Editorial N°3 – Sea, hack and sun

During the summer, computer security conventions introduced the latest discoveries in IoT hacking. Default passwords, unsecured communications, use of default secrets: all these vulnerabilities allow attackers to manipulate a smart device and access the data stored on it.

At DEF CON 2018, Damien Cauquil, security expert at digital.security, presented how jamming a specific part of the Bluetooth Low Energy (BLE) protocol could be used to connect to a device already associated with a smartphone. An attacker can then prevent access to a smart device or interact directly with it. “For years, we have been able to analyze and intercept communications” explains Damien Cauquil.

Although security experts have been warning about IoT risks for several years now, security updates are slow to be implemented. Sometimes, even when manufacturer patches have been applied, they can be bypassed by criminals. The hacking of a Tesla Model X in 2017 is a perfect example. The manufacturer, which had already been the victim of a cyberattack, suffered another compromise. Security researchers were once again able to access the CAN (Controller Area Network) data bus that interconnects the equipment and the embedded system that drives it, demonstrating the obsolescence of the security patches.

With the extension of the Internet to the physical world, everyday objects, even harmless ones, can be used for malicious purposes. In May 2018, the CEO of a computer security company reported a case symptomatic of the very low level of protection offered by smart devices: a casino was hacked because of a connected thermometer placed in the aquarium of the entrance hall.

While these vulnerabilities allow criminals to control data stored on smart devices, the takeover of certain solutions represents an immediate danger to humans. At Black Hat 2017 in Las Vegas, computer security researchers presented how they were able to take control of a 100% automated car wash. With the owner’s permission, they were able to access the system, close the station’s interior doors and trap a vehicle. The researchers claim that they could have directed a powerful jet of water at the passenger door to prevent the driver from getting out of the vehicle, or even to seriously injure him.

Faced with this increase in cyberattacks, governments did not fail to react. In order to prevent IoT cyberattacks, the US Senate passed the Internet of Things Cybersecurity Improvement Act in August 2017. This legislation should make it possible to define the safety standards applicable to equipment installed on US administration networks. In France, the General Data Protection Regulation (GDPR) is an important step in strengthening IoT security, in particular for personal data.

As Bruce Schneier announced at the Infosecurity Europe 2017 event in London, “regulation is coming, with strength”. We hope this regulatory evolution will raise real awareness among all stakeholders about securing their solutions.