The development of the Internet of Things (IoT) raises the crucial question of the security of connected objects, which are particularly vulnerable to attacks. Télécom SudParis is involved in the research and development of cybersecurity technologies and is particularly interested in IoT security through the European collaborative research project VARIoT (Vulnerability and Attack Repository for IoT).  Here’s a look at an ambitious and promising project.

The creation of the project

The VARIoT project was set up by Grégory Blanc, a teacher-researcher at Télécom SudParis, lecturer in cybersecurity and networks, coordinator of the third-year specialization in systems and network security, and head of European and national projects.

After completing his engineering school internship in a research laboratory in Japan, Grégory Blanc continued his studies with a thesis in the field of cybersecurity. “The topic was related to client-side scripting, the objective being to protect the browser against attacks that can be organized via malware-infected websites,” says Grégory Blanc.

Back in France, the young researcher obtained a postdoc at Télécom SudParis, with Professor Hervé Debar. In 2012, the opportunity arose to participate in a European project in collaboration with Japan. This first project paved the way for collaborations such as the VARIoT project. Initiated by a European call for projects from the Innovation and Networks Executive Agency (INEA), this project, which began in 2019 and ends in 2022, involves five European partners on the IT security of connected objects.

Why should we be concerned about the security of connected objects?

Being mass-produced and having a short time-to-market, connected objects are subject to failures in terms of computer security. Since their resources are limited, once the operating system and various applications are installed, they have little memory left for security software. Security often has to be outsourced, which results in a notorious vulnerability of these objects to attacks.

“For objects connected to the Internet via a wireless connection, updates can be vulnerable to interception (or Man-in-the-Middle attacks) when integrity and authenticity guarantees are lacking: when requests and responses are not encrypted, the attacker can modify their content, especially if the object does not verify the identity of the update server,” explains Gregory Blanc.

“Another very common vulnerability is the administration web portal, like the Telnet service, used as an administration interface by many objects. You can connect to it using the administration credentials, which are often left as the default (e.g. admin/admin). Mirai is known to exploit this vulnerability.

The attacks work by scanning the Internet for objects responding on the Telnet port that have weak authentication, i.e. with no or insufficiently protective passwords. It is then possible to take control of the objects and install new programs or generate requests on other entities on the Internet in order to create, for example, distributed denial of service attacks (saturation of communication capacities),” says Grégory Blanc.

The basis of the project

The purpose of VARIoT is to make all the data in the world on the vulnerabilities of connected objects and the attacks that target them available via a set of European web portals. Implementation of the web portal is supported by Carnot Télécom & Société numérique. The consortium set up to support the project is made up of Télécom SudParis, the Polish research institute NASK, the Dutch Shadowserver foundation, the Computer Incident Response Center  in Luxembourg and Mondragon University (Spain).

Télécom SudParis brings its expertise in intrusion detection. “Our approach is to observe communication on the networks and try to determine whether the messages are issued by legitimate or malicious entities,” says Grégory Blanc. In the VARIoT project, a number of objects have been deployed in realistic conditions, interacting with humans to generate real traffic. This legitimate network profile is integrated into machine learning algorithms, so that an anomaly can be identified as soon as it appears. This prevents connected objects that have been infected from sending messages outside the network where they are located. Signatures of previously infected objects will also be collected to provide network behavior profiles of malware. This task is being carried out by Mondragon University, which has proposed a platform to reproduce the infection of an object and capture the network traffic, once this compromised object generates messages.

A collaborative network

Télécom SudParis also shares its data and IoT traffic models on the web portal (variot.telecom-sudparis.eu).

Shadowserver scans the entire Internet regularly to identify threats and share them with its network of partners. Since the beginning of the VARIoT project, Shadowserver has been scanning connected objects to identify them and study their security levels. Aggregation of data and constitution of a database is managed by NASK.

A threat analysis on IoT objects is coordinated by Smile, an entity working under the CERT (Computer Emergency Response Team) in Luxembourg, who have proposed to use an information exchange platform (MISP) between CERTs on a global level, and to share cybersecurity data sources of connected objects across Europe on the European Data Portal.

The benefits

The project has a very concrete focus on improving IoT cybersecurity.  By providing more detailed knowledge of vulnerabilities and threats to connected objects, it will enable the development of tools capable of anticipating and preventing the occurrence of threats.

Moreover, since network data on connected objects is rare and difficult to obtain (due to the protection of privacy and personal data), generating this data will provide visibility and enable the evaluation of intrusion detection tools developed at Télécom SudParis.

The contacts that are being established with Yokohama National University for collaboration on these topics illustrate the broad interest in this work.

This article was initially published on I’MTech, the scientific and technological news blog of Institut Mines-Télécom.

A UAV (or drone) in flight can fall victim to different types of attacks. At Télécom SudParis, Alexandre Vervisch-Picois is working on a method for detecting attacks that spoof drones concerning their position. This research could be used for both military and civilian applications.

He set out to deliver your package one morning, but it never arrived. Don’t worry, nothing has happened to your mailman. This is a story about an autonomous drone. These small flying vehicles are capable of following a flight path without a pilot, and are now ahead of the competition in the race for the fastest delivery.

While drone deliveries are technically possible, for now they remain the stuff of science fiction in France. This is due to both legal reasons and certain vulnerabilities in these systems. At Télécom SudParis, Alexandre Vervisch-Picois, a researcher specialized in global navigation satellite systems (GNSS), and his team are working with Thales to detect what is referred to as “spoofing” attacks. In order to prevent these attacks, researchers are studying how they work, with the goal of establishing protocol to help detect them.

How do you spoof a drone?

In order to move around independently, a drone must know its position and the direction in which it is moving. It therefore receives continuous signals from a satellite constellation which enables it to calculate the coordinates of its position. These can then be used to follow a predefined flight path by moving through a succession of waypoints until it reaches its destination. However, the drone’s heavy reliance on satellite geolocation to find its way makes it vulnerable to cyber attacks. “If we can succeed in getting the drone to believe it is somewhere other than its actual position, then we can indirectly control its flight path,” Alexandre Vervisch-Picois explains. This flaw is all the more critical given that the drones’ GPS receivers can be easily deceived by false signals transmitted at the same frequency as those of the satellites.

This is what the researchers call a spoofing attack. This type of cyber attack is not new. It was used in 2011 by the Iranian army to capture an American stealth drone that flew over its border. The technique involves transmitting a sufficiently powerful false radio frequency to replace the satellite signal picked up by the drone. This spoofing technique doesn’t cancel the drone’s geolocation capacities as a scrambler would. Instead, it forces the GPS receiver to calculate an incorrect position, causing it to deviate from its flight path. “For example, an attacker who succeeds in identifying the next waypoint can then determine a wrong position to be sent in order to lead the drone right to a location where it can be captured,” the researcher explains.

Resetting the clocks

Several techniques can be used to identify these attacks, but they often require additional costs, both in terms of hardware and energy. Through the DIGUE project (French acronym for GNSS Interference Detection for Autonomous UAV)[1] conducted with Thales Six, Alexandre Vervisch-Picois and his team have developed a method for detecting spoofing attempts. “Our approach uses the GPS receivers present in the drones, which makes this solution less expensive,” says the researcher. This is referred to as the “clock bias” method. Time is a key parameter in satellite position calculations. The satellites have their time base and so does the GPS receiver. Therefore, once the GPS receiver has calculated its position, it measures the “bias”, which is the difference between these two time bases.  However, when a spoofing attack occurs, the researchers observed variations in this calculation in the form of a jump. The underlying reason for this jump is that the spoofer has its own time base, which is different from that of the satellites. “In practice, it is impossible for the spoofer to use the same clock as a satellite. All it can do is move closer to the time base, but we always notice a jump,” Alexandre Vervisch-Picois explains. To put it simply, satellites and spoofer are not set to the same time.

One advantage of this method is that it does not require any additional components or computing power to retrieve the data, since they are already present in the drone. It also does not require expensive signal processing analyses in order to study the information received by the drone–which is another defense method used to determine whether or not a signal originated from a satellite.

But couldn’t the attacker work around this problem by synchronizing with the satellites’ time setting? “It is very rare but still possible in the case of a very sophisticated spoofer. This is a classic example of measures and countermeasures, exemplified in interactions between a sword and a shield. In response to an attack, we set up defense systems and the threats become more sophisticated to bypass them,” the researcher explains. This is one reason why research in this area has so much to offer.

After obtaining successful results in the laboratory, the researchers are now planning to develop an algorithm based on time bias monitoring. This could be implemented on a flying drone for a test with real conditions.

[1] Victor Truong’s thesis research