Role of CyberTelecom / Network Security in High Value M2M and IoT Apps
From an M2M or IoT perspective, do you need devices to be secure? With that question, Graeme Coffey, Head of Sales & Marketing at AdaptiveMobile Security, started his talk at the RoamsysNext Connectivity Innovation Forum last week.
You may be thinking that Machine to Machine (M2M) and Internet of Things (IoT) applications are already secure, as the network is supposed to be secure. “Let’s start by saying that calls from one device to another device can be intercepted, messages and security credentials can be intercepted. Even when the devices use secured or encrypted communications, it represents a significant risk to not be using a secured mobile network for connectivity”, Graeme pointed out.
AdaptiveMobile Security, through its cyber intelligence unit, analyses, prevents and blocks continuous cyber-attacks against network operators. But attackers do not focus only on data path attacks. High-value IoT devices are especially attractive targets for cybercriminals attacking through network signalling protocols.
Here’s how AdaptiveMobile Security’s strong cybersecurity expertise can help protect high value M2M and IoT Applications:
CyberTelecom Security for M2M and IoT applications
Graeme continued by introducing what CyberTelecom Security is. It is a distinction between the IP data path used by IoT devices and the control protocols used to manage and control mobile networks and services. This control path is often ignored from a security perspective. However, it is essential that the control plane of the network is secured.
“It is key to continually optimise your defences based on the latest threats and security intelligence. To do this effectively we use a managed service approach where our security experts ensure that our defensive security platforms are always optimised to protect our customers against the latest threats and attackers”, Graeme added.
Uniquely, AdaptiveMobile Security Threat Intelligence Team and intelligence services provide a global threat perspective to augment the individual security policies and defences they maintain for our customers. “Knowledge of the global CyberTelecom threats allows us to better protect our customers and share our security insights”.
Why is CyberTelecom security required?
A critical enabler for the mobile or cellular networks we have today was the ability to enable a global standard and interworking for all mobile networks. This allowed users to roam globally with the same service capability and consistent user experience. This was achieved by the industry using standardised protocols for controlling the service on a global basis.
Some common protocols for doing this are SS7 (MAP/CAP) for 2G and 3G networks, GTP-C for 3G/4G/5G data services and DIAMETER in 4G/LTE; looking forward to 5G, HTTP/2 with JSON will be used. However, with this standardisation have come the unexpected security risks we face today.
M2M and IoT network security is at risk
Graeme went on to explain that initially, in 2G mobile networks and indeed any network based on SS7 and Intelligent Network technology, security was in part provided by the trust, costs and complexity of the networks involved.
Each interconnected network used a trust model with the connected partners on a 1-to-1 basis. Over time, however, this “TRUST” based model was eroded as more connections were made and the technologies used became more accessible. Today, that trust model no longer applies and security cannot be assumed.
“We know that these protocols can be used to illegally intercept calls, track locations, intercept messages, intercept data transfers, manipulate identity, change service configurations and deny service. These CyberTelecom threats are very real and we have come to realise that the networks we depend on are not secure”, Graeme remarked.
Media reports have covered the interception of government officials’ calls, tracking of VIPs’ locations, banking frauds using intercepted 2FA messages, and even dark websites and surveillance companies offering to track anyone, for a fee of course!
“When you look at M2M or IoT communications today, often the default and lazy answer is to encrypt the data path or VPN. It is not a complete solution to the security of the device or application. Often this is simply an illusion of security, because when these devices are deployed, they are exposed to the vulnerabilities of the networks they use. If you asked an IoT application provider if they need their devices to be secure, it is likely they would say, “Yes”. If you asked if they would pay more for security, the answer could change to, “No”. It may have never even been a consideration that the network wasn’t secure?”
What that tells us is that the lack of security is perhaps an industry secret that isn’t fully acknowledged.
“Undoubtedly, the IoT service provider may just not have a business plan that would allow for additional costs. It is an understandable answer in a volume business with perhaps low per device margins. There will however be applications where the extra cost of CyberTelco security can be easily justified. If you consider that most roaming agreements are based on criteria such as coverage, price, services provided and quality of service; is there room for security to be another factor?”
The decision to allow your customers or IoT devices to roam onto a network with no CyberTelco security could be a costly one. The value or importance of the person, the message/call, the cargo or even the destination of the service is a significant factor that is routinely overlooked.
“I have heard nearly every justification for this. It ranges from an assumption that it can’t be secured, to the risk is so low it only impacts a small number of my devices, to it would be too expensive. These are all decisions and choices being made by mobile carriers on our behalf”, Graeme emphasised.
Threat to supply chain scenario
A simple example of the types of cyberattacks that M2M and IoT applications could face is the one against the supply chain. This type of attack has multiplied dramatically in the last 5 years. In 2019 alone, the Transport Asset Protection Association reported an average daily loss of €305,605, a +388.5% increase in comparison to 2015.
In Europe alone, a study from the European Parliament estimated the cost of cargo crime to be some €8.2 billion annually. But money is not the only impact that these types of crimes could have on business. It represents a risk to employees and public safety, and it also affects the operators’ brand and reputation.
Some more recent examples of cybercrimes reported in 2020 include the one against an international rail vehicle manufacturer, which was blackmailed. Also, a global shipping company was the victim of a malware attack in September, reporting an estimated loss of US$250 million. Back in October, the information systems of one of the biggest container liners were compromised due to a cyberattack.
If you still need more examples to validate how important M2M and IoT network security is, here is a very likely scenario illustrated by Graeme at the event:
- Imagine that I own a shipping company and routinely deliver cargo throughout Europe. I run a professional company so I always have cargo insured and understand the value in my fleet of trucks, logistics professionals and pride our company performance for on-time delivery. We have invested in both container tracking/telemetry systems and also operate driver progress report calls. This is sensible because the cargo can be high value, vehicles themselves are high value and operational costs are also significant. I consider security as a nice to have capability, would possibly consider paying a premium for security if it was available? Sure, if it wasn’t too expensive.
- Let’s add a little more context to this example, we have 10 containers to ship from Cambridge in the UK to Berlin. It’s pre-Brexit so the trip shouldn’t face any border issues or delay. My tracking systems are operational, we have never had any issues before, and things are looking good. As the shipments approach the German border the telemetry stops and our systems show no connection to them.
- The drivers are not responding to update calls. It’s concerning, however they are all in the same location, it is likely just either a blindspot in coverage or a network problem. Nothing to panic about, and we will check again in 30mins.
- Knowing what we know about the risk of CyberTelecom attack, if roaming to the network is not secured would you be concerned? The tracking devices can be denied-access to the network or services removed, identity of security devices could have been intercepted, calls can be manipulated, and locations can be spoofed. More security could be looking attractive now?
- What if the cargo was a shipment of COVID-19 vaccine, time critical delivery? The cargo would have a significant value for sure on the black market. That alone would increase the risk. If you extend the scenario further, what if this was the bulk of the vaccine for the German health service, intended to protect frontline health workers. You would expect the German Health Minister would have happily paid extra for additional CyberTelecom security capability. Of course, the shipment was insured. However, if no alternative suppliers can be found that would not be a consolation for the German Government.
- A simple choice to use a secured roaming mobile network could have given warning of the threat and prevented the mobile network from allowing IoT device identities from being harvested. It could have also prevented the shipment from being tracked as its journey unfolded and protected the disconnection of the tracking systems and mobile communications with the drivers.
OK, so it’s a complex scenario and lots of things would have had to align to make it possible. But Graeme advised against assuming that CyberTelecom attacks of this sophistication are impossible. Experienced attackers and nation-states have the capabilities and funding today to perpetrate these complex scenarios.
“I think there is a strong case for specific IoT/M2M, Critical Infrastructure, Emergency Service and Governments to ensure that they are always using a network with CyberTelecom security protection. Roaming onto networks without these protections will significantly increase their vulnerability. Whilst risk is likely low on average, it is significant for an individual device if it is a target. High value assets attract attention after all”.
5G technology will bring new security risks for the M2M and IoT industries
If you are reading this thinking that 5G will not be vulnerable, then prepare yourself. 5G networks and 4G interworking will create more attack surfaces and complexity than ever before: access to the core network for multiple slices and entities, and the introduction of APIs in the MEC infrastructure, where third-party cloud platforms will host and enable application use of 5G radio infrastructure.
Today, these networks are being deployed whilst the security standards are in draft or early revisions. As with any new mobile technology, security is once again being retrofitted slowly while the 5G train is already steaming down the track. Security work is also being delayed by the COVID-19 pandemic, which hasn’t helped.
If only the vaccine shipment had arrived on time!
For more information, read our post on 5G OWASP for networks.
About Enea AdaptiveMobile Security
Enea AdaptiveMobile Security is the world leader in mobile network security, protecting more than 2.2 billion subscribers worldwide. With deep expertise and a unique focus on network-to-handset security, Enea AdaptiveMobile’s award-winning security solutions and services provide its customers with advanced threat detection and actionable intelligence, combined with the most comprehensive security product-set in the market today.
Enea AdaptiveMobile Security was founded in 2006 and counts some of the world’s largest carriers, Governments and Regulators as customers. The Company is headquartered in Dublin with offices in North America, Europe, South Africa, the Middle East and Asia Pacific.