Connected objects (the “Internet of Things”) are one of the major trends of the moment, so much so that some even speak of a genuine revolution that could have more impact than the arrival of the Internet itself, no less. This trend is still in its infancy, and yet connected objects already exist in many areas:
Health: scale, connected bracelet, blood pressure monitor, … or even a connected fork!
Leisure: watch, TV, Google Glass…
Home automation: camera, alarm, thermostat (Google’s Nest for example), light bulb…
But more connected objects means more data collected, which creates new problems around the security of that data. By definition a connected object exchanges information, most of the time over the Internet and sometimes through a smartphone or a computer. That information can therefore be intercepted or misappropriated, often for malicious purposes, if only to learn more about you: some brands would pay a lot of money today to know your eating habits, your location, the programs you watch on TV, and so on.
The example of the Quantified Self
Symantec published in August 2014 a report on the security of “Quantified Self” connected objects, available here:
This very interesting study focuses on “activity sensor” objects in the broad sense: connected wristbands, smartphones equipped with sensors, connected scales, and so on. Its conclusions are chilling, even for products sold by well-known brands that are considered relatively serious.
Here are some of the results of the study:
All of the products studied are vulnerable to location tracking, meaning that an attacker can find out where you are quite easily. This is mainly due to the use of Bluetooth LE, very widespread on this kind of product because it consumes little energy, but generally implemented with little or no security: the device keeps advertising the same address wherever it goes. A simple network of Bluetooth sensors is then enough to follow your movements. The same applies to Wi-Fi, although iOS 8 adds a mitigation by randomizing the MAC address the phone uses when scanning for networks.
20% of the apps transmit your password in plain text. This figure is just as worrying, because securing password transmission is not a new topic, yet major gaps remain. It is all the more dangerous since many users reuse the same password across different services. As the report points out, the attacker then only needs to target the most vulnerable element of a user’s ecosystem, here the connected object and its app, to recover the password.
54% of the apps have no privacy policy. More than half of the applications studied therefore do not tell the user what data is collected, how often, where and for how long it is stored, whether it is shared with third parties, and so on. Beyond being contrary to a number of regulations (those enforced by the CNIL in France, for example), it means users must place blind trust in the processing and storage of data that is quite sensitive.
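The plain-text password finding is easy to reproduce against your own device’s app: capture its traffic and look for credentials that are readable on the wire. The scanner below is an added example written for this article, not code from the Symantec report; the captured requests, ports, host names and the “hunter2” password are constructed for the demonstration. Anything sent over TLS arrives as opaque bytes and is never flagged, which is exactly the property a correctly built app should have.

```python
"""Scan captured application payloads for credentials sent in the clear.

Added example (not from the Symantec report). Input is a list of
(destination port, raw payload) pairs as a packet capture would yield them.
Readable HTTP requests are parsed for form fields, JSON keys and HTTP Basic
headers that carry a password; TLS records are not readable HTTP and
therefore never produce a finding.
"""
import base64
import json
import re
from urllib.parse import parse_qs

# Constructed sample capture: one fitness app logging in over plain HTTP,
# one request using HTTP Basic, one TLS ClientHello fragment, one harmless sync.
CAPTURE = [
    (80, b"POST /api/login HTTP/1.1\r\nHost: api.example.com\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         b"email=alice%40example.com&password=hunter2"),
    (80, b"GET /api/steps HTTP/1.1\r\nHost: api.example.com\r\n"
         b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),   # TLS record: opaque
    (80, b"POST /api/sync HTTP/1.1\r\nHost: api.example.com\r\n"
         b"Content-Type: application/json\r\n\r\n"
         b'{"device_id": "abc123", "steps": 4210}'),
]

CREDENTIAL_KEYS = {"password", "passwd", "pwd", "pass"}
REQUEST_LINE = re.compile(r"^(GET|POST|PUT|PATCH) \S+ HTTP/1\.[01]$")


def credential_fields(payload):
    """Return descriptions of credential-bearing fields in one readable HTTP request."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return []                      # opaque bytes (e.g. a TLS record): nothing readable
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return []                      # not an HTTP request at all
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    found = []
    # HTTP Basic is base64, not encryption: user:password is readable to any sniffer.
    if headers.get("authorization", "").lower().startswith("basic "):
        found.append("authorization: Basic (base64 is not encryption)")

    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype == "application/x-www-form-urlencoded":
        keys = parse_qs(body, keep_blank_values=True)
    elif ctype == "application/json":
        try:
            obj = json.loads(body)
        except ValueError:
            obj = {}
        keys = obj if isinstance(obj, dict) else {}
    else:
        keys = {}
    found.extend(f"{ctype} field '{k}'" for k in keys if k.lower() in CREDENTIAL_KEYS)
    return found


def audit_capture(capture):
    """Flag every (port, finding) pair where a credential was readable on the wire."""
    return [(port, f) for port, payload in capture for f in credential_fields(payload)]


if __name__ == "__main__":
    for port, finding in audit_capture(CAPTURE):
        print(f"port {port}: credential in the clear: {finding}")
```

Run it over a capture taken while logging in to the app. The fix on the app side is not to obfuscate the field but to talk to the backend exclusively over TLS (with certificate validation left enabled), so that the whole request, password included, becomes unreadable to an observer on the path.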
These few figures show that even as brands jump on this trend, they sometimes do so without worrying much about the security of the data collected, which is nonetheless abundant and in some cases very sensitive. There are still few examples of massive data leaks for this kind of product, but unfortunately it is only a matter of time. Moreover, to carry out this study the Symantec researchers did not use advanced hardware, but a simple Raspberry Pi costing around 30 € coupled with a Bluetooth module and a battery: products accessible to anyone and very inexpensive.
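To see why a few cheap Bluetooth receivers are enough to track a wearable, consider what each sensor actually records: a timestamp, its own location and the address in the advertising packets it overhears. The script below is an added illustration for this article, not code from Symantec’s study; the sensor locations, timestamps and addresses are constructed. It reconstructs a trail for any address seen at several sensors and classifies each address using the two most significant bits of a BLE random address (static, resolvable private or non-resolvable private, as defined in the Bluetooth Core Specification), which is what tells you whether the device will keep the same address tomorrow.

```python
"""Correlating BLE advertising addresses across a network of sniffers.

Added example (not from the Symantec report). Several cheap BLE receivers at
known locations log the advertiser address of every packet they hear. A device
that always advertises the same address can be followed from sensor to sensor;
a device that rotates private addresses cannot be linked by address alone.
"""
from collections import defaultdict

# Constructed sample log: (timestamp, sensor location, advertiser address, address type).
# The address type comes from the advertising PDU's TxAdd flag (public or random).
# "c4:be:..." is a wearable with a fixed public address; the "random" entries
# are one phone rotating a resolvable private address between sightings.
SIGHTINGS = [
    (1000, "station", "c4:be:84:12:ab:01", "public"),
    (1005, "station", "5e:31:9a:70:44:02", "random"),
    (1900, "office",  "c4:be:84:12:ab:01", "public"),
    (1903, "office",  "7a:0d:c3:11:5e:9f", "random"),
    (3600, "gym",     "c4:be:84:12:ab:01", "public"),
    (3602, "gym",     "4b:88:02:e1:7c:33", "random"),
]


def address_kind(address, address_type):
    """Classify an advertiser address. Public addresses are fixed by design; for
    random addresses the two MSBs of the first octet give the sub-type:
    0b11 static (fixed), 0b01 resolvable private, 0b00 non-resolvable private."""
    if address_type == "public":
        return "public (fixed)"
    top_bits = int(address.split(":")[0], 16) >> 6
    return {
        0b11: "static random (fixed)",
        0b01: "resolvable private (rotates)",
        0b00: "non-resolvable private (rotates)",
    }.get(top_bits, "reserved")


def build_trails(sightings):
    """Group sightings by address; each value is the ordered list of distinct
    locations at which that address was seen, i.e. the trail an attacker gets."""
    trails = defaultdict(list)
    for _ts, location, address, _kind in sorted(sightings):
        if not trails[address] or trails[address][-1] != location:
            trails[address].append(location)
    return dict(trails)


def trackable_addresses(sightings, min_locations=2):
    """Addresses that could be linked across at least min_locations sensors."""
    return sorted(addr for addr, trail in build_trails(sightings).items()
                  if len(trail) >= min_locations)


if __name__ == "__main__":
    for addr, trail in build_trails(SIGHTINGS).items():
        print(f"{addr} [{address_kind(addr, 'public' if addr.startswith('c4') else 'random')}]: "
              + " -> ".join(trail))
    print("trackable by address:", trackable_addresses(SIGHTINGS))
```

Only the wearable with the fixed address yields a multi-stop trail; the phone’s three random addresses each appear once and cannot be chained. That is the whole difference between a product that implements BLE privacy (resolvable private addresses, rotated regularly) and one that does not. Note that address rotation is necessary but not sufficient: a device that also broadcasts a fixed name or manufacturer-specific payload can still be re-identified by that content.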
What future for the security of connected objects?
As we already discussed in our article on the Connected Conference, thinking about data security is under way, even if it is still in its infancy today. Standardization seems difficult given the heterogeneity of products and technologies, but interoperability will be one of the success factors. One can imagine, for example, APIs that impose a number of security constraints, forcing those who want to use them to follow the rules.
Connected objects are still not very present in companies, at least for professional use, but there is no doubt that this will change quickly. CISOs and other security leaders will have to face this new challenge, in particular to ensure that connected objects do not become the weakest link in their security.
Pending developments on this front, manufacturers could already simply follow the good security practices in force for many other systems: encryption of communications, authentication, physical protection, and so on. These practices do not stop applying because the system is a connected object; quite the opposite!