Editorial N°9 – Valentine’s Day, privacy and cybersecurity

This Valentine’s Day month has shown us that the security of IoT devices, and cybersecurity more generally, is everyone’s business. During the last edition of the International Cybersecurity Forum (22 and 23 January 2019), ANSSI Director Guillaume Poupard also took care to recall the role everyone plays in cybersecurity. Built for mass consumption, connected objects with flaws in their design and/or implementation expose all sensitive data to hackers. Missing updates or default passwords that are never changed can lead to the theft of confidential data, compromising users’ privacy.

On Valentine’s Day, several security experts reminded us of the importance of securing our most intimate connected objects. Connected sex toys in particular were singled out: although they are romantic in nature, researchers alerted users to the security flaws they contain and to the risks they pose to personal data. Mozilla’s recent study reviewed 70 consumer products, including smart vibrators. The study revealed that they collect and share personal data without the consumer being informed. As a result, users have been exposed to vulnerabilities that can lead to identity theft or theft of confidential data.

Users are most often affected by the technical defects of connected objects. This February in particular, major flaws were identified in connected home automation assistants, going so far as to violate consumers’ privacy. The human vector, which is at the origin of major attacks, allows attackers to infiltrate private spaces. Connected home automation objects are vulnerable, as they can record private conversations. Like the Amazon Echo, Nest Secure security alarms have recently been the subject of cyber-attacks; through them, attackers have been able to infiltrate a family’s home and insult them via the microphone.

While the CIF has been an opportunity to raise awareness among experts and the public about the use of connected objects and the vulnerabilities they face, awareness must also be raised further upstream, from the construction stage. In response, ETSI, a European Standards Organisation (ESO), recently published the first globally applicable standard for the security of the Internet of Things. This IoT cybersecurity standard establishes a security foundation for IoT devices, for consumers and manufacturers alike. The standard has set itself the challenge of addressing major and widespread security deficiencies in IoT devices and of providing them with all the compliance they need (GDPR). Addressing industrial players, the CIF also recalled the challenge of securing their systems. Often interconnected with customers and subcontractors, these systems represent major gateways for attackers, who target both companies and individuals. The security of an industrial system or a connected object must therefore be ensured from the design phase.

Connected objects that are not updated or that have design defects represent a danger to the privacy of users who place absolute confidence in them. This month, awareness of the security of these IoT devices was in the spotlight. This is more than necessary to preserve sensitive consumer data.