVH, in his September 2016 note, puts forward some technical avenues to solve the problem: "Resisting [attacks] aimed at our customers is our job! [But] what can we do, for example, if the manufacturers of connected equipment do not correct the flaws of their [software], if the resellers do not dare to warn their customers that their hardware is infected? "
Yves Rochereau, director for France of the company Check Point, agrees: "A solution would be to make security from the design of the object", or to be able to automatically and remotely modify the software that equip the products to fill loopholes.
But most experts believe that the effects of attacks caused by pirated connected objects need to be addressed rather than tackled. "If there are abnormal behavior, it is up to the companies to equip themselves. As it stands, we are not able to secure all connected objects, "said Coralie Héritier, head of IDnomic.
Can public power play a role? "A standard on minimum security is inevitable: currently there is no standard on what can be connected to the Internet. States must be more proactive. A French standard for connected objects would be a beginning, although France obviously can not do anything alone, "says Christophe Moret.
In November 2016, the US Department of Homeland Security took over the issue and proposed "strategic principles" to secure connected objects, echoing the suggestions of professionals in the sector.
The latter consider that the situation is pressing, as connected objects are increasingly entering businesses, homes and administrations. It is less the threat of zombie objects than that of a dysfunctional attack that is dreaded. "There are more and more connected objects that have security impacts in vital sectors, for example in transport," warns Coralie Héritier.
Threat to critical infrastructures
The threat of an attack on industrial systems or critical infrastructures is regularly raised, in particular by the public authorities. The computer security of the most sensitive French companies, administrations and infrastructures is subject to a precise legal framework, resulting from the military planning law of 2013.
The future is not necessarily bleak. For Mr Moret, "standards are beginning to emerge: protocols where security has been taken into account are being put in place".
During her hearing on 10 January, before the Committee on Economic Affairs of the National Assembly, Laure de La Raudière, the co-author of a report on connected objects, "Confident": "We are only in the first phase of development of connected objects and the problem is well identified; It will be treated, even if it is not yet. "
More information on http://www.lemonde.fr/pixels/article/2017/01/27/le-casse-tete-de-l-securite-des-objets-connectes_5069854_4408996.html#2RxvSzJSgshgMORc.99