Probably most people have not heard of either company. Orange is like the Verizon of Europe, the largest telecom company there, and Thales is a very large multinational security products company that sells in both the commercial and military space.
The number of cyber attacks against Internet of Things devices is skyrocketing
Orange’s research team says that an IoT device is attacked more than 2,500 times a day by more than 100 botnets looking for weaknesses.
Right now there are about 12 billion IoT devices connected to the Internet, and by 2025 that number will be around 27 billion. Given that most of those devices will never be patched, this is a target-rich environment.
These attacks can do three things. First, they can steal whatever data the device has. Second, the device can be used as a launchpad to attack the network it sits on. Since most home users and many business users do not segment IoT devices, this can be easy to do. Finally, compromised devices can be used to launch attacks against other businesses and adversaries.
I get notices every day of anywhere from 2 to a dozen new vulnerabilities discovered and reported and that is probably only a tiny percentage of the vulnerabilities that are discovered. That doesn’t even count the bugs that are not yet discovered.
So what can be done?
Orange and Thales are partnering to create an open standard called IoT SAFE, which has been approved as an international standard by the GSM Association.
Very simply, it relies on a microSD card in the device that holds the security protocol code. MicroSD cards are already in all kinds of devices like phones and cameras. They are well understood and physically secure.
The IoT SAFE applet is installed on the SD card as soon as the device is connected to the Internet, and the applet generates a new and unique public/private encryption key pair. The public key is sent to the server and the private key is kept on the SD card.
This allows a vendor to communicate with the device in a much more secure manner, with a key that is created automatically and which is unique to the device – at very low cost. The code is open source.
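The enrollment flow described above can be sketched in a few lines. This is an added example, not code from the IoT SAFE project or from the article: the Ed25519 algorithm, the `Card` and `Server` types, the device ID and the challenge-response step are all assumptions chosen to show how a server can use the enrolled public key to tell the genuine device from a clone.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

type Card struct{ priv ed25519.PrivateKey } // stand-in for the card; the key never leaves it

// Provision creates the device-unique key pair and exports only the public half.
func Provision() (*Card, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Card{priv}, pub, nil
}

// Sign answers a server challenge with the key held on the card.
func (c *Card) Sign(challenge []byte) []byte { return ed25519.Sign(c.priv, challenge) }

type Server map[string]ed25519.PublicKey // device ID -> enrolled public key

// Enroll records a key on first contact and refuses to replace it afterwards.
func (s Server) Enroll(id string, pub ed25519.PublicKey) error {
	if _, seen := s[id]; seen {
		return fmt.Errorf("device %q is already enrolled", id)
	}
	s[id] = pub
	return nil
}

// Verify checks a challenge response against the key enrolled for id.
func (s Server) Verify(id string, challenge, sig []byte) bool {
	pub, ok := s[id]
	return ok && ed25519.Verify(pub, challenge, sig)
}

func main() {
	card, pub, err := Provision()
	if err != nil {
		panic(err)
	}
	srv, nonce := Server{}, make([]byte, 32)
	srv.Enroll("meter-0001", pub) // constructed device ID
	rand.Read(nonce)              // fresh random challenge for every attempt
	fmt.Println("accepted:", srv.Verify("meter-0001", nonce, card.Sign(nonce)))
}
```

Because the server issues a new random challenge each time and never accepts a second key for an enrolled ID, a captured signature or a cloned device with its own key pair does not pass verification.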
While this is not bulletproof, it is certainly bullet resistant and low cost, which is a pretty good improvement.
Credit: The Hacker News