© Cinterion Wireless Modules GmbH 2012, All rights reserved
Security in Machine-to-Machine Communication: The role of the Telecommunication Operator
“Internet of Things” = Increasing need for M2M security
Threats in the internet today
M2M vulnerabilities
More devices & value
Increased Security Threats
Threats in M2M tomorrow=
Billions of targets online
Francois Ennesser, Gemalto, 8th ETSI Security Workshop, Sophia Antipolis, 16-17/01/2013
Weak embedded Devices OS
Connectivity/Availability
Security breaches in software
Decreasing cost of attacks
Internet as source of attacks
We need to prepare today…
What will be the costs of failed / compromised systems?
Please adjust your paranoia level now! ☺
Examples of M2M attacks
Internet connected devices
Lack of user authentication:
Zoombak tracking device (GPS/GPRS): http://news.cnet.com/8301-27080_3-20056540-245.html
• Can be identified and tracked by non-authorized persons
• Can even be impersonated!
Luxury car stolen in 3 minutes using security loophole: http://www.networkworld.com/community/node/80983
• No authentication required to duplicate electronic key!
Home automation: garage doors, etc.
SIM stolen from South Africa’s traffic lights: http://www.bbc.co.uk/news/world-africa-12135841
• Not paired to the device, and usable for voice phone calls
Weak device security with Internet access:
Discovergy Smart Meter: http://nakedsecurity.sophos.com/2012/01/08/28c3-smart-meter-hacking-can-disclose-which-tv-shows-and-movies-you-watch/
• Hacked to transmit meter readings (up to every 2 seconds) via HTTP, unencrypted, without authentication!
Internet exposure of Dutch water pumps: http://www.cyberwarzone.com/cyberwarfare/dutch-bridges-vulnerable-hackers
• Could be operated by anyone from a home computer!
Unprotected local wireless links:
Jamming attacks e.g. preventing remote activation of alarm systems
Insulin pump hack Over The Air: http://www.theregister.co.uk/2011/10/27/fatal_insulin_pump_attack/
• Uses unencrypted local radio link
• Could deliver fatal dosage!
Heart monitor hacking: http://www.theregister.co.uk/2008/03/12/heart_monitor_hacking/
• Can be turned off or forced to deliver impulse!
Different types of M2M security risks
- Privacy (e.g. Discovergy Smart Meter Hack):
• Personal data, relating to an individual, should be accessible only to authorized parties (lawful purpose or user consent)
• Ensure identification and authentication of involved parties
• Local processing by devices reduces exposure (e.g. send anonymous data)
- Fraud (e.g. South African Traffic lights):
• Unattended devices deployed in unsecured environments are open to attackers
• Restrict access and services to essential channels only, configure APN…
• Do not transmit ID, password or APN on unprotected channels
• Use physical or logical pairing between M2M device and SIM/MIM (cf. ETSI TS 102 671)
- Critical Infrastructure exposure (e.g. Dutch water pump)
• Resources of attackers can be commensurate to potential damages!
• Clearly assess liabilities with all actors
• Minimize risks with adequate security measures at organizational and technical levels
• Do not forget the human factor, and remember that one weak link compromises the whole chain!
The network operator in the M2M security ecosystem
• The main M2M security risks rarely originate from the communication network:
Weak application design or unprotected device hardware are most common causes
• Most M2M applications come from industrial fields which still lack ICT expertise:
e.g. energy, automotive, healthcare…
• Yet Telecommunication Operators' reputation may be at stake, as affected final
users may not tell the difference!
• Play a role in developing the security awareness of M2M customers!
• Telecommunication Operators have opportunities and tools to assist M2M customers
in securing their applications:
• Monitor connections using keep-alive messages
• Correlate location data with e.g. GPS tracking
• Leverage the existing trust provisioning chain (SIM) to deploy applicative security credentials
- Enable applications to leverage deployed authentication and identification infrastructures
- Use OTA remote management for secure deployment of applications, firmware upgrades, etc.
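The first two operator tools listed above (keep-alive monitoring and correlating network location with GPS), sketched as an added example that is not part of the original slides. The record fields, thresholds and sample reports are constructed assumptions, not values from any operator platform.

```python
import math
from dataclasses import dataclass

KEEPALIVE_INTERVAL_S = 300   # assumed reporting period agreed with the M2M customer
MISSED_BEATS_ALLOWED = 2     # tolerate short radio outages before alerting
MAX_CELL_GPS_KM = 35.0       # assumed upper bound on distance to the serving cell

@dataclass
class Report:
    device_id: str
    timestamp: int    # seconds since epoch, as logged by the operator
    cell_lat: float   # serving cell position (network view)
    cell_lon: float
    gps_lat: float    # position reported by the device itself
    gps_lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def check_devices(reports, now):
    """Return {device_id: [alerts]} for silent devices and location mismatches."""
    alerts, latest = {}, {}
    for r in sorted(reports, key=lambda r: r.timestamp):
        latest[r.device_id] = r
        dist = haversine_km(r.cell_lat, r.cell_lon, r.gps_lat, r.gps_lon)
        if dist > MAX_CELL_GPS_KM:   # network view and device view disagree
            alerts.setdefault(r.device_id, []).append(
                f"location mismatch: GPS is {dist:.0f} km from serving cell")
    deadline = KEEPALIVE_INTERVAL_S * (MISSED_BEATS_ALLOWED + 1)
    for dev, r in latest.items():
        age = now - r.timestamp
        if age > deadline:           # too many keep-alives missed in a row
            alerts.setdefault(dev, []).append(
                f"silent for {age} s (check for jamming, theft or tampering)")
    return alerts

# Constructed sample data: one healthy device, one mismatch, one silent device.
NOW = 1_358_330_400
SAMPLE = [
    Report("meter-01", NOW - 120, 43.60, 7.07, 43.62, 7.05),
    Report("tracker-02", NOW - 60, 48.85, 2.35, 43.70, 7.26),
    Report("pump-03", NOW - 2000, 52.37, 4.90, 52.37, 4.90),
]
```

Calling `check_devices(SAMPLE, NOW)` flags `tracker-02` for the location mismatch and `pump-03` for missed keep-alives, and leaves `meter-01` unflagged.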
How to make a M2M system „secure enough“
Risk Analysis:
Cost of attack
Attack Probability
Potential Damage
Defense Analysis:
Prevention possible?
Detection possible?
Cost of prevention?
• Physical device tamper-resistance
• Embedded Secure Element, e.g. SIM
• Modem security
• Application communication (e.g. encryption)
• Network security
• Application backend server security
How secure are elements of M2M communication systems?
Communication Networks
Connected Devices
Communication components
What makes an application “secure”?
Security is a chain => all the links must be secured
How secure are the networks?
Internet?
No security by default!
- Use e.g. TLS encryption
- Credentials must be adequately protected (tamper resistance / security certification)
Cellular Networks?
There are numerous security measures built within cellular networks:
- User identity is obscured
- Traffic is encrypted
- Use of SIM as “secure element” protecting secrets used for authentication
Yes, but ...
> Depends on MNO settings (some 2G algorithms are weak)
> Beware of SMS in particular !!! (use encryption and signature)
How secure are connected devices?
[Figure: Cost of Attack versus Security demand]
Security demand = Attack probability * Potential damage
Examples of device security improvements
Goal: increase cost of attacks that are most likely to happen
Security Measures:
Authenticate SMS
Tamper-resistant enclosure
Authenticate via certificates
SSL/TLS* encryption
Protocol & data encryption
*SSL = Secure Socket Layer, TLS = Transport Layer Security
What is “modem security” ?
Modem must be secured
- against manipulation (e.g. firmware reflashing)
- against reverse engineering (e.g. through diagnostics port)
Secure communication between modem and application
- external interfaces (serial, USB) are vulnerable to tracing / reverse engineering
- encryption may be an option (but key must be stored securely)
Internal application (e.g. Java)
- Java MIDlet must be protected against manipulation & reverse engineering
- MIDlet update must be secured
- File system access must be protected as well
- Rely on tamper-resistant storage/execution environment, e.g. in SIM/MIM
How does a GSM module contribute to application security?
Cinterion Module
Transport Layer Security
Java Security API
Jamming Detection
3GPP Security
Firmware & IMEI protection
Lock SIM, Module, Cell
Some frequent M2M threats
Attack | Attack complexity | Attack likelihood | Attack impact | Characteristics | Countermeasure
Application snooping | low | med/high | med | - | Application-level encryption; AT Command encryption
Lawful interception | N/A | med | med | Legal implications; Impossible to detect or prevent | Application-level encryption
Jamming | low | high | med | Easy to detect, impossible to prevent | Jamming status detection (radio link monitoring)
Air interface interception and decryption | med | med | high | Mostly on 2G networks | Application-level encryption; Encryption status display/check
Fake networks („IMSI Catcher“ fake BTS) | med | med | high | Works in 2G mode only; Equipment now affordable; Possible to detect & evade | Scan frequency spectrum to detect; Encryption status display/check
Fake networks: GSM Layer 3 attacks | high | low | high | Device stack dependent; May enable code injection! | Protocol stack hardening; Fake network avoidance
Malformed SMS („SMS-of-death“) | low | med | med | May crash some devices! | SMS application hardening
The contribution of standards
• M2M security is addressed in standardization at several levels
• Communication Network:
  • “eUICC” work in ETSI SCP for remote change of subscriptions
  • 3GPP SA3 “Machine Type Communication” enhancements
  • ETSI TISPAN (E2NA) work on Privacy protection
• M2M Service/Application level: Deployed standards today are by verticals
  • Smart Metering: IEC 61850 (consolidation under EC M/441 standardization mandate)
  • Smart Grids: IEC 62351 (extensions under EC M/490 mandate)
  • Electric vehicle to Grid communication: ISO 15118 (developments under EC M/468 mandate)
  • Industrial Control Systems: IEC 62443
• Tomorrow vision: Horizontal service platform for M2M application deployments
  • Transport network agnostic concept, developed by ETSI TC M2M since 2009
  • Requirements (TS 102 689), Architecture (TS 102 690) and Protocols (TS 102 921)
  • Release 1 & 2 provide security on the Gateway to Infrastructure interface
    • Credential Bootstrapping (provisioning or PKI-based)
    • Authentication, Confidentiality, Integrity of M2M connections
  • Diversity of M2M applications (security/cost trade off, possibility to leverage on Access Network features) results in multiple security options (GBA, EAP, TLS based)
• Now migrating into worldwide “oneM2M” partnership (3GPP partners + TIA)
  • Will provide bootstrapping and end-to-end security services for M2M applications?
Remember…
Security is about prevention, not cure.
- Number of attacks on M2M systems will increase, secure communication design is the insurance
- M2M Application owners should use existing expertise and proper consulting
- M2M operators should educate M2M customers about security risks, as their reputation is at stake
- M2M device suppliers should raise cost of attacks by simple and cost effective measures.