Jean-Michel Prima - 25/08/2016

OT and Inria, partners in countering mobile cyber-attacks

Jean-Louis Lanet and Francis Chamberot

OT (Oberthur Technologies), one of the world leaders in embedded software products, solutions and services, is beginning a collaboration in the field of Research & Development with the High-Security Laboratory (LHS) created at the Inria Rennes - Bretagne Atlantique research centre as part of the Cyber Cluster of Excellence (PEC). One of the main lines of this partnership concerns test tools for mobile payment applications. Another issue looms over the longer term: being ready to counter the security attacks of tomorrow.

"Where does the danger come from? From fuzzers," Jean-Louis Lanet, the scientist in charge of the LHS, explains. "These are brute force attack programs that try all sorts of manoeuvres in order to penetrate systems. They have become more sophisticated over time. They act in an increasingly intelligent way. They adapt their behaviour depending on the reaction of the system being attacked. Our work consists in finding ways of countering this that are both effective and, if possible, generic."

One of the prime targets of these cyber-attacks: mobile phones. Their protection is becoming even more crucial since they now host numerous critical applications (payment, identity management, authentication, transport...). With NFC technology users can already, in certain countries, purchase things simply by placing their device near to a terminal in shops. "Schematically, a telephone is made up of two parts. The main area is where the majority of, shall we say, 'ordinary' applications are found. However, a small highly-secure area also exists, sometimes called the trust zone. Both with regard to equipment (eSE: embedded Secure Element) and software (TEE: Trusted Execution Environment), this part of the system hosts the critical applications. With a sacrosanct rule: nobody must be able to penetrate it. Hackers are putting in place unlimited creativity and ever-increasing resources. For us, it is a matter of keeping one step ahead of them. Via extremely advanced tests, we pre-empt the flaws and original methods that hackers could use. That is what we, as researchers, are interested in. It is also of great interest to industrialists." The collaboration between Inria and OT that began at the end of 2015 operates, in part, within this context.

"Our company wishes to work with scientific centres of excellence. And Inria has recognised expertise in the field of cyber security. It was an obvious choice for us," says Francis Chamberot, development manager for embedded applications at OT. "Moreover, one of the people in our team had already done his thesis under the supervision of Jean-Louis Lanet - with a direct link to one of the two subjects we are working on. Finally, part of this general picture is also the creation of the Cyber Cluster of Excellence in Rennes, which can help us to find new expertise and forge new alliances in the area of security."

In practice, OT will fund theses that will be carried out within the LHS. "The first two have just begun," Jean-Louis Lanet explains. "One concerns the protection of products under development and focuses on applications that are directly linked to the industrialist context. The second is more prospective, and targets the protection of products being designed." For example, the security of phone boot sequences. "It is a crucial phase in terms of security," Francis Chamberot explains. "Indeed, at start-up, we check the structure of a certain number of codes that will run and carry out sensitive operations. Other possibilities will exist in future mechanisms. Our responsibility lies in pre-empting them in order to guarantee their security."

For OT, it is a continuous process. "We are a world leader in embedded digital security in order to protect individuals when they connect, authenticate or pay. We hold a key position in high-value markets and provide embedded software security solutions as close as possible to remotely-managed functions and related solutions. Every day we work with other hardware components, other security components. This evolution in our work means that we take security in our activity into account in the broadest possible way. This means taking an interest in subjects in which we are not currently directly involved, but which are crucial for the future."

All of these experiments, within the framework of the two theses, will be followed closely by OT. "Within our own R&D team we have people who work directly with the PhD students in order to integrate their research findings into our reflection process," Francis Chamberot concludes. "We would like all of the work carried out as part of this partnership to then have an industrial consequence with a real impact on products for our customers. That is why, at the beginning, we included our industrial realities in our specifications. At the same time, however, we want the Inria scientists to have great freedom in what they do, so that they can express all of their creativity and provide the best of their skills and vision."

