Overview
ABSTRACT
In order to meet the needs of industry and consumers, the variety of connected objects never stops expanding. However, cybersecurity remains a major concern that limits their deployment. The multiplicity of technologies used to acquire and exchange data between the various nodes of the Internet of Things, coupled with hardware limitations in terms of computation and user interfaces, makes it difficult to ensure end-to-end security. This article gives an overview of the risks associated with the Internet of Things through an analysis of threats, both remote and local, and presents their countermeasures.
AUTHORS
- David ARMAND: Expert in hardware and software security for embedded systems – Orange Security Expert
- Arnaud DE BOCK: Senior Architect – Orange Security Expert Orange Business Services
- Loïc FERREIRA: Research engineer in security and cryptography – Applied Cryptography Group – Orange Security Expert
INTRODUCTION
In a general environment where cybersecurity is an essential component of networks and services, IoT (Internet of Things) objects today present specific characteristics that are sources of weakness:
- the low level of security maturity, or even the absence of a strong security culture, which can be observed in certain technologies or in common implementation flaws (such as a single, trivial password for a whole series of objects). Studies of the security of various objects often find open serial ports, unprotected radio interfaces, obsolete kernels in firmware, secret keys stored in the clear, etc.;
- the positioning of objects as entry points to the Internet and to personal information systems (local home networks) and professional information systems (internal company networks). Because objects are disseminated in the field and accessible both locally and remotely, they extend the attack surface of networks and systems;
- the massive deployment of objects built on the same foundation, which turns any vulnerability into a large-scale threat;
- the massive generation of personal data, which must be strictly protected under users' rights to privacy and control of their data;
- the ability to act in the real world, which creates new malicious motivations: spying on homes using cameras or voice assistants, using industrial systems to damage factories, endangering or even harming individuals, etc.
These weaknesses, which are very real in objects, can be used to hijack the IoT services themselves: disrupt a factory, spy on a home, open a door, divert a car or stop a pacemaker... Security researchers regularly report a long list of real-world or laboratory exploits (see, for example, the training sessions on hacking IoT objects via IP, radio and hardware interfaces at the Black Hat conference (1)).
But paradoxically, objects are more often hacked to break into an information system, or even just for their raw computing capacity and bandwidth, as demonstrated by the Mirai family of networks of infected objects since 2016. Malware constantly scans the Internet for vulnerable (e.g., not updated) and open (e.g., possessing...
KEYWORDS
security | IoT | threat
This article is included in
Security of information systems
IoT cybersecurity risks
Bibliography
- (1) - Black Hat 2019 IoT hacking training sessions. - https://www.blackhat.com/us-19/training/schedule/#track/iot
- (2) - KOLIAS (C.), KAMBOURAKIS (G.), STAVROU (A.), VOAS (J.) -...
Standards and norms
- ETSI CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements - EN 303 645 - 2020
- Internet of Things (IoT) — Reference Architecture - ISO/IEC 30141 - 2018
Directory
Organizations – Federations – Associations (non-exhaustive list)
ANSSI - French National Agency for Information Systems Security
ENISA – European Cybersecurity Agency