The development of the Internet of Things (IoT) raises the crucial question of the security of connected objects, which are particularly vulnerable to attacks. Télécom SudParis is involved in the research and development of cybersecurity technologies and is particularly interested in IoT security through the European collaborative research project VARIoT (Vulnerability and Attack Repository for IoT). Here's a look at an ambitious and promising project.
The creation of the project
The VARIoT project was set up by Grégory Blanc, a teacher-researcher at Télécom SudParis, lecturer in cybersecurity and networks, coordinator of the third-year specialization in systems and network security, and head of European and national projects.
After completing his engineering school internship in a research laboratory in Japan, Grégory Blanc continued his studies with a thesis in the field of cybersecurity. “The topic was related to client-side scripting, the objective being to protect the browser against attacks that can be organized via malware-infected websites,” says Grégory Blanc.
Back in France, the young researcher obtained a postdoc at Télécom SudParis, with Professor Hervé Debar. In 2012, the opportunity arose to participate in a European project in collaboration with Japan. This first project paved the way for collaborations such as the VARIoT project. Initiated by a European call for projects from the Innovation and Networks Executive Agency (INEA), VARIoT began in 2019 and ends in 2022, and brings together five European partners to work on the IT security of connected objects.
Why should we be concerned about the security of connected objects?
Because they are mass-produced with a short time-to-market, connected objects are prone to security flaws. Their resources are limited: once the operating system and various applications are installed, they have little memory left for security software. Security often has to be outsourced, which leaves these objects notoriously vulnerable to attacks.
“For objects connected to the Internet via a wireless connection, updates can be vulnerable to interception (or Man-in-the-Middle attacks) when integrity and authenticity guarantees are lacking: when requests and responses are not encrypted, the attacker can modify their content, especially if the object does not verify the identity of the update server,” explains Grégory Blanc.
“Another very common vulnerability is the administration web portal, like the Telnet service, used as an administration interface by many objects. You can connect to it using the administration credentials, which are often left as the default (e.g. admin/admin). Mirai is known to exploit this vulnerability.
“The attacks work by scanning the Internet for objects responding on the Telnet port that have weak authentication, i.e. with no or insufficiently protective passwords. It is then possible to take control of the objects and install new programs or generate requests on other entities on the Internet in order to create, for example, distributed denial of service attacks (saturation of communication capacities),” says Grégory Blanc.
The basis of the project
The purpose of VARIoT is to make all the data in the world on the vulnerabilities of connected objects and the attacks that target them available via a set of European web portals. Implementation of the web portal is supported by Carnot Télécom & Société numérique. The consortium set up to support the project is made up of Télécom SudParis, the Polish research institute NASK, the Dutch Shadowserver foundation, the Computer Incident Response Center in Luxembourg and Mondragon University (Spain).
Télécom SudParis brings its expertise in intrusion detection. “Our approach is to observe communication on the networks and try to determine whether the messages are issued by legitimate or malicious entities,” says Grégory Blanc. In the VARIoT project, a number of objects have been deployed in realistic conditions, interacting with humans to generate real traffic. This legitimate network profile is integrated into machine learning algorithms, so that an anomaly can be identified as soon as it appears. This prevents connected objects that have been infected from sending messages outside the network where they are located. Signatures of previously infected objects will also be collected to provide network behavior profiles of malware. This task is being carried out by Mondragon University, which has proposed a platform to reproduce the infection of an object and capture the network traffic, once this compromised object generates messages.
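The profile-then-detect approach described above, as an added example that is not code from the VARIoT project: a per-device baseline of known services and destination fan-out stands in for the project's machine learning algorithms, and it flags the outbound Telnet activity typical of an infected object. The flow records, device names, addresses and threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records: (window, device, protocol, dst_ip, dst_port).
# Device names are hypothetical; addresses use documentation ranges (RFC 5737).
BASELINE = [
    (0, "camera-1", "tcp", "198.51.100.10", 443),
    (0, "camera-1", "udp", "198.51.100.53", 53),
    (1, "camera-1", "tcp", "198.51.100.10", 443),
    (1, "camera-1", "udp", "198.51.100.53", 53),
    (0, "plug-1", "tcp", "198.51.100.20", 8883),
    (1, "plug-1", "tcp", "198.51.100.20", 8883),
]
OBSERVED = [(2, "plug-1", "tcp", "198.51.100.20", 8883),
            (2, "camera-1", "tcp", "198.51.100.10", 443)]
# In window 2, camera-1 starts contacting many hosts on the Telnet port.
OBSERVED += [(2, "camera-1", "tcp", f"203.0.113.{i}", 23) for i in range(1, 31)]

def learn_profile(flows):
    """Per device: known (proto, port) services and peak distinct destinations per window."""
    services = defaultdict(set)
    dests = defaultdict(set)
    for window, dev, proto, dst, port in flows:
        services[dev].add((proto, port))
        dests[(dev, window)].add(dst)
    fanout = defaultdict(int)
    for (dev, _), seen in dests.items():
        fanout[dev] = max(fanout[dev], len(seen))
    return {dev: (services[dev], fanout[dev]) for dev in services}

def detect(profile, flows, fanout_factor=3):
    """Flag services never seen in the baseline and destination fan-out spikes."""
    alerts = []
    new_services = defaultdict(set)
    dests = defaultdict(set)
    for window, dev, proto, dst, port in flows:
        dests[(dev, window)].add(dst)
        known, _ = profile.get(dev, (set(), 0))
        if (proto, port) not in known:
            new_services[(dev, window)].add((proto, port))
    for (dev, window), svc in sorted(new_services.items()):
        alerts.append((window, dev, "new-service", sorted(svc)))
    for (dev, window), seen in sorted(dests.items()):
        _, peak = profile.get(dev, (set(), 0))
        if len(seen) > fanout_factor * max(peak, 1):
            alerts.append((window, dev, "fan-out", len(seen)))
    return alerts

if __name__ == "__main__":
    print(detect(learn_profile(BASELINE), OBSERVED))
```

A device absent from the baseline has an empty profile, so every service it uses is reported as new.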
A collaborative network
Télécom SudParis also shares its data and IoT traffic models on the web portal (variot.telecom-sudparis.eu).
Shadowserver scans the entire Internet regularly to identify threats and share them with its network of partners. Since the beginning of the VARIoT project, Shadowserver has been scanning connected objects to identify them and study their security levels. NASK manages the aggregation of the data and the building of the database.
A threat analysis on IoT objects is coordinated by Smile, an entity working under the CERT (Computer Emergency Response Team) in Luxembourg, which has proposed using an information exchange platform (MISP) between CERTs at a global level and sharing cybersecurity data sources on connected objects across Europe on the European Data Portal.
The project has a very concrete focus on improving IoT cybersecurity. By providing more detailed knowledge of vulnerabilities and threats to connected objects, it will enable the development of tools capable of anticipating and preventing the occurrence of threats.
Moreover, since network data on connected objects is rare and difficult to obtain (due to the protection of privacy and personal data), generating this data will provide visibility and enable the evaluation of intrusion detection tools developed at Télécom SudParis.
The contacts that are being established with Yokohama National University for collaboration on these topics illustrate the broad interest in this work.