Hardware and software security

SCUBA: a tool chain for connected object security

Date: changed on 11/06/2021
To better diagnose risks and analyse threats that might affect connected objects, with the aim of managing and preventing those risks and threats: this is the vision of the SCUBA project, under development by the RESIST team since 2018.
Scuba: connected door
© Inria / Photo D. Betzinger

Watches, video surveillance cameras, household appliances, televisions, lighting systems, voice assistants, connected locks, electrical outlets – connected objects are everywhere and are becoming ever more numerous. “It is predicted that there will be 30 billion connected objects in use around the world next year”, says Abdelkader Lahmadi, lecturer and researcher on the RESIST team at the Inria Nancy - Grand Est centre. This proliferation of devices of all kinds sending and receiving information over the internet poses a major security challenge, particularly with regard to users’ private data.

Several recent studies have found very low overall security levels, due to insufficient investment, multiple technical constraints and undoubtedly a certain degree of negligence on the part of manufacturers in a hurry to bring their products to market. For example, in September and October 2016, two successive attacks by the Mirai malware caused a wave of panic at the hosting provider OVH and the DNS provider Dyn by flooding their servers with traffic sent by armies of connected “zombie” objects being controlled without their owners’ knowledge. “More recently, researchers at Princeton University in the USA have demonstrated that it is possible to create an electricity blackout by tampering with smart thermostats connected to heating equipment”, says Abdelkader Lahmadi.

Tools to be invented

Faced with this threat, risk assessment and protection tools are still too limited. “There are solutions that are used to map and diagnose the vulnerabilities of connected objects, but they come from other fields and are not really suited to the specific characteristics of the IoT (Internet of Things), a very complex universe because of the multiplicity of protocols and components that coexist there”, explains Frédéric Beck, engineer in the Experimentation and Development for Research Department at Inria Nancy - Grand Est.

It is against this backdrop that the SCUBA project was born, launched by the RESIST team in January 2018 with technical support from the High-Security Laboratory of the Inria Nancy - Grand Est research centre. The project aims to fill current gaps and create tools specifically designed for connected objects to better identify their security vulnerabilities.

“What sets SCUBA apart is that it is concerned not only with the equipment itself but also with the environment as a whole”, adds Abdelkader Lahmadi. “Our objective is also to identify intrusion chains that can be exploited by attackers: a smart bulb may be completely secure, but when plugged into a connected socket that also has a fault, it can still be attacked.”

From diagnosis to risk management

In concrete terms, this mapping is based on the automated construction of knowledge graphs linking the software components of objects to known vulnerabilities, weaknesses and attack patterns. Walking such a graph shows where and how an attacker could enter a network and which devices they could reach from there.

The project also includes the development of a query interface that will allow connected object manufacturers and their operators to easily access and understand all the information contained in these graphs. “This information will be doubly useful because it can be used not only to diagnose risks but also to manage and prevent them more effectively by prioritising the most effective countermeasures to combat the most threatening patterns of attacks”, emphasises Abdelkader Lahmadi. 
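To make the two ideas above concrete, here is a small, self-contained illustration of how a knowledge graph of this kind can be walked to enumerate intrusion chains (the “secure bulb behind a faulty socket” scenario from the quote above) and to rank fixes by the number of chains they cut. It is an added example, not SCUBA’s code or data; the devices, firmware versions, V-/W-/AP- identifiers and the six relation names are all constructed for the illustration.

```python
"""
Toy knowledge-graph walk illustrating the SCUBA idea.  Everything here
(device names, firmware versions, V-/W-/AP- identifiers, predicates) is
CONSTRUCTED for illustration; it is not project code or real vulnerability data.
"""
from collections import defaultdict

# Constructed triples (subject, predicate, object).  Predicates:
#   reaches       network adjacency: s can send traffic to o
#   controls      s can act on o with no exploit needed (e.g. cut its power)
#   runs          device s runs software component o
#   has           component s carries vulnerability o
#   instance_of   vulnerability s is an instance of weakness o
#   exploited_by  weakness s is exploited by attack pattern o
TRIPLES = [
    ("internet", "reaches", "gateway"),
    ("gateway", "reaches", "socket"),
    ("gateway", "reaches", "camera"),
    ("gateway", "reaches", "bulb"),
    ("socket", "controls", "bulb"),          # the bulb is powered through the socket
    ("gateway", "runs", "router-fw-1.0"),
    ("socket", "runs", "plug-fw-2.3"),
    ("camera", "runs", "cam-fw-0.9"),
    ("bulb", "runs", "bulb-fw-4.1"),         # no known vulnerability: the "secure" bulb
    ("router-fw-1.0", "has", "V-ROUTER-DEFAULT-CREDS"),
    ("plug-fw-2.3", "has", "V-PLUG-CMD-INJECT"),
    ("cam-fw-0.9", "has", "V-CAM-AUTH-BYPASS"),
    ("V-ROUTER-DEFAULT-CREDS", "instance_of", "W-HARDCODED-CREDENTIALS"),
    ("V-PLUG-CMD-INJECT", "instance_of", "W-OS-COMMAND-INJECTION"),
    ("V-CAM-AUTH-BYPASS", "instance_of", "W-IMPROPER-AUTHENTICATION"),
    ("W-HARDCODED-CREDENTIALS", "exploited_by", "AP-CREDENTIAL-GUESSING"),
    ("W-OS-COMMAND-INJECTION", "exploited_by", "AP-COMMAND-INJECTION"),
    ("W-IMPROPER-AUTHENTICATION", "exploited_by", "AP-AUTHENTICATION-BYPASS"),
]


def build_graph(triples):
    """Index triples as graph[predicate][subject] -> set of objects."""
    graph = defaultdict(lambda: defaultdict(set))
    for s, p, o in triples:
        graph[p][s].add(o)
    return graph


def vulnerabilities_of(graph, device):
    """Follow device -runs-> component -has-> vulnerability."""
    return {v for comp in graph["runs"].get(device, ())
              for v in graph["has"].get(comp, ())}


def attack_patterns_of(graph, vuln):
    """Follow vulnerability -instance_of-> weakness -exploited_by-> pattern."""
    return {ap for w in graph["instance_of"].get(vuln, ())
               for ap in graph["exploited_by"].get(w, ())}


def intrusion_chains(graph, target, entry="internet"):
    """Enumerate simple paths from entry to target as lists of
    (device, vulnerability_or_None).  A 'reaches' hop requires a vulnerability
    on the next device; a 'controls' hop requires none, because the controller
    is already compromised.  This is how a flawless bulb still ends up in a chain."""
    chains = []

    def walk(node, path, visited):
        if node == target:
            chains.append(list(path))
            return
        for nxt in sorted(graph["reaches"].get(node, ())):
            if nxt not in visited:
                for v in sorted(vulnerabilities_of(graph, nxt)):
                    walk(nxt, path + [(nxt, v)], visited | {nxt})
        for nxt in sorted(graph["controls"].get(node, ())):
            if nxt not in visited:
                walk(nxt, path + [(nxt, None)], visited | {nxt})

    walk(entry, [], {entry})
    return chains


def rank_fixes(graph, targets):
    """Count, per vulnerability, how many intrusion chains to any of the
    targets it takes part in; fixing the top entry cuts the most chains."""
    counts = defaultdict(int)
    for t in targets:
        for chain in intrusion_chains(graph, t):
            for _, v in chain:
                if v is not None:
                    counts[v] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    g = build_graph(TRIPLES)
    for chain in intrusion_chains(g, "bulb"):
        hops = [f"{d} via {v}" if v else f"{d} (controlled by previous hop)"
                for d, v in chain]
        print("internet -> " + " -> ".join(hops))
        print("  attack patterns:", sorted({ap for _, v in chain if v
                                            for ap in attack_patterns_of(g, v)}))
    print("fix priority:", rank_fixes(g, ["socket", "camera", "bulb"]))
```

The bulb has no vulnerability of its own, so no `reaches` hop can land on it; the only chain goes through the socket’s vulnerable firmware and the `controls` edge. The ranking then shows that the gateway’s default-credentials flaw sits on every chain and is the first thing to fix.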

Midway through the project, the first results are in: “A prototype mapping and diagnostic module has been developed, and an industrial partnership has been formed”, says Frédéric Beck. “Work is now focused on interpreting knowledge graphs to build attack patterns. We have also begun to think about the industrial opportunities for this project. This could lead to the creation of a dedicated start-up.”