Wednesday, May 13, 2015

Millions of smart meters and other connected devices at risk of hacking and cyberattacks

(in English)

May 12, 2015 – ZDnet / CBS Interactive

Millions of smart meters, thermostats and other "connected" devices are at risk of cyberattacks because they ship with easily cracked encryption, a study shows, warning of these problems.

Millions of smart meters, thermostats, and other internet-connected devices are at risk of cyberattacks because they come with easily crackable encryption, a study has warned.

A paper by Philipp Jovanovic and Samuel Neves published in late April analyzed the cryptography used in the Open Smart Grid Protocol (OSGP), a group of specifications published by a European telecoms standards body. The protocol is used in more than four million devices, and said to be one of the most widely used protocols for smart devices today.

The results? Not great.

The researchers found that the "weak cryptography" can easily be cracked through a series of relatively simple attacks. In one case, the researchers said they could "completely" defeat a device’s cryptography.

The most common and trusted encryption standards use well-established, peer-reviewed cyphers that are open-source and readily available to inspect. Some have argued it’s the "first rule" of crypto-club. The problem for smart grid devices is that they don’t stand up to the scrutiny of the community.

The OSGP Alliance, the non-profit group behind the OSGP protocol, said last month it’s preparing an update to the specifications to add new security features.

"The alliance’s work on this security update is motivated by the latest recommended international cybersecurity practices, and will enhance both the primitives used for encryption and authentication as well as the key length, usage, and update rules and mechanisms," the post read.

We reached out to the OSGP Alliance, but did not hear back outside business hours.

> Read the story online on the ZDnet / CBS Interactive website