Attacks on IoT devices increased nine-fold between the first half of 2018 and the first half of 2019, from 12 million to 105 million, according to Juniper Research. To better understand the challenges and risks of cyber attacks for companies using connected objects, we met with Hatem Oueslati, co-founder of IoTerop, a company specializing in the cybersecurity of connected things. With him, we look at the stakes, good practices and technological advances related to cybersecurity in the IoT.
IoTerop, expert company in cybersecurity of connected things
ELA INNOVATION: Mr. OUESLATI, can you tell us more about IoTerop? And about OMA?
Hatem Oueslati: “IoTerop, based in Montpellier, was created in 2016 by three former Intel employees. Its software revolutionizes the Internet of Things by providing the cheapest devices with powerful, secure and reliable remote management. IoTerop thus perpetuates the deployment of millions of connected devices by requiring very few hardware and energy resources. This software is based on a worldwide standard, Lightweight M2M 1.1, of which IoTerop is a major actor both in the definition of specifications and in its implementation.
Indeed, IoTerop has recently joined the steering committee of the international standardization organization OMA SpecWorks (https://omaspecworks.org), which defines the Security and Remote Management Standards for the Internet of Things. The OMA SpecWorks Steering Committee is composed of IoTerop, AT&T, Ericsson, T-Mobile, ARM, Itron and Qualcomm. OMA is particularly pushing for the adoption of Open Standards such as OMA Lightweight M2M, in the industry, designed specifically to thwart hacking of connected devices and to provide the ability to remotely manage the massive deployment of connected devices.”
Impacts and risks related to the cybersecurity of connected things for companies
ELA: What are the impacts/risks for companies using connected objects?
Hatem Oueslati: “The security of connected objects is a monumental challenge. Failing security on a connected device can have serious consequences. Indeed, in addition to the leakage of personal data, an attack on a connected object can be used for much larger scale hacking by simply being a gateway giving access to a network of several million other objects. In 2016, the largest DDoS (Denial of Service) attack was launched on OVH and Dyn service providers using an IoT botnet. Access to a large portion of the Internet, including Twitter, The Guardian, Netflix, Reddit and CNN, fell. This IoT botnet was made possible through the use of a malicious program called Mirai. Once infected by Mirai, computers searched the Internet for vulnerable IoT devices (mainly cameras and DVR players) and then infected them in turn and used them to attack the targeted sites.
We regret to note the little, if any, security on the connected device solutions currently deployed. In some cases, data is sent unencrypted and can therefore be intercepted, falsified or hijacked very easily by a third party. Connected systems and their data must be secured from end to end using robust, reliable and regularly updated mechanisms.”
Good practices to prevent security issues
ELA: What are good practices to protect yourself and prevent cyber security problems?
Hatem Oueslati: “Security, data collection and analysis are becoming fundamental issues in the context of the rise of the IIoT (Internet of Industrial Objects). Manufacturers need to add security elements to their connected objects at the design stage. It is essential that these security elements are based on international standards to maintain the openness and interoperability of the entire solution and its value chain. It is also important to use a security mechanism adapted to the nature of the connected device and the environment in which it is evolving. Indeed, we don’t secure a connected object in the same way as we secure a PC, so we need to take into account its limitations in terms of computing power, memory, energy availability and network bandwidth occupation. These security elements must be able to evolve over the lifecycle of the device. New vulnerabilities will obviously be found once they have been deployed, so manufacturers need to plan for software update mechanisms in the design of their objects so that security patches can be applied over time.
On the other hand, it is necessary to think from the start about a dynamic and non-static security of the connected object, based on logics allowing for example to change the security keys of a device if they have been compromised, to revoke a device if it has been stolen, etc. As the massive deployment of industrial connected objects is relatively strong, still few manufacturers apply these methods and implement the right solutions, which are essential for the massive deployment of connected objects. Nevertheless, this is part of the research and development topics of several of them.”
What are the technological choices to secure connected objects?
ELA: What are, in your opinion, the most recommended security technologies for connected objects?
Hatem Oueslati: “Security Standards are an important issue, and there is still a lack of knowledge about them. And yet, their adoption is a sine qua non condition for the emergence of high-volume connected objects. Manufacturers need to adopt open security standards that enable them to ensure the end-to-end security of connected objects, particularly in terms of authentication and encryption of communications.
IoTerop’s ambition is to secure and remotely manage billions of connected objects by relying on standards issued by international standardization consortiums, mainly OMA (Open Mobile Alliance), which is behind the Lightweight M2M protocol, and IETF (Internet Engineering Task Force), which develops and promotes Internet standards, in particular the standards that make up the Internet protocol suite (TCP/IP). These are the most successful international standards bodies in the industry. We are a member of these standardization bodies, and as such, we are a driving force in the definition of these standards.
The IETF standards DTLS, TLS and, recently, OSCORE make it possible to manage authentication and encryption of communications in an efficient and adapted way in connected objects, with a slight reservation for TLS (on TCP), whose heaviness is penalizing, in particular on constrained networks such as NB-IoT. In the latter case, DTLS (on UDP) or OSCORE is preferred, which can be a very interesting alternative especially for non-IP networks, perfectly adapted to LPWAN. This security must be designed dynamically, i.e. updates or changes to encryption keys must be possible remotely. This is the interest of the standardized CoAP and LwM2M layers, which will allow connected objects to integrate standardized management functionalities such as bootstrapping or provisioning of parameters, configurations and other security keys (automatic auto-configuration and/or reconfiguration of certain parameters, configurations and security keys dynamically at the first start-up of the device).
As security vulnerabilities are discovered, device software will need to be adapted to eradicate hacking. This is precisely what LwM2M can do, a highly efficient end-to-end management of software updates on connected objects. This is an essential point that ensures the durability and economic viability of the solutions put in place.
OMA’s LwM2M and IETF’s OSCORE are the best of the state of the art in the field of remote management of connected objects and these technologies are in a phase of massive adoption by major industry players.”
The Future of Security in IoT
ELA: What is the future for the security of connected things?
Hatem Oueslati: “The major telecoms operators, major manufacturers and governments will naturally impose regulations, and in particular the use of International Security and Remote Management Standards on manufacturers of connected things. It is these same players – the world’s major operators, the main manufacturers of connectivity chips, and major suppliers of connected meters – who are now working on the most appropriate technologies for the mass deployment and security of connected devices. There is still too much fragmentation in this field, too many proprietary or insufficiently secure solutions on the market.
The interoperability, remote management and security of our smartphones and Internet applications seem obvious today. However, they are only possible thanks to the adoption of Open Standards, and the origin of these initiatives often comes from these same consortia.
Beyond the cryptography of data from connected objects, the Internet of Things market will therefore evolve towards more remote management and more dynamic end-to-end element security.”