“For the future, the key challenge will be incorporating security criteria in our industrial standards, and perhaps even creating a system of certification labels.”
Orange has a hand in every aspect of the IoT chain of services: in networks, via its investments in LoRa and LTE-M, in device and data management, via its Datavenue service and its Live Objects and DataShare platforms, but also in the devices themselves, having established a position in the smart device market in partnership with a number of other companies. Networks, platforms and objects: three key pillars of the IoT with the same pressing security needs. In an environment in which new digital threats are emerging every day, confidence is an essential prerequisite for the success of the IoT, and this can only be achieved through the design of highly secure solutions capable of protecting users’ privacy.
The threats remain the same – for now
When we think about risk in the IoT, what often springs to mind is a specific type of vulnerability: the ability of a hacker to remotely take control of a device, such as a camera or car. However, the type of cybercrimes being seen thus far in the IoT are usually fairly standard: hackers attempting to create a network of “zombies” for attacks on sites, or to penetrate IT systems by using the smart device as a point of entry. The recent case of a casino whose database was hacked into via a smart aquarium is a perfect example of this type of vulnerability. In most cases, the hackers are not particularly interested in the function of the device itself; rather, they are simply going after an easier target.
The weak point of a smart device: the device itself
Orange’s teams of experts carry out security audits on all kinds of smart devices. “We’re looking for both material weak points and software vulnerabilities that could allow the devices to be remotely accessed and controlled, explains Sébastien Allard, Manager of the Terminals and Systems Security team. We observe the ways in which the device communicates using radio waves, and look for any open ports or unencrypted keys, etc. Our observations are widely shared in the sector: as things stand, a very large number of devices remain insufficiently secure. The reason behind this is a lack of security culture within many of the companies launching products in this sector. While they possess strong expertise in their respective fields, this is not always the case when it comes to IT security, and they often end up buying pre-manufactured pieces of hardware and firmware in order to get things rolling. The variations in technology, proliferation of contractors, and the constant emergence of new protocols all have the end result of weakening the security performance levels of the smart devices produced.
Platforms and networks under control
Conversely, the networks and platforms via which these devices operate are benefiting from reinforced levels of security. “Networks have always been our home turf, and we apply a zero-tolerance approach: we audit every single port of entry to the LoRa network, we use standardized processes, and we correct faults where they are found. The IoT also benefits from the native security protocols of the mobile network.” As for platforms, the same logic applies: the My Livebox application and the Smart Home household automation platform are held to similar security requirements. The specificity of the IoT resides solely in the quantity and highly private (“my body, my home”) nature of the information generated, but the issue of personal data protection is similar. For Orange, there will be no change to the commitments already made: we will continue to adhere to our Personal Data Charter, in full compliance with the GDPR.
Raising maturity levels among operators
A bill of specifications does exist for the ideal smart device – “at Orange, we use the GSMA stipulations, which were drawn up during a working group on the IoT in which we participated. We’ve shared this widely with our partners, along with a self-assessment questionnaire,” explains Mr. Allard. The challenge of getting industrial groups to adopt best practices goes beyond Orange alone, but the Group is actively contributing to making this happen – notably via the Orange Cyberdefence team, whose expertise is being made available to more and more projects all the time, with increasing levels of sensitivity. “For the future, the key challenge is to incorporate security criteria in our industrial standards, and perhaps even to create a system of product certification labels.
What solutions are available already?
Achieving optimal device security is still a ways off, but in the meantime Orange is not content to rest on its laurels: at Show Hello 2018, the Group presented the Security Scan, a service loaded onto the software bundles of the Livebox, which protects the client’s LAN network. From the My Livebox application, users can now verify the security and update status of all smart devices in their home network. The service also includes a connection cut-off system, in order to limit potential damage from a compromised device. “We believe that an operator such as Orange has a role to play as a mediator in everyday uses of the IoT, not only in order to help users manage their data privacy, but also to manage device security (e.g. by ensuring all necessary updates are made). We want our platforms to offer security services for devices and users,” stresses Sébastien Allard. At the same time, Orange will continue to invest in research and development of security standards, provide guidance and support for its partners, and share best practices with the sector as a whole. The Group has set its sights on bringing about an IoT ecosystem with end-to-end security.
> Download the White Paper – IoT Security by Orange (Document : pdf)
